Categories: Ecosystem Technical
🚨Security releases blog post: March 2022

We got you covered, as long as you have your application up-to-date.

Nothing’s perfect, but that’s no reason not to aim for it

No project enjoys publishing security releases; nevertheless, every piece of software has its pitfalls and vulnerabilities. As we always try to bring you the best we can, we treat every security issue with the utmost seriousness. This time, we are announcing several fixes to Sylius 1.9 and 1.10 and to SyliusGridBundle.

Sylius 1.9 and above

CVE-2022-24749: Improper sanitize of SVG files during content upload (‘Cross-site Scripting’)

The original security advisory has been published on GitHub at Sylius/Sylius repository.

Is my store affected by this vulnerability?

This issue is present in all Sylius versions before 1.9.10, 1.10.11 and 1.11.2. In the Sylius Open Source version, the main attack vector requires access to the admin panel, as shop customers have no way to upload pictures. So, if you have not extended Sylius to allow users to upload files, you are not affected.

It is important to acknowledge that all Sylius Plus installations may be affected to a greater extent, as by default customers can attach images to a Return Request. Nonetheless, it still requires an uploaded SVG file to be opened in a new tab for the script to execute.

Impact

It is possible to upload an SVG file containing XSS code in the admin panel. For the XSS payload to run, the file itself has to be opened in a new tab (or loaded outside of an IMG tag). The problem applies both to files opened in the admin panel and on shop pages.

Patches

The issue is fixed in versions: 1.9.10, 1.10.11, 1.11.2, and above.

Workarounds

If there is a need to upload SVG images, on-upload sanitization has to be added. The first step is to require a library that performs the sanitization:

https://gist.github.com/lchrusciel/5f2f62a36a0f845a11a8420e7c5c0fe1#file-bash-sh

The second step is to sanitize the file content before writing it to the filesystem. It can be done by overriding the image uploader service:

https://gist.github.com/lchrusciel/5f2f62a36a0f845a11a8420e7c5c0fe1#file-imageuploader-php

After that, register the service in the container:

https://gist.github.com/lchrusciel/5f2f62a36a0f845a11a8420e7c5c0fe1#file-services-yaml
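To make concrete what "on-upload sanitization" means, here is an added example of a minimal SVG sanitizer built on PHP's DOM extension. It is not Sylius code and not the library the gist requires; the class name, the element and attribute lists, and the hostile input are all constructed for this illustration (PHP 8.0 or newer is assumed). It demonstrates the checks a sanitization library performs before the file ever reaches the filesystem: refusing a DOCTYPE, dropping script-bearing elements, and stripping event-handler attributes and `javascript:`/`data:` URLs.

```php
<?php
declare(strict_types=1);

// Added example (not Sylius code, not the gist): a minimal on-upload SVG
// sanitizer. The element and attribute lists are deliberately short; a
// maintained library covers far more cases.
final class SvgSanitizer
{
    /** Elements that execute or embed foreign content and have no place in an image. */
    private const FORBIDDEN_ELEMENTS = ['script', 'foreignobject', 'iframe', 'embed', 'object'];

    /** Attributes whose value is a URL and could carry an active scheme. */
    private const URL_ATTRIBUTES = ['href', 'xlink:href', 'src'];

    /** @throws \InvalidArgumentException when the document is not acceptable SVG */
    public function sanitize(string $svg): string
    {
        $previous = libxml_use_internal_errors(true);
        try {
            $doc = new \DOMDocument();
            // LIBXML_NONET: no network access while parsing (no remote DTDs or entities).
            if (!$doc->loadXML($svg, LIBXML_NONET)) {
                throw new \InvalidArgumentException('Not well-formed XML');
            }
        } finally {
            libxml_clear_errors();
            libxml_use_internal_errors($previous);
        }

        // An image never needs a DOCTYPE, and it is the vehicle for entity tricks.
        if ($doc->doctype !== null) {
            throw new \InvalidArgumentException('DOCTYPE declarations are not allowed');
        }
        if ($doc->documentElement === null || strtolower($doc->documentElement->localName) !== 'svg') {
            throw new \InvalidArgumentException('Root element must be <svg>');
        }

        $xpath = new \DOMXPath($doc);
        /** @var \DOMElement $element */
        foreach (iterator_to_array($xpath->query('//*')) as $element) {
            if (in_array(strtolower($element->localName), self::FORBIDDEN_ELEMENTS, true)) {
                $element->parentNode?->removeChild($element);
                continue;
            }
            // Copy the attribute map first: we modify it while walking it.
            foreach (iterator_to_array($element->attributes) as $attr) {
                $name = strtolower($attr->nodeName);
                $value = strtolower(trim($attr->value));
                // Event handlers (onload, onclick, ...) are script by definition.
                $isEventHandler = str_starts_with($name, 'on');
                // javascript: and data: URLs turn a link or reference into code.
                $isActiveUrl = in_array($name, self::URL_ATTRIBUTES, true)
                    && (str_starts_with($value, 'javascript:') || str_starts_with($value, 'data:'));
                if ($isEventHandler || $isActiveUrl) {
                    $element->removeAttributeNode($attr);
                }
            }
        }

        return (string) $doc->saveXML();
    }
}

// Constructed hostile input for the demonstration: an onload handler,
// an inline <script> and a javascript: link wrapped around a real shape.
$hostile = <<<'SVG'
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>alert(document.cookie)</script>
  <a xlink:href="javascript:alert(2)"><circle cx="10" cy="10" r="5"/></a>
</svg>
SVG;

echo (new SvgSanitizer())->sanitize($hostile);
```

Run it and the output keeps the `<a>` and `<circle>` but contains no `<script>`, no `onload` and no `javascript:` href. In a Sylius project the call would sit in the overridden uploader, right before the file is written, and a failed `sanitize()` should reject the upload rather than store the original.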

CVE-2022-24733: Missing HTTP headers to avoid login forms clickjacking

The original security advisory has been published on GitHub at Sylius/Sylius repository.

Is my store affected by this vulnerability?

Every website without a custom `X-Frame-Options` header defined at the application level (in Symfony itself) or at the infrastructure level (e.g. Nginx or Apache) is affected by it.

Impact

It is possible for a page controlled by the attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker’s page overlays the target application’s interface with a different interface provided by the attacker.

Patches

The issue is fixed in versions: 1.9.10, 1.10.11, 1.11.2, and above.

Workarounds

Every response from the app should have the `X-Frame-Options` header set to `sameorigin`. To achieve that, you just need to add a new subscriber to your app:

https://gist.github.com/lchrusciel/16d86303a912828172e1e0fe6ba4eb0e#file-xframeoptionssubscriber-php

And register it in the container:

https://gist.github.com/lchrusciel/16d86303a912828172e1e0fe6ba4eb0e#file-services-yaml

CVE-2022-24742: Exposure of sensitive information by using the back button after logging out

The original security advisory has been published on GitHub at Sylius/Sylius repository.

Is my store affected by this vulnerability?

Every store that uses the default Sylius admin panel is affected by this vulnerability (unless it is protected by custom caching rules for authorized users).

Impact

Any other person with access to the browser can view the data if the tab remains open after logging out. Once someone logs out and leaves the browser open, a potential attacker may use the back button to see the content previously displayed on those screens. No action can be performed, and any page refresh will block further reads. It may, however, lead to a data leak, for example of customer details or payment gateway configuration, but only for the pages the administrator had viewed.

Taking advantage of this vulnerability requires full access to the computer.

Patches

The issue is fixed in versions: 1.9.10, 1.10.11, 1.11.2 and above.

Workarounds

The application must strictly redirect to the login page even when the browser back button is pressed. Another option is to set a stricter cache policy for restricted content (such as `no-store`). It can be achieved with the following class:

https://gist.github.com/lchrusciel/a4348756fa855f20c26a98e9859afc09#file-cachecontrolsubscriber-php

After that, register the service in the container:

https://gist.github.com/lchrusciel/a4348756fa855f20c26a98e9859afc09#file-services-yaml

The code above requires changes in “ShopUriBasedSectionResolver” in order to work. To backport the mentioned logic, you need to replace the “Sylius\Bundle\ShopBundle\SectionResolver\ShopUriBasedSectionResolver” class with:

https://gist.github.com/lchrusciel/a4348756fa855f20c26a98e9859afc09#file-shopuribasedsectionresolver-php

You also need to define a new subsection for the Customer Account that is used in the above services:

https://gist.github.com/lchrusciel/a4348756fa855f20c26a98e9859afc09#file-shopcustomeraccountsubsection-php
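The two header-based workarounds above (the `X-Frame-Options` subscriber for CVE-2022-24733 and the `Cache-Control` subscriber for CVE-2022-24742) follow the same Symfony pattern, so here is one added example that covers both in a single response subscriber. This is not the code from the gists and not Sylius code: the class name is invented, the restricted-path patterns are an assumption about your routing (the admin panel under `/admin`, the customer account under an optional locale prefix plus `/account`), and Symfony 5.3+ with PHP 8.0+ is assumed. It goes slightly beyond the post by also sending the CSP `frame-ancestors` directive, the modern counterpart of `X-Frame-Options`.

```php
<?php
declare(strict_types=1);

namespace App\EventSubscriber;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

/**
 * Added example, not the gists' code. Every response gets frame protection;
 * responses for restricted sections additionally get a no-store cache policy
 * so the browser's back button cannot replay them after logout.
 */
final class ResponseHardeningSubscriber implements EventSubscriberInterface
{
    /** Assumed path layout: adjust these patterns to your own routing. */
    private const RESTRICTED_PATTERNS = [
        '#^/admin(/|$)#',                                   // admin panel
        '#^(/[A-Za-z]{2}(_[A-Za-z]{2})?)?/account(/|$)#',   // customer account, optional locale
    ];

    public static function getSubscribedEvents(): array
    {
        // Low priority: run after other listeners so these headers are final.
        return [KernelEvents::RESPONSE => ['onKernelResponse', -1024]];
    }

    public function onKernelResponse(ResponseEvent $event): void
    {
        if (!$event->isMainRequest()) {
            return; // sub-requests (fragments, ESI) inherit the main response's headers
        }

        $response = $event->getResponse();
        $this->addFrameProtection($response);

        if ($this->isRestricted($event->getRequest()->getPathInfo())) {
            $this->addNoStorePolicy($response);
        }
    }

    private function addFrameProtection(Response $response): void
    {
        $headers = $response->headers;
        // Do not weaken a stricter value (e.g. DENY) set elsewhere.
        if (!$headers->has('X-Frame-Options')) {
            $headers->set('X-Frame-Options', 'SAMEORIGIN');
        }
        // frame-ancestors is the CSP successor of X-Frame-Options; sending both
        // covers browsers that honour only one of them.
        if (!$headers->has('Content-Security-Policy')) {
            $headers->set('Content-Security-Policy', "frame-ancestors 'self'");
        }
    }

    private function addNoStorePolicy(Response $response): void
    {
        // no-store forbids keeping the page body; the remaining directives
        // cover older caches and proxies that ignore no-store.
        $response->headers->set('Cache-Control', 'no-store, no-cache, must-revalidate, max-age=0');
        $response->headers->set('Pragma', 'no-cache');
        $response->headers->set('Expires', '0');
    }

    private function isRestricted(string $path): bool
    {
        foreach (self::RESTRICTED_PATTERNS as $pattern) {
            if (preg_match($pattern, $path) === 1) {
                return true;
            }
        }

        return false;
    }
}
```

With Symfony's default `autoconfigure: true`, a class implementing `EventSubscriberInterface` under `src/` is tagged as an event subscriber automatically, so no extra `services.yaml` entry is needed beyond the standard resource import; otherwise tag it with `kernel.event_subscriber`. To verify, request an admin page while logged in and check that the response carries both `X-Frame-Options: SAMEORIGIN` and `Cache-Control: no-store`, while a public product page carries only the former.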

Sylius 1.10 and above

CVE-2022-24743: Reset password token not set to null after reset password

The original security advisory has been published on GitHub at Sylius/Sylius repository.

Is my store affected by this vulnerability?

Your store is affected by this vulnerability only if you are using the newest version of our API (the api/v2 prefix). This API is disabled by default in every Sylius instance and has to be opted into.

Impact

The reset password token was not set to null after the password was changed. As a result, the same token could be used several times, so a still-valid token could leak and be reused for an unauthorised password change.

Patches

The issue is fixed in versions: 1.10.11, 1.11.2 and above.

Workarounds

You have to override the “Sylius\Bundle\ApiBundle\CommandHandler\ResetPasswordHandler” class using this code:

https://gist.github.com/lchrusciel/777b59b2af6a4e39ccb23ed7c6f49b59#file-resetpasswordhandler-php

And register it in the container:

https://gist.github.com/lchrusciel/777b59b2af6a4e39ccb23ed7c6f49b59#file-services-yaml
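As an added example of the single-use property the fix restores, the following reduced model of a reset-password flow shows why clearing the token matters. It is not Sylius code and not the gist: the `User` and `ResetPasswordHandler` classes are constructed for the demonstration with simplified signatures (Sylius's real handler works against its `UserInterface` and a password updater service), and PHP 8.1+ is assumed. The second call with the same token is rejected because the token was nulled after the first successful reset.

```php
<?php
declare(strict_types=1);

// Added example, not Sylius code: minimal user model holding a reset token.
final class User
{
    private ?string $passwordResetToken = null;
    private ?\DateTimeImmutable $passwordRequestedAt = null;
    private string $passwordHash = '';

    public function requestPasswordReset(string $token): void
    {
        $this->passwordResetToken = $token;
        $this->passwordRequestedAt = new \DateTimeImmutable();
    }

    public function getPasswordResetToken(): ?string { return $this->passwordResetToken; }
    public function getPasswordRequestedAt(): ?\DateTimeImmutable { return $this->passwordRequestedAt; }
    public function getPasswordHash(): string { return $this->passwordHash; }
    public function setPasswordHash(string $hash): void { $this->passwordHash = $hash; }

    public function clearPasswordResetToken(): void
    {
        // Both fields go back to null so the token cannot be presented again.
        $this->passwordResetToken = null;
        $this->passwordRequestedAt = null;
    }
}

// Constructed handler showing the order of checks a reset must perform.
final class ResetPasswordHandler
{
    public function __construct(private readonly \DateInterval $tokenTtl) {}

    /** @throws \RuntimeException when the token is unknown, expired or already used */
    public function handle(User $user, string $presentedToken, string $newPassword): void
    {
        $stored = $user->getPasswordResetToken();
        $requestedAt = $user->getPasswordRequestedAt();

        // A cleared token means it was already consumed (or never issued).
        if ($stored === null || $requestedAt === null) {
            throw new \RuntimeException('No active password reset request');
        }
        // Constant-time comparison: the token is a secret.
        if (!hash_equals($stored, $presentedToken)) {
            throw new \RuntimeException('Invalid password reset token');
        }
        if ($requestedAt->add($this->tokenTtl) < new \DateTimeImmutable()) {
            throw new \RuntimeException('Password reset token has expired');
        }

        $user->setPasswordHash(password_hash($newPassword, PASSWORD_DEFAULT));
        // This is the step the advisory is about: without it the same token
        // keeps working after the password has already been changed.
        $user->clearPasswordResetToken();
    }
}

// Demonstration with a constructed user and a freshly generated token.
$user = new User();
$user->requestPasswordReset(bin2hex(random_bytes(32)));
$token = (string) $user->getPasswordResetToken();
$handler = new ResetPasswordHandler(new \DateInterval('PT1H'));

$handler->handle($user, $token, 'first-new-password');
try {
    $handler->handle($user, $token, 'second-attempt-with-same-token');
} catch (\RuntimeException $e) {
    echo 'second use rejected: ', $e->getMessage(), PHP_EOL;
}
```

The detection angle follows from the same property: after the fix, a second reset request carrying an already-used token is an error, and logging those rejections gives a cheap signal that someone is replaying tokens.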

SyliusGridBundle 1.10 and above

CVE-2022-24752: DQL injection through sorting parameters blocked

The original security advisory has been published on GitHub at Sylius/SyliusGridBundle repository.

Is my store affected by this vulnerability?

Every store with SyliusGridBundle below 1.10.1 is affected by this vulnerability.

Impact

Sorting values appended to the query were passed through to the database without validation. We don’t know whether this could lead to a direct SQL injection, but we should not allow values from the request to reach the query unvalidated anyway.

Patches

The issue is fixed in version 1.10.1 and in 1.11-rc.1.

Workarounds

You have to override the “Sylius\Component\Grid\Sorting\Sorter.php” class:

https://gist.github.com/lchrusciel/5c2f134c28df6f18feef47a5343f2a73#file-sorter-php

and register it in your container:

https://gist.github.com/lchrusciel/5c2f134c28df6f18feef47a5343f2a73#file-services-yaml
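The hardening principle behind this fix is that request-supplied sort fields and directions are resolved against an allow-list to fixed literals, and only those literals reach the query. The following is an added example of that principle, not SyliusGridBundle's `Sorter`: the `SortingNormalizer` class, the grid definition and the request inputs are constructed for the demonstration (PHP 8.0+ assumed). Two hostile requests, one smuggling extra DQL into the direction and one naming a field the grid does not expose, are rejected before any query is built.

```php
<?php
declare(strict_types=1);

// Added example, not SyliusGridBundle code: allow-list based sorting.
final class SortingNormalizer
{
    /** The only direction literals that can ever appear in ORDER BY. */
    private const DIRECTIONS = ['asc' => 'ASC', 'desc' => 'DESC'];

    /**
     * @param array<mixed, mixed>   $requested     as parsed from ?sorting[field]=direction
     * @param array<string, string> $allowedFields grid field name => DQL path (assumed shape)
     * @return array<string, string> DQL path => 'ASC'|'DESC'
     * @throws \InvalidArgumentException on anything outside the allow-list
     */
    public function normalize(array $requested, array $allowedFields): array
    {
        $sorting = [];
        foreach ($requested as $field => $direction) {
            // PHP turns numeric-string keys into ints; those are never grid fields either.
            if (!is_string($field) || !array_key_exists($field, $allowedFields)) {
                throw new \InvalidArgumentException(sprintf('Unknown sort field "%s"', (string) $field));
            }
            if (!is_string($direction) || !isset(self::DIRECTIONS[strtolower($direction)])) {
                throw new \InvalidArgumentException(sprintf('Invalid sort direction for "%s"', $field));
            }
            // Only literals from the two maps are kept; $field and $direction themselves never reach the query.
            $sorting[$allowedFields[$field]] = self::DIRECTIONS[strtolower($direction)];
        }

        return $sorting;
    }

    /** Renders ORDER BY from normalized values; safe because every part is a known literal. */
    public function toOrderBy(array $normalized): string
    {
        if ($normalized === []) {
            return '';
        }
        $parts = [];
        foreach ($normalized as $path => $direction) {
            $parts[] = $path . ' ' . $direction;
        }

        return 'ORDER BY ' . implode(', ', $parts);
    }
}

// Constructed grid definition: which request field maps to which DQL path.
$allowed = ['price' => 'o.price', 'name' => 'translation.name'];
$normalizer = new SortingNormalizer();

// Legitimate request: ?sorting[price]=DESC
$ok = $normalizer->normalize(['price' => 'DESC'], $allowed);
echo $normalizer->toOrderBy($ok), PHP_EOL;

// Hostile requests: extra DQL appended to the direction, and a field the grid does not expose.
foreach ([['price' => 'desc, o.id'], ['password' => 'asc']] as $hostile) {
    try {
        $normalizer->normalize($hostile, $allowed);
    } catch (\InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The same shape applies when the ORDER BY is added through Doctrine's QueryBuilder instead of a string: pass the normalized path and direction literals to `addOrderBy()`, and treat any `InvalidArgumentException` from the normalizer as a 400 response rather than silently falling back to a default sort, so that probing of the grid parameters shows up in the logs.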

Łukasz Chruściel
Łukasz is currently solely focused on development of Sylius products. His main area of interests are solving development problems and increasing knowledge of less experienced fellow software engineers. He is cooperating with our Product Owner in terms of technical features. You may spot him on Github, answering your issues and reviewing your PR’s.