We got you covered, as long as you have your application up-to-date.
No project enjoys publishing security releases; nevertheless, every piece of software has its pitfalls and vulnerabilities. Because we always try to bring you the best we can, we treat every security issue very seriously. This time, we are announcing several fixes to Sylius 1.9 and 1.10 and to SyliusGridBundle.
The original security advisory has been published on GitHub at Sylius/Sylius repository.
This issue is present in all Sylius versions before 1.9.10, 1.10.11 and 1.11.2. The main attack vector for the Sylius Open Source version requires access to the admin panel, as there is no other possibility to upload pictures. So, if you have not extended Sylius to allow users to upload files, you are fine.
It is important to acknowledge that all Sylius Plus installations may be affected by this to a greater extent, as by default there is a possibility to send images as a part of Return Request. Nonetheless, it still requires an upload of SVG files that will be opened in a new tab for the script to be executed.
It is possible to upload an SVG file containing XSS code in the admin panel. In order for the XSS to fire, the file itself has to be opened in a new tab (or loaded outside of an `<img>` tag). The problem applies both to files opened on the admin panel and on shop pages.
The issue is fixed in versions: 1.9.10, 1.10.11, 1.11.2, and above.
If there is a need to upload an SVG image type, on-upload sanitization has to be added. The way to achieve this is to require a library that will do the trick:
https://gist.github.com/lchrusciel/5f2f62a36a0f845a11a8420e7c5c0fe1#file-bash-sh
The second step is all about performing a file content sanitization before writing it to the filesystem. It can be done by overwriting the service:
https://gist.github.com/lchrusciel/5f2f62a36a0f845a11a8420e7c5c0fe1#file-imageuploader-php
After that, register the service in the container:
https://gist.github.com/lchrusciel/5f2f62a36a0f845a11a8420e7c5c0fe1#file-services-yaml
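The two steps above (pulling in a sanitizer library, then cleaning the file before it is written) can also be done without touching the original uploader, by decorating it. The following is an added illustration, not the gist referenced above or Sylius' own code; it assumes the `enshrined/svg-sanitize` library, the `Sylius\Component\Core\Uploader\ImageUploaderInterface` contract (`upload()` / `remove()`) and that `ImageInterface::getFile()` returns a Symfony `File`.

```php
<?php
declare(strict_types=1);

namespace App\Uploader;

use enshrined\svgSanitize\Sanitizer;
use Sylius\Component\Core\Model\ImageInterface;
use Sylius\Component\Core\Uploader\ImageUploaderInterface;
use Symfony\Component\HttpFoundation\File\File;

final class SvgSanitizingImageUploader implements ImageUploaderInterface
{
    private ImageUploaderInterface $decorated;
    private Sanitizer $sanitizer;
    public function __construct(ImageUploaderInterface $decorated)
    {
        $this->decorated = $decorated;
        $this->sanitizer = new Sanitizer();
        // Besides scripts and event handlers, also drop references to remote resources.
        $this->sanitizer->removeRemoteReferences(true);
    }

    public function upload(ImageInterface $image): void
    {
        $file = $image->getFile();
        if (null !== $file && $this->isSvg($file)) {
            $clean = $this->sanitizer->sanitize((string) file_get_contents($file->getPathname()));
            // sanitize() returns false for unparseable XML: reject rather than store unknown bytes.
            if (false === $clean) {
                throw new \RuntimeException('Rejected SVG upload that could not be sanitized.');
            }
            // Overwrite the temporary upload in place; the inner uploader then stores the clean bytes.
            file_put_contents($file->getPathname(), $clean);
        }
        $this->decorated->upload($image);
    }

    public function remove(string $path): bool
    {
        return $this->decorated->remove($path);
    }

    private function isSvg(File $file): bool
    {
        // Check both the sniffed MIME type and the extension: the browser renders the file
        // as SVG based on whatever Content-Type the server later sends for it.
        $mime = (string) $file->getMimeType();
        return false !== strpos($mime, 'svg') || 'svg' === strtolower($file->getExtension());
    }
}
```

Wire it in with Symfony's service decoration (`decorates:` pointing at the core uploader service, whose id is assumed here to be `sylius.image_uploader`), so the original uploader keeps doing the actual writing.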
The original security advisory has been published on GitHub at Sylius/Sylius repository.
Every website without a custom `X-Frame-Options` header defined in the application at the code level (in Symfony itself) or at the infrastructure level (e.g. Nginx or Apache) is affected by it.
It is possible for a page controlled by the attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker’s page overlays the target application’s interface with a different interface provided by the attacker.
The issue is fixed in versions: 1.9.10, 1.10.11, 1.11.2, and above.
Every response from the app should have the `X-Frame-Options` header set to `sameorigin`. To achieve that, you just need to add a new subscriber to your app.
https://gist.github.com/lchrusciel/16d86303a912828172e1e0fe6ba4eb0e#file-xframeoptionssubscriber-php
And register it in the container:
https://gist.github.com/lchrusciel/16d86303a912828172e1e0fe6ba4eb0e#file-services-yaml
The original security advisory has been published on GitHub at Sylius/Sylius repository.
Every store that uses the default Sylius admin panel is affected by this vulnerability (unless it is protected by custom caching rules for authorized users).
Any other user can view the data if the browser tab remains open after logging out. Once someone logs out and leaves the browser open, the potential attacker may use the back button to see the content exposed on the given screens. No action can be performed, though, and any page refresh will block further reads. It may, however, lead to a data leak, for example of customer details, payment gateway configuration, etc., but only for pages the administrator had actually visited.
This vulnerability requires full access to the computer to take advantage of it.
The issue is fixed in versions: 1.9.10, 1.10.11, 1.11.2 and above.
The application must strictly redirect to the login page even when the browser back button is pressed. Another possibility is to set stricter cache policies for restricted content (like `no-store`). It can be achieved with the following class:
https://gist.github.com/lchrusciel/a4348756fa855f20c26a98e9859afc09#file-cachecontrolsubscriber-php
After that, register the service in the container:
https://gist.github.com/lchrusciel/a4348756fa855f20c26a98e9859afc09#file-services-yaml
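Both the `X-Frame-Options` subscriber from the clickjacking advisory above and the cache-control subscriber from this one are `kernel.response` listeners, so they can be illustrated together. The class below is an added example, not either gist or Sylius' own fix; instead of the section resolver the original uses, it assumes a simpler rule: any response produced while a user is authenticated (admin or shop) gets `no-store`. It assumes Symfony's `TokenStorageInterface` and `ResponseEvent` (Symfony 4.3+).

```php
<?php
declare(strict_types=1);

namespace App\EventSubscriber;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
use Symfony\Component\Security\Core\User\UserInterface;

final class ResponseHardeningSubscriber implements EventSubscriberInterface
{
    private TokenStorageInterface $tokenStorage;

    public function __construct(TokenStorageInterface $tokenStorage)
    {
        $this->tokenStorage = $tokenStorage;
    }

    public static function getSubscribedEvents(): array
    {
        // Low priority: run after other response listeners so the headers set here are final.
        return [KernelEvents::RESPONSE => ['onKernelResponse', -255]];
    }

    public function onKernelResponse(ResponseEvent $event): void
    {
        $response = $event->getResponse();

        // Clickjacking: refuse to be framed by other origins. Only a default, so a header
        // set explicitly by a controller (or a CSP frame-ancestors policy) is not overridden.
        if (!$response->headers->has('X-Frame-Options')) {
            $response->headers->set('X-Frame-Options', 'sameorigin');
        }

        // Back-button leak: a page rendered for an authenticated user must never come back
        // from the browser cache after logout, so "no-store" replaces the default "private".
        $token = $this->tokenStorage->getToken();
        if (null !== $token && $token->getUser() instanceof UserInterface) {
            $response->setPrivate();
            $response->setMaxAge(0);
            $response->headers->addCacheControlDirective('no-store');
            $response->headers->addCacheControlDirective('must-revalidate');
            $response->headers->set('Pragma', 'no-cache');
        }
    }
}
```

With the default `App\` autowiring and autoconfigure of Sylius-Standard the subscriber is picked up automatically; otherwise register it with the `kernel.event_subscriber` tag, as the gists above do.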
The code above requires changes in “ShopUriBasedSectionResolver” in order to work. To backport the mentioned logic, you need to replace the “Sylius\Bundle\ShopBundle\SectionResolver\ShopUriBasedSectionResolver” class with:
You also need to define a new subsection for the Customer Account that is used in the above services:
The original security advisory has been published on GitHub at Sylius/Sylius repository.
Your store is affected by this vulnerability only if you are using the newest version of our API (`api/v2` prefix). This API is disabled by default in every instance of Sylius and has to be opted in.
The reset password token was not set to null after the password was changed. This caused behaviour in which the same token could be used several times, so a leak of an existing token could result in an unauthorised password change.
The issue is fixed in versions: 1.10.11, 1.11.2 and above.
You have to overwrite your “Sylius\Bundle\ApiBundle\CommandHandler\ResetPasswordHandler” class using this code:
https://gist.github.com/lchrusciel/777b59b2af6a4e39ccb23ed7c6f49b59#file-resetpasswordhandler-php
And register it in a container:
https://gist.github.com/lchrusciel/777b59b2af6a4e39ccb23ed7c6f49b59#file-services-yaml
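The essential part of the fix is the single-use property of the token: once the password is updated, the token (and its request timestamp) must be cleared so a replay finds no user. The handler below is an added illustration of that flow, not the gist or Sylius' own `ResetPasswordHandler`; the `ResetPassword` command class is hypothetical, the handler is wired through Symfony Messenger, persistence is assumed to happen in the bus's Doctrine transaction middleware, and PHP 8.0+ syntax is used.

```php
<?php
declare(strict_types=1);

namespace App\CommandHandler;

use Sylius\Component\User\Model\UserInterface;
use Sylius\Component\User\Repository\UserRepositoryInterface;
use Sylius\Component\User\Security\PasswordUpdaterInterface;
use Symfony\Component\Messenger\Handler\MessageHandlerInterface;

/** Hypothetical command carrying the data posted to the API endpoint. */
final class ResetPassword
{
    public function __construct(public string $token, public string $newPassword) {}
}

final class ResetPasswordHandler implements MessageHandlerInterface
{
    public function __construct(
        private UserRepositoryInterface $userRepository,
        private PasswordUpdaterInterface $passwordUpdater,
        private \DateInterval $tokenTtl  // e.g. new \DateInterval('P1D')
    ) {}

    public function __invoke(ResetPassword $command): void
    {
        /** @var UserInterface|null $user */
        $user = $this->userRepository->findOneBy(['passwordResetToken' => $command->token]);
        if (null === $user) {
            throw new \InvalidArgumentException('Unknown or already used reset token.');
        }
        if (!$user->isPasswordRequestNonExpired($this->tokenTtl)) {
            throw new \InvalidArgumentException('Reset token has expired.');
        }

        $user->setPlainPassword($command->newPassword);
        $this->passwordUpdater->updatePassword($user);

        // The fix: a reset token is single-use. Clearing it (and the request timestamp)
        // means a second request with the same token hits the "unknown token" branch above.
        $user->setPasswordResetToken(null);
        $user->setPasswordRequestedAt(null);
    }
}
```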
The original security advisory has been published on GitHub at Sylius/SyliusGridBundle repository.
Every store with SyliusGridBundle below 1.10.1 is affected by this vulnerability.
Sorting values appended to the query were passed directly to the DB. We do not know whether this could lead to a direct SQL injection; however, we should not allow easy injection of values there anyway.
The issue is fixed in version 1.10.1 and in 1.11-rc.1.
You have to overwrite your “Sylius\Component\Grid\Sorting\Sorter.php” class:
https://gist.github.com/lchrusciel/5c2f134c28df6f18feef47a5343f2a73#file-sorter-php
and register it in your container:
https://gist.github.com/lchrusciel/5c2f134c28df6f18feef47a5343f2a73#file-services-yaml
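The defensive principle behind the patched sorter is that neither the field name nor the direction coming from the request may reach the `ORDER BY` clause as raw text: fields are looked up in the grid's sortable configuration and the direction is reduced to `asc`/`desc`. The class below is an added, standalone illustration of that whitelist, not the gist or the SyliusGridBundle `Sorter` itself; the shape of the `$requested` and `$sortable` arrays is assumed.

```php
<?php
declare(strict_types=1);

namespace App\Grid\Sorting;

final class SortingValidator
{
    private const DIRECTIONS = ['asc', 'desc'];

    /**
     * @param array<string, string> $requested  e.g. ['createdAt' => 'DESC'] taken from ?sorting[...]
     * @param array<string, string> $sortable   field name => DB column/path, from the grid configuration
     * @return array<string, string> column/path => 'asc'|'desc', containing only whitelisted pairs
     */
    public function validate(array $requested, array $sortable): array
    {
        $safe = [];
        foreach ($requested as $field => $direction) {
            // Unknown field: refuse instead of passing an arbitrary identifier to the DB.
            if (!array_key_exists((string) $field, $sortable)) {
                throw new \InvalidArgumentException(sprintf('Field "%s" is not sortable.', $field));
            }
            // Direction: normalise, then accept only the two legal keywords.
            $normalized = strtolower(trim((string) $direction));
            if (!in_array($normalized, self::DIRECTIONS, true)) {
                throw new \InvalidArgumentException(
                    sprintf('Invalid sorting direction "%s" for field "%s".', (string) $direction, $field)
                );
            }
            $safe[$sortable[(string) $field]] = $normalized;
        }
        return $safe;
    }

    /** Builds the ORDER BY fragment from validated pairs only; request input never becomes SQL text. */
    public function toOrderBy(array $validated): string
    {
        if ([] === $validated) {
            return '';
        }
        $parts = [];
        foreach ($validated as $column => $direction) {
            $parts[] = sprintf('%s %s', $column, strtoupper($direction));
        }
        return 'ORDER BY ' . implode(', ', $parts);
    }
}
```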