CVE-2021-32758 | Magentary

CVE-2021-32758 is a vulnerability in Magento 1.x and OpenMage versions prior to v19.4.15. Layout XML enabled admin users were able to execute arbitrary commands via block methods.
The vulnerability was fixed in OpenMage v19.4.15 with the following patch:


diff --git a/app/code/core/Mage/Core/Helper/Security.php b/app/code/core/Mage/Core/Helper/Security.php
index 00c4c53964..1eb2f08fb5 100644
--- a/app/code/core/Mage/Core/Helper/Security.php
+++ b/app/code/core/Mage/Core/Helper/Security.php
@@ -21,7 +21,10 @@ class Mage_Core_Helper_Security
     public function validateAgainstBlockMethodBlacklist(Mage_Core_Block_Abstract $block, $method, array $args)
     {
         foreach ($this->invalidBlockActions as $action) {
-            if ($block instanceof $action['block'] && strtolower($action['method']) === strtolower($method)) {
+            $calledMethod = strtolower($method);
+            if (($block instanceof $action['block'] && strtolower($action['method']) === $calledMethod)
+                || ($block instanceof $action['block']
+                    && strtolower($action['block'] . '::' . $action['method']) === $calledMethod)) {
                 Mage::throwException(
                     sprintf('Action with combination block %s and method %s is forbidden.', get_class($block), $method)
                 );

4.00 / 5 5
1 / 5
2 / 5
3 / 5
4 / 5
5 / 5

3 votes, 4.00 avg. rating (77% score)