NEW VERSION Sylius 2 is officially here. Check the release!
https://sylius.com/blog/security-releases-announcement-august-2020/
en
https://sylius.com/fr/
fr
https://sylius.com/de/
de
https://sylius.com/pl/
pl
2 min. read
Categories: News Technical
Security releases announcement – August 2020

The quality of our software has always been the most important thing for us. Today we published fixes for two security vulnerabilities found in Sylius/SyliusResourceBundle.

Is my store affected by this vulnerability?

Generally speaking, if you haven’t updated your dependencies after 18.08.2020, your store is vulnerable. The affected component is sylius/resource-bundle which is versioned independently from sylius/sylius. If you use Sylius v1.7, you most likely use ResourceBundle v1.6. You can check which specific version of sylius/resource-bundle you have installed by running composer show sylius/resource-bundle.Another way to check whether your application contains known vulnerabilities is to use Symfony binary (https://symfony.com/download). Run symfony check:security to scan your application.

Read more here (https://symfony.com/doc/current/setup.html#checking-security-vulnerabilities).

CVE-2020-15143: Remote Code Execution in ParametersParser while using request parameters inside expression language

The original security advisory has been published on GitHub at Sylius/SyliusResourceBundle repository.

Impact

Request parameters injected inside an expression evaluated by symfony/expression-language package haven’t been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution.

The vulnerable versions include: <=1.3.13 || >=1.4.0 <=1.4.6 || >=1.5.0 <=1.5.1 || >=1.6.0 <=1.6.3.

Example

foo:
  path: /foo/{id}
  defaults:
    _sylius:
      repository:
        method: findSome
        arguments:
          entity: "expr:service('repository').find($id)"

In this case, $id can be prepared in a way that calls other services.

If you visit /foo/"~service('doctrine').getManager().getConnection().executeQuery("DELETE * FROM TABLE")~", it will result in a following expression expr:service('repository').find(""~service('doctrine').getManager().getConnection().executeQuery("DELETE * FROM TABLE")~""), which will execute a query on the currently connected database.

To find a vulnerability in your application, look for any routing definition that uses request parameters inside expression language.

Patches

This issue has been patched for versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4. Versions prior to 1.3 were not patched.

Workarounds

The fix requires adding addslashes in ParametersParser::parseRequestValueExpression to sanitize user input before evaluating it using the expression language.

- return is_string($variable) ? sprintf('"%s"', $variable) : $variable;
+ return is_string($variable) ? sprintf('"%s"', addslashes($variable)) : $variable;

Acknowledgements

This security issue has been reported by Craig Blanchette (@isometriks), thanks a lot!

CVE-2020-15146: Remote Code Execution in OptionsParser while using request parameters inside expression language

The original security advisory has been published on GitHub at Sylius/SyliusResourceBundle repository.

Impact

Request parameters injected inside an expression evaluated by symfony/expression-language package haven’t been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution.

The vulnerable versions include: <=1.3.13 || >=1.4.0 <=1.4.6 || >=1.5.0 <=1.5.1 || >=1.6.0 <=1.6.3.

Example

sylius_grid:
  grids:
    foo:
      fields:
        bar:
          options:
            baz: "expr:service('sylius.repository.product').find($id)"

In this case, $id can be prepared in a way that calls other services.

If you visit
/route id="~service('doctrine').getManager().getConnection().executeQuery("DELETE * FROM TABLE")~", it will result in a following expression expr:service('repository').find(""~service('doctrine').getManager().getConnection().executeQuery("DELETE * FROM TABLE")~""), which will execute a query on the currently connected database.

To find a vulnerability in your application, look for any routing definition that uses request parameters inside expression language.

Patches

This issue has been patched for versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4. Versions prior to 1.3 were not patched.

Workarounds

The fix requires adding addslashes in OptionsParser::parseOptionExpression to sanitize user input before evaluating it using the expression language.

- return is_string($variable) ? sprintf('"%s"', $variable) : $variable;
+ return is_string($variable) ? sprintf('"%s"', addslashes($variable)) : $variable;

Acknowledgements

This security issue has been reported by Craig Blanchette (@isometriks), thanks a lot!

Tags: alert Sylius sylius ecommerce
Share:
More from our blog
Technical 2 min read 04.12.2024
Here’s everything you had to know about the first major release since 2017! Over 7 years after the first major release, on Nov 12, 2024, we have released Sylius 2.0.0. We had a great opportunity to announce it first at SyliusCon in Lyon, but now, as we are back to… Read More
2 min read 22.11.2024
The emotions start to settle after SyliusCon, and it’s time to reflect on this incredible milestone in our journey. Why a milestone? Because SyliusCon exceeded our expectations in every possible way. We broke attendance records and brought together the key figures of our community, numerous partners, freelancers, and simply all… Read More
Cloud 2 min read 17.06.2024
We are thrilled to announce that we just signed a strategic partnership with Platform.sh, and as a result, we are extending our offer with Sylius Cloud powered by Platform.sh. Platform.sh is a modern Platform-as-a-Service (PaaS) solution that allows businesses to leverage the cloud environment without losing access to the code… Read More
Comments
Subscribe to our newsletter
And be the first to know about Sylius news
Made with ♥️ in