
CVE-2020-26295

CVE-2020-26295, also known as the CMS Editor code execution vulnerability, is a critical vulnerability in Magento 1.x and in OpenMage prior to v19.4.10. It allows an administrator with permission to import/export data and to edit CMS pages to inject an executable file onto the server via layout XML.

All Magento 1.x versions and OpenMage versions prior to 19.4.10 (20.0.6) are affected. The vulnerability is fixed in OpenMage v19.4.10, and the patch was released on January 19, 2021.

Note: Install this and any other missing patches with our Magento patch installation service or upgrade to OpenMage LTS v19.4.15 (released on August 26, 2021).


Patch for CVE-2020-26295

The patch can be downloaded from GitHub: [https://github.com/OpenMage/magento-lts/commit/9cf8c0aa1d1306051a18ace08d40279dadc1fb35.patch]
diff --git a/app/code/core/Mage/Core/Block/Abstract.php b/app/code/core/Mage/Core/Block/Abstract.php
index edaedb2444..606497a9b8 100644
--- a/app/code/core/Mage/Core/Block/Abstract.php
+++ b/app/code/core/Mage/Core/Block/Abstract.php
@@ -536,6 +536,7 @@ public function unsetCallChild($alias, $callback, $result, $params)
                 $params = $args;
             }
 
+            Mage::helper('core/security')->validateAgainstBlockMethodBlacklist($child, $callback, $params);
             if ($result == call_user_func_array(array(&$child, $callback), $params)) {
                 $this->unsetChild($alias);
             }
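Review bot: The added guard is a denylist, so only the block/method pairs registered in Mage_Core_Helper_Security are refused and any other public block method named in layout XML still reaches `call_user_func_array` on the following line; the identical call added in Mage/Core/Model/Layout.php::_generateAction has the same property. That is a reasonable hotfix, but the consuming sites should say so, e.g. `// Denylist check (CVE-2020-26295): refuses known-dangerous block/method pairs only; extend the helper's list when new render/file-handling methods are added.` The pre-existing loose comparison `$result == call_user_func_array(...)` on the next line is untouched by the commit and would be safer as `===` in a follow-up. unsetCallChild begins outside the hunk.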
diff --git a/app/code/core/Mage/Core/Helper/Security.php b/app/code/core/Mage/Core/Helper/Security.php
new file mode 100644
index 0000000000..00c4c53964
--- /dev/null
+++ b/app/code/core/Mage/Core/Helper/Security.php
@@ -0,0 +1,31 @@
+<?php
+
+class Mage_Core_Helper_Security
+{
+
+    private $invalidBlockActions
+        = [
+            // explicitly not using class constant here Mage_Page_Block_Html_Topmenu_Renderer::class
+            // if the class does not exists it breaks.
+            ['block' => Mage_Page_Block_Html_Topmenu_Renderer::class, 'method' => 'render'],
+            ['block' => Mage_Core_Block_Template::class, 'method' => 'fetchView'],
+        ];
+
+    /**
+     * @param Mage_Core_Block_Abstract $block
+     * @param string                   $method
+     * @param string[]                 $args
+     *
+     * @throws Mage_Core_Exception
+     */
+    public function validateAgainstBlockMethodBlacklist(Mage_Core_Block_Abstract $block, $method, array $args)
+    {
+        foreach ($this->invalidBlockActions as $action) {
+            if ($block instanceof $action['block'] && strtolower($action['method']) === strtolower($method)) {
+                Mage::throwException(
+                    sprintf('Action with combination block %s and method %s is forbidden.', get_class($block), $method)
+                );
+            }
+        }
+    }
+}
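Review bot: The comment above `$invalidBlockActions` states the code is "explicitly not using class constant here", yet the two entries that follow do use `Mage_Page_Block_Html_Topmenu_Renderer::class` and `Mage_Core_Block_Template::class`; since `::class` resolves to the class-name string at compile time without autoloading, the reference is safe even when the class is not installed, and the comment should say that instead: `// ::class yields the name string at compile time without autoloading, so an absent block class does not break this list.` The `$args` parameter is accepted but never inspected, so the `string[]` docblock is currently decorative; either document it as reserved for future argument validation or drop it from the description. The `strtolower()` comparison is correct because PHP method names are case-insensitive, which deserves a one-line why-comment on that condition.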
diff --git a/app/code/core/Mage/Core/Model/Layout.php b/app/code/core/Mage/Core/Model/Layout.php
index 458b1514f0..4cf84b04d7 100644
--- a/app/code/core/Mage/Core/Model/Layout.php
+++ b/app/code/core/Mage/Core/Model/Layout.php
@@ -345,6 +345,8 @@ protected function _generateAction($node, $parent)
                 }
             }
 
+            Mage::helper('core/security')->validateAgainstBlockMethodBlacklist($block, $method, $args);
+
             $this->_translateLayoutNode($node, $args);
             call_user_func_array(array($block, $method), array_values($args));
         }