CVE-2022-24086

CVE-2022-24086 is a critical zero-day security vulnerability in Magento 2 code. Successful exploitation could lead to arbitrary code execution. The vulnerability was exploited in the wild against Magento 2.x merchants.

This kind of de-serialization attack has been disabled in OpenMage since version 19.4.9:
[https://github.com/OpenMage/magento-lts/pull/1251/commits/8c4d7b10e5e83917e77be057d683c3601aad20f9]

Magento 1.x can be patched accordingly.

For Magento 2.x there is an official patch, released by Adobe on February 13, 2022:
diff --git a/app/code/Magento/Email/Model/Template/Filter.php b/app/code/Magento/Email/Model/Template/Filter.php
index 1a7c3683820a..586cb485ee1f 100644
--- a/app/code/Magento/Email/Model/Template/Filter.php
+++ b/app/code/Magento/Email/Model/Template/Filter.php
@@ -618,6 +618,12 @@ public function transDirective($construction)
         }
 
         $text = __($text, $params)->render();
+
+        $pattern = '/{{.*?}}/';
+        do {
+            $text = preg_replace($pattern, '', (string)$text);
+        } while (preg_match($pattern, $text));
+
         return $this->applyModifiers($text, $modifiers);
     }
 
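Review bot: the return value of preg_replace() in the added loop in transDirective() is assigned straight back to $text without a null check, and preg_replace() returns null on a PCRE error, so a failure would silently turn the translated text into an empty value that is then passed to applyModifiers(). The (string) cast only covers the input to preg_replace(), not the $text handed to preg_match(). Consider checking for null explicitly and failing closed, and using the count argument of preg_replace() as the loop condition so the text is not scanned a second time with preg_match() on every pass.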
diff --git a/lib/internal/Magento/Framework/Filter/DirectiveProcessor/VarDirective.php b/lib/internal/Magento/Framework/Filter/DirectiveProcessor/VarDirective.php
index f2fe398c3848..78034d70ba51 100644
--- a/lib/internal/Magento/Framework/Filter/DirectiveProcessor/VarDirective.php
+++ b/lib/internal/Magento/Framework/Filter/DirectiveProcessor/VarDirective.php
@@ -55,6 +55,11 @@ public function process(array $construction, Template $filter, array $templateVa
             $result = $this->filterApplier->applyFromRawParam($construction['filters'], $result);
         }
 
+        $pattern = '/{{.*?}}/';
+        do {
+            $result = preg_replace($pattern, '', (string)$result);
+        } while (preg_match($pattern, $result));
+
         return $result;
     }
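Review bot: the pattern '/{{.*?}}/' on the added $pattern line in process() has no s modifier, so . stops at a newline and a {{ ... }} sequence that spans lines in $result would be left in place; add the s modifier, or add a comment stating why directives cannot span lines at this point. The same pattern and do/while loop are also added to Filter.php in transDirective(), so moving them into one shared helper with a comment explaining why directive syntax is stripped from rendered output would keep the two copies from drifting apart.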
