Merge pull request #2 from wubinworks/v1.1.0

Code optimization and compatibility extended to Magento 2.3

.gitignore

@@ -1,4 +1,4 @@
-# Wubinworks_CosmicStingPatch
+# Wubinworks Magento module .gitignore
 
 *.bak
 *.bak.*

Model/Exception/InvalidArgumentException.php

@@ -0,0 +1,14 @@
+<?php
+/**
+ * Copyright © Wubinworks. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+namespace Wubinworks\CosmicStingPatch\Model\Exception;
+
+/**
+ * Exception thrown if XML string contains ENTITY
+ */
+class InvalidArgumentException extends \InvalidArgumentException
+{
+}

Framework/Simplexml/Element.php → Model/Simplexml/Element.php

@@ -5,30 +5,27 @@
  */
 declare(strict_types=1);
 
-namespace Wubinworks\CosmicStingPatch\Framework\Simplexml;
+namespace Wubinworks\CosmicStingPatch\Model\Simplexml;
 
-use Wubinworks\CosmicStingPatch\Xml\Security as XmlSecurity;
+use Magento\Framework\App\ObjectManager;
+use Wubinworks\XmlSecurity\Model\Xml\Security as XmlSecurity;
 
 /**
- * A safer SimpleXMLElement
- * Patch for CVE-2024-34102(aka CosmicSting)
- *
- * @see https://nvd.nist.gov/vuln/detail/CVE-2024-34102
- * @see https://helpx.adobe.com/security/products/magento/apsb24-40.html
- * @see https://experienceleague.adobe.com/en/docs/commerce-knowledge-base/kb/troubleshooting/known-issues-patches-attached/security-update-available-for-adobe-commerce-apsb24-40-revised-to-include-isolated-patch-for-cve-2024-34102
+ * A secure SimpleXMLElement that does not allow ENTITY
+ * An alternative solution for CVE-2024-34102(aka Cosmic Sting)
  */
 class Element extends \Magento\Framework\Simplexml\Element
 {
     /**
-     * PHP SimpleXMLElement constructor
+     * Constructor
      *
      * @param string $data
      * @param int $options
      * @param bool $dataIsURL
      * @param string $namespaceOrPrefix
      * @param bool $isPrefix
      *
-     * @throws \Laminas\Xml\Exception\InvalidArgumentException
+     * @throws \Wubinworks\CosmicStingPatch\Model\Exception\InvalidArgumentException
      * @SuppressWarnings(PHPMD.UnusedFormalParameter)
      */
     public function __construct(
@@ -38,11 +35,14 @@ public function __construct(
         string $namespaceOrPrefix = "",
         bool $isPrefix = false
     ) {
-        if (XmlSecurity::hasEntity($data)) {
-            throw new \Laminas\Xml\Exception\InvalidArgumentException(
+        /** @var \Magento\Framework\Xml\Security $xmlSecurity */
+        $xmlSecurity = ObjectManager::getInstance()->get(XmlSecurity::class);
+        if (!$xmlSecurity->scan($data)) {
+            throw new \Wubinworks\CosmicStingPatch\Model\Exception\InvalidArgumentException(
                 'Input XML string should not contain ENTITY.'
             );
         }
+
         parent::__construct(
             $data,
             $options,

README.md

@@ -1,21 +1,101 @@
-# Magento 2 patch for CVE-2024-34102(aka CosmicSting)
-**Another way(as an extension) to hotfix the security hole if you cannot apply the official patch or cannot upgrade Magento.**
+# Magento 2 patch for CVE-2024-34102(aka Cosmic Sting)
 
-# Description
+**Another way(as an extension) to fix CVE-2024-34102(XXE vulnerability) with extra XML Security enhancement. If you cannot upgrade Magento or cannot apply the official patch, this one is an alternative solution.**
 
-### Impact
+**_If you don't fix this vulnerability, the attacker can RCE. We've already observed real world attacks._**
 
-The attacker makes use of this security hole may read secret files(eg: encryption key in `env.php`) on the server.\
-With those secrets, the attacker can perform unauthorized actions(eg: by creating admin JSON Web Token `JWT`).
+[![Magento 2 patch for CVE-2024-34102(aka Cosmic Sting)](https://raw.githubusercontent.com/wubinworks/home/master/images/Wubinworks/CosmicStingPatch/cosmic-sting-patch-v1.1.jpg "Magento 2 patch for CVE-2024-34102(aka Cosmic Sting)")](https://www.wubinworks.com/cosmic-sting-patch.html)
 
-### More Info
+## CVE-2024-34102 Affected Magento Versions(starting from 2.3)
 
-[CVE-2024-34102](https://nvd.nist.gov/vuln/detail/CVE-2024-34102)\
-[Official Patch](https://helpx.adobe.com/security/products/magento/apsb24-40.html)
+2.3.0 ~ 2.4.4-p8  
+2.4.5 ~ 2.4.5-p7  
+2.4.6 ~ 2.4.6-p5  
+2.4.7
 
-# Requirements
-**Magento 2.4**
+## Background
+
+[CVE-2024-34102](https://cve.org/CVERecord?id=CVE-2024-34102)(aka Cosmic Sting) was identified as XXE vulnerability and the details were published on June 2024. By exploiting this vulnerability, the attacker can read secret and important configuration files on the server.  
+Typically, the attacker will extract encryption keys in `env.php`.
+
+In most hacked servers, we observed one or multiple of the followings:
+ - Admin level WebAPI access with fake token
+ - Fake orders
+ - Unknown Admin accounts created
+ - Backdoors
+ - Magento core files modified
+ - PHP script that steals sales data
+ - Inject Javascript to CMS pages to steal credit cards
+ - And maybe more
+
+If you want to know _"How Exactly It Works"_, we have very detailed blog posts that [examine](https://www.wubinworks.com/blog/post/cve-2024-34102-cosmic-sting-attack) and [fix](https://www.wubinworks.com/blog/post/cve-2024-34102-aka-cosmicsting-how-to-defend) the vulnerability.
+
+## Secondary Disasters(Very Important)
+
+### Fake Admin Token
+
+The attacker can craft fake Admin Token by using the stolen encryption key. With the fake Admin Token, the attacker is able to perform Admin level actions such as creating fake orders, modifying CMS Block to inject malicious Javascript and more.
+
+### Chained with CVE-2024-2961
+
+> XXEs are now RCEs
+
+As CVE-2024-34102 enables the ability to read arbitrary file on the server, the attacker can now combine it with a bug([CVE-2024-2961](https://www.cve.org/CVERecord?id=CVE-2024-2961)) discovered in `glibc` to run any command on the server. One real case we experienced was that multiple backdoors got downloaded and installed.  
+The `glibc` bug exists in `glibc` version <= 2.3.9
+
+##### Check `glibc` version by running
+
+```
+ldd --version | grep -i 'libc'
+```
+
+## How to fix?
+
+### Fix CVE-2024-34102
+
+There are 3 Ways Available:
+
+ - Upgrade Magento to an unaffected version(preferably the latest version)
+ - Apply [official isolated patch](https://experienceleague.adobe.com/en/docs/commerce-knowledge-base/kb/troubleshooting/known-issues-patches-attached/security-update-available-for-adobe-commerce-apsb24-40-revised-to-include-isolated-patch-for-cve-2024-34102#isolated-patch-details)
+ - Install this extension
+
+**_Note you still need to fix "Secondary Disasters" after completing the above step._**
+
+### Rotate Encryption Key
+
+This step invalidates crafted fake tokens to completely deny WebAPI access from attacker.  
+_If you are unsure whether encryption keys are leaked or not, do this step._
+
+##### More Info
+
+Some Magento 2.4 versions have a bug that you need to apply a [patch](https://github.com/wubinworks/magento2-jwt-auth-patch) before performing key rotation.
+
+[How to rotate encryption key?](https://www.wubinworks.com/blog/post/magento2-rotate-encryption-key)
+
+[Alternative Encryption Key Rotation Tool](https://github.com/wubinworks/magento2-encryption-key-manager-cli)
+
+[New Magento encryption key format](https://www.wubinworks.com/blog/post/new-encryption-key-format-introduced-on-magento-2.4.7)
+
+### Fix `glibc` Bug(Highly Recommended)
+
+Update `glibc` to >= 2.40 to fix CVE-2024-2961.
+
+## Requirements
+
+Magento 2.3  
+Magento 2.4
+
+## Installation
 
-# Installation
-Note: it has a dependency, so you need `composer`.\
 **`composer require wubinworks/module-cosmic-sting-patch`**
+
+_This extension requires dependencies that are not included in default Magento installation, so you need to use `composer`._
+
+## ♥
+
+If you like this extension or this extension helped you, please ★star☆ this repository.
+
+You may also like:  
+[Magento 2 patch for CVE-2022-24086, CVE-2022-24087](https://github.com/wubinworks/magento2-template-filter-patch)  
+[Magento 2 Disable Customer Change Email Extension](https://github.com/wubinworks/disable-change-email)  
+[Magento 2 Disable Customer Extension](https://github.com/wubinworks/magento2-disable-customer)

composer.json

@@ -1,20 +1,36 @@
 {
     "name": "wubinworks/module-cosmic-sting-patch",
-    "description": "Magento 2 patch for CVE-2024-34102(aka CosmicSting). Another way(as an extension) to hotfix the security hole if you cannot apply the official patch or cannot upgrade Magento.",
+    "description": "Another way(as an extension) to fix CVE-2024-34102(XXE vulnerability) with extra XML Security enhancement. If you cannot upgrade Magento or cannot apply the official patch, this one is an alternative solution.",
+    "keywords": [
+        "cve-2024-34102",
+        "cosmic sting",
+        "cosmicsting",
+        "magento2",
+        "magento 2",
+        "xxe",
+        "xml entity",
+        "xml",
+        "security",
+        "xml security"
+    ],
+    "homepage": "https://www.wubinworks.com",
+    "support": {
+        "issues": "https://github.com/wubinworks/magento2-cosmic-sting-patch/issues",
+        "chat": "https://www.wubinworks.com/contact"
+    },
     "require": {
-        "php": ">=7.4",
-        "laminas/laminas-xml": "~1.4",
-        "magento/framework": "*",
-        "magento/magento2-base": "~2.4.0"
+        "php": ">=7.1",
+        "wubinworks/module-xml-security": "^1.0.1",
+        "magento/magento2-base": "~2.3.0 || ~2.4.0"
     },
     "type": "magento2-module",
-    "version": "1.0.0",
+    "version": "1.1.0",
     "license": "OSL-3.0",
     "authors": [
         {
-            "name": "Wubinworks",
-            "email": "wubinworks@outlook.com",
-            "homepage": "https://github.com/wubinworks/magento2-cosmic-sting-patch",
+            "name": "Wubinworks Dev Team",
+            "email": "extension@wubinworks.com",
+            "homepage": "https://www.wubinworks.com/cosmic-sting-patch.html",
             "role": "Developer"
         }
     ],

etc/di.xml

@@ -7,5 +7,5 @@
 -->
 <config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
-    <preference for="Magento\Framework\Simplexml\Element" type="Wubinworks\CosmicStingPatch\Framework\Simplexml\Element" />
+    <preference for="Magento\Framework\Simplexml\Element" type="Wubinworks\CosmicStingPatch\Model\Simplexml\Element" />
 </config>