[FIXED] Security Vulnerability in downloadCustomOptionAction

 

Magento version: All Magento 1 versions
Cart2Quote version: v4.2.0 and above
Affected files

app/code/community/Ophirah/Qquoteadv/controllers/DownloadController.php

app/code/community/Ophirah/Qquoteadv/Helper/Data.php 

Occurrence

When you use custom file options on a product.

Reason

The PHP unserialize function is used on data received from a GET request. This can potentially be used for Remote Code Execution.

Solution

Replace the unserialize and serialize functions with the json_decode and json_encode functions.

You can simply download and apply a patch provided below to solve the issue.
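
The replacement described above, as an added stand-alone example (not Cart2Quote's own code): it round-trips an option id through JSON and validates the decoded shape, next to the pre-fix unserialize path for contrast. The function names and the `quote_item_id` / `option_id` fields are assumptions, and the inputs are constructed.

```php
<?php
// Added example, not Cart2Quote code. Function names and the
// quote_item_id / option_id fields are assumptions. Requires PHP 7.1+.

// Encode side, mirroring the fix: JSON instead of serialize().
function encodeOptionId(array $optionIdData): string
{
    return base64_encode(json_encode($optionIdData));
}

// Pre-fix decode, kept only for contrast: unserialize() on request data
// can instantiate any loadable class and run its magic methods.
function decodeOptionIdLegacy(string $param)
{
    return unserialize(base64_decode($param));
}

// Hardened decode: JSON yields only arrays and scalars, and the shape
// is validated before anything uses it.
function decodeOptionId(string $param): ?array
{
    $raw = base64_decode($param, true);      // strict mode rejects non-base64 input
    if ($raw === false) {
        return null;
    }
    $data = json_decode($raw, true, 4);      // associative arrays, shallow depth limit
    if (!is_array($data)) {
        return null;
    }
    $clean = [];
    foreach (['quote_item_id', 'option_id'] as $key) {   // assumed fields
        if (!isset($data[$key]) || !is_int($data[$key]) || $data[$key] < 1) {
            return null;
        }
        $clean[$key] = $data[$key];
    }
    return $clean;                            // unknown keys are dropped
}

// Constructed inputs standing in for the GET parameter.
$valid = encodeOptionId(['quote_item_id' => 12, 'option_id' => 7]);
$serializedObject = base64_encode(serialize(new stdClass()));

var_dump(decodeOptionId($valid));
// Serialized PHP data is not valid JSON, so the hardened decoder rejects it.
var_dump(decodeOptionId($serializedObject));
// The legacy decoder turns the same parameter into a live object.
var_dump(decodeOptionIdLegacy($serializedObject) instanceof stdClass);
```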

 

Patches:

Cart2Quote v4.1.6 Download
Cart2Quote v4.2.0 Download
Cart2Quote v4.2.01 Download
Cart2Quote v4.2.02 Download
Cart2Quote v4.2.1 Download
Cart2Quote v4.2.11 Download
Cart2Quote v4.2.2 Download
Cart2Quote v4.2.3 Download
Cart2Quote v4.2.11 Download
Cart2Quote v4.3.0 Download
Cart2Quote v4.3.1 Download
Cart2Quote v4.3.3 Download
Cart2Quote v4.3.4 Download
Cart2Quote v4.3.6 Download
Cart2Quote v4.4.0 Download
Cart2Quote v4.4.1 Download
Cart2Quote v4.4.2 Download
Cart2Quote v4.4.3 Download
Cart2Quote v4.4.4 Download
Cart2Quote v4.4.5 Download
Cart2Quote v5.0.1 Download
Cart2Quote v5.0.3 Download
Cart2Quote v5.0.4 Download
Cart2Quote v5.0.5 Download
Cart2Quote v5.0.10 Download
Cart2Quote v5.1.0 Download
Cart2Quote v5.1.1 Download
Cart2Quote v5.1.2 Download
Cart2Quote v5.1.3 Download
Cart2Quote v5.1.4 Download
Cart2Quote v5.1.5 Download
Cart2Quote v5.2.0 Download
Cart2Quote v5.2.1 Download
Cart2Quote v5.2.2 Download
Cart2Quote v5.2.3 Download
Cart2Quote v5.2.4 Download
Cart2Quote v5.2.5 Download
Cart2Quote v5.2.6 Download
Cart2Quote v5.2.7 Download
Cart2Quote v5.2.8 Download
Cart2Quote v5.2.9 Download
Cart2Quote v5.3.0 Download
Cart2Quote v5.3.1 Download
Cart2Quote v5.3.2 Download
Cart2Quote v5.4.0 Download
Cart2Quote v5.4.1 Download
Cart2Quote v5.4.2 Download
Cart2Quote v5.4.3 Download
Cart2Quote v5.4.4 Download

 

 


10 Comments

  • 0
    Magento Support

    The patch for v5.2.8 is missing these functions in Data.php:

    • checkQuickQuote
    • canUseQuickQuoteAssets

    I checked 5.2.7 - they are also missing from that version.

    The functions are present in 5.2.9.

    I haven't checked any other versions. I'm guessing I can just copy and paste the relevant code from another version of the file, but would rather do this via a revised security patch.

    Edited by Magento Support
  • 0
    Ravinder Singh

    It's listed that

    Cart2Quote version v4.2.0 and above has the vulnerability.

    But the patch list doesn't contain a patch for v4.2.0.

  • 0
    The Development Team

    @Ravinder Singh

    Thank you for noticing that. We have updated the list of patches.

     

    Kind regards,

    Daniel Donselaar

  • 0
    Ravinder Singh

    Hi Daniel,

    Thanks for the update. But the file app/code/community/Ophirah/Qquoteadv/controllers/DownloadController.php in the patch for v4.2.0 seems to be exactly the same as the one we already have. It means it still contains the unserialize function.

  • 0
    The Development Team

    Hello Ravinder,

    On line 643 we updated the following code:

    $option->setId(base64_encode(serialize($optionIdData)));

    to:

    $option->setId(base64_encode(json_encode($optionIdData)));

    This will solve the security issue. The other unserialize functions aren't causing any security issue because the serialized data is not being passed via a request.

    Please feel free to contact me if you need any further information.

    Kind regards,

    Daniel Donselaar

  • 0
    Ravinder Singh

    Daniel,

    So for v4.2.0 only app/code/community/Ophirah/Qquoteadv/Helper/Data.php needs to be updated.

    As the file app/code/community/Ophirah/Qquoteadv/controllers/DownloadController.php in the patch is identical to the file of version v4.2.0.

  • 0
    The Development Team

    @Magento Support

    Thank you for your reply.

    The official release of 5.2.7 does not contain the following functions:

    • checkQuickQuote
    • canUseQuickQuoteAssets

    I can confirm that the official release of 5.2.8 does contain the functions. We have updated the version with the correct updated Data.php helper. Apologies for any inconvenience.

    Please feel free to contact me if you need any further information.

    Kind regards,

    Daniel Donselaar

  • 0
    The Development Team

    @Ravinder Singh

    Thank you for your feedback!

    Can you try to download the v4.2.0 again?

     

    Please feel free to contact me if you need any further information.

    Kind regards,

    Daniel Donselaar

  • 0
    Monique Kleine

    Hi there,

    We had 5.3.0 running so I downloaded the patch but Data.php is only 1275 lines long compared to the original before the patch which is double the size (2184 lines). Is half the file missing?

  • 0
    The Development Team

    Hi Monique,

    I checked the data.php file in the 5.3.0 patch, but that file is correct. 

    Are you certain you've downloaded the right patch? If you need further assistance, please contact our support team (support@cart2quote.com) for a quicker response.

    Please feel free to contact me if you need any further information.

    Kind regards,

    Lennart van der Garde
