Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adminhtml sales view - Escape remoteIp #5200

Merged
merged 1 commit into from
Aug 12, 2016
Merged

Adminhtml sales view - Escape remoteIp #5200

merged 1 commit into from
Aug 12, 2016

Conversation

convenient
Copy link
Contributor

It is quite trivial to make the remoteIp field map to something other than the REMOTE_ADDR header. Adding the following to app/etc/di.xml will allow you to use HTTP_X_FORWARDED_FOR as the header you're interested in. With this change a customer can spoof their x forwarded header and inject javascript which will run when an admin views the order in the admin panel.

<type name="Magento\Framework\HTTP\PhpEnvironment\RemoteAddress">
    <arguments>
        <argument name="alternativeHeaders" xsi:type="array">
            <item name="http_x_forwarded_for" xsi:type="string">HTTP_X_FORWARDED_FOR</item>
        </argument>
    </arguments>
</type>

A developer may decide to make this change at some point when they want to force all calls to RemoteAddress::getRemoteAddress() to use the X_FORWARDED_FOR instead. Maybe they're working on a plugin that requires it, and have many proxies between the customer and the Magento server. Maybe they just want to hook into some useful related functionality. ¯_(ツ)_/¯

This vulnerability isn't in the wild for M2 as it requires specific developer changes but I know the plugin ecosystem for M1 had many strange modules, this small change should help protect us from future laziness/craziness.

Either way, this is easily preventable. Simply escaping the output with $block->escapeHtml() will do the trick.

@convenient
Adminhtml sales view - Escape remoteIp
4feec4f 
It is quite trivial to make the remoteIp field map to something other than the REMOTE_ADDR header. Adding the following to `app/etc/di.xml` will allow you to use HTTP_X_FORWARDED_For as the header you're interested in. With this change a customer can spoof their x forwarded header and inject javascript which will run when an admin views the order in the admin panel.

 ```
<type name="Magento\Framework\HTTP\PhpEnvironment\RemoteAddress">
    <arguments>
        <argument name="alternativeHeaders" xsi:type="array">
            <item name="http_x_forwarded_for" xsi:type="string">HTTP_X_FORWARDED_FOR</item>
        </argument>
    </arguments>
</type>
```

A developer may decide to make this change at some point when they want to force all calls to RemoteAddress::getRemoteAddress() to use the X_FORWARDED_FOR instead. Maybe they're working on a plugin that requires it, and have many proxies between the customer and the Magento server.

This vulnerability isn't in the wild for M2 as it requires specific developer changes but I know the plugin ecosystem for M1 had many strange modules, this small change should help protect us from future laziness/craziness.

Either way, this is easily preventable. Simply escaping the output with $block->escapeHtml() will do the trick.
@NadiyaS
Copy link
Contributor

NadiyaS commented Jun 27, 2016

Hi @convenient ,
thank you for your contribution. Internal ticket MAGETWO-54782 was created to process your PR.

@NadiyaS NadiyaS added the Issue: Ready for Work Gate 4. Acknowledged. Issue is added to backlog and ready for development label Jun 27, 2016
@convenient
Copy link
Contributor Author

Thanks @NadiyaS. Internally for you guys this also references APPSEC-1474, although it was deemed a non-issue as it requires developer tweaking to expose it.

@vkorotun vkorotun added Component: Sales bug report bugfix and removed CS Issue: Ready for Work Gate 4. Acknowledged. Issue is added to backlog and ready for development bug report labels Aug 3, 2016
@sshrewz sshrewz added the linked label Aug 11, 2016
@mmansoor-magento mmansoor-magento merged commit 4feec4f into magento:develop Aug 12, 2016
mmansoor-magento pushed a commit that referenced this pull request Aug 12, 2016
@irenelagno
MAGETWO-54782: [GITHUB] Adminhtml sales view #5200
fdd30a5
mmansoor-magento pushed a commit that referenced this pull request Aug 12, 2016
@irenelagno
MAGETWO-54782: [GITHUB] Adminhtml sales view #5200
a251d38
@convenient convenient deleted the feature/adminhtml-slight-potential-for-xss-order-remoteip branch August 12, 2016 15:49
@vkorotun vkorotun added Issue: Ready for Work Gate 4. Acknowledged. Issue is added to backlog and ready for development and removed linked labels Aug 22, 2016
magento-engcom-team pushed a commit that referenced this pull request Jan 15, 2020
@omiroshnichenko
Merge pull request #5200 from magento-obsessive-owls/MC-23535
0ff7d22 
MC-23535: [2.4] Fix Skipped MFTF Tests MC-28537
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@NadiyaS NadiyaS

Labels
bugfix Component: Sales Issue: Ready for Work Gate 4. Acknowledged. Issue is added to backlog and ready for development Progress: accept
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@convenient @NadiyaS @vkublytskyi @mmansoor-magento @vkorotun @MomotenkoNatalia @sshrewz