wubinworks · Feb 6, 2025
diff --git a/‎Model/Exception/InvalidArgumentException.php
-14 b/‎Model/Exception/InvalidArgumentException.php
-14
diff --git a/‎Model/RequestInfo.php
+109 b/‎Model/RequestInfo.php
+109
diff --git a/‎Model/Simplexml/Element.php
-54 b/‎Model/Simplexml/Element.php
-54
diff --git a/‎Plugin/Framework/Webapi/ServiceInputProcessor.php
+164 b/‎Plugin/Framework/Webapi/ServiceInputProcessor.php
+164
diff --git a/‎README.md
+67-14 b/‎README.md
+67-14
diff --git a/‎composer.json
+2-3 b/‎composer.json
+2-3
diff --git a/‎etc/di.xml
+21-1 b/‎etc/di.xml
+21-1
@@ -0,0 +1,109 @@
+<?php
+/**
+ * Copyright © Wubinworks. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Wubinworks\CosmicStingPatch\Model;
+
+use Laminas\Http\PhpEnvironment\RemoteAddress as LaminasHttpRemoteAddress;
+use Zend\Http\PhpEnvironment\RemoteAddress as ZendHttpRemoteAddress;
+use Magento\Framework\HTTP\PhpEnvironment\Request;
+
+/**
+ * Request information
+ */
+class RequestInfo
+{
+    public const INFO_KEYS = [
+        'ip',
+        'request_line',
+        'body'
+    ];
+
+    /**
+     * @var Request
+     */
+    protected $request;
+
+    /**
+     * Constructor
+     *
+     * @param Request $request
+     */
+    public function __construct(
+        Request $request
+    ) {
+        $this->request = $request;
+    }
+
+    /**
+     * Get request information
+     *
+     * @param ?string $key
+     * @return string|string[]
+     *
+     * @throws \InvalidArgumentException
+     */
+    public function getRequestInfo(?string $key = null)
+    {
+        $info = [
+            'ip' => (string)$this->getRemoteAddress(), // `false` converted to empty string
+            'request_line' => $this->getRequestLine(),
+            'body' => $this->getRequestBody()
+        ];
+        if ($key === null) {
+            return $info;
+        }
+        if (!array_key_exists($key, $info)) {
+            throw new \InvalidArgumentException(sprintf(
+                'Unknown key %s was used to retrieve RequestInfo.',
+                $key
+            ));
+        }
+        return $info[$key];
+    }
+
+    /**
+     * Get correct remote IP address
+     *
+     * @return string|bool `false` if failed
+     */
+    protected function getRemoteAddress()
+    {
+        if (class_exists(LaminasHttpRemoteAddress::class)) {
+            $httpRemoteAddressClass = LaminasHttpRemoteAddress::class;
+        } else {
+            $httpRemoteAddressClass = ZendHttpRemoteAddress::class;
+        }
+
+        $ip = (new $httpRemoteAddressClass())->getIpAddress();
+        if ($ip) {
+            return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 | FILTER_FLAG_IPV6);
+        }
+
+        return false;
+    }
+
+    /**
+     * Get request line
+     *
+     * @return string
+     */
+    protected function getRequestLine(): string
+    {
+        return (string)$this->request->renderRequestLine();
+    }
+
+    /**
+     * Get request body with limited length
+     *
+     * @param int $maxLength
+     * @return string
+     */
+    protected function getRequestBody(int $maxLength = 1000): string
+    {
+        return mb_substr((string)$this->request->getContent(), 0, $maxLength);
+    }
+}
@@ -0,0 +1,164 @@
+<?php
+/**
+ * Copyright © Wubinworks. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Wubinworks\CosmicStingPatch\Plugin\Framework\Webapi;
+
+use Magento\Framework\Phrase;
+use Magento\Framework\Exception\SerializationException;
+use Wubinworks\CosmicStingPatch\Model\RequestInfo;
+
+/**
+ * Patch for CVE-2024-34102(aka Cosmic Sting)
+ *
+ * @link https://nvd.nist.gov/vuln/detail/CVE-2024-34102
+ * @link https://helpx.adobe.com/security/products/magento/apsb24-40.html
+ * @link https://experienceleague.adobe.com/en/docs/commerce-knowledge-base/kb/troubleshooting/known-issues-patches-attached/security-update-available-for-adobe-commerce-apsb24-40-revised-to-include-isolated-patch-for-cve-2024-34102
+ */
+class ServiceInputProcessor
+{
+    /**
+     * Including inherited classes
+     *
+     * @var string[]
+     */
+    protected $forbiddenClasses = [
+        \SimpleXMLElement::class,
+        \DOMElement::class
+    ];
+
+    /**
+     * @var RequestInfo
+     */
+    protected $requestInfo;
+
+    /**
+     * @var \Psr\Log\LoggerInterface
+     */
+    protected $logger;
+
+    /**
+     * @var array
+     */
+    protected $loggerConfig;
+
+    /**
+     * Constructor
+     *
+     * @param RequestInfo $requestInfo
+     * @param \Psr\Log\LoggerInterface $logger
+     * @param array $loggerConfig
+     */
+    public function __construct(
+        RequestInfo $requestInfo,
+        \Psr\Log\LoggerInterface $logger,
+        array $loggerConfig = []
+    ) {
+        $this->requestInfo = $requestInfo;
+        $this->logger = $logger;
+        $this->loggerConfig = array_merge($this->_initLoggerConfig(), $loggerConfig);
+    }
+
+    /**
+     * Before plugin to detect forbidden type
+     *
+     * @param \Magento\Framework\Webapi\ServiceInputProcessor $subject
+     * @param mixed $data
+     * @param string $type
+     * @return null
+     *
+     * @throws SerializationException
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+     */
+    public function beforeConvertValue(
+        \Magento\Framework\Webapi\ServiceInputProcessor $subject,
+        $data,
+        $type
+    ) {
+        $type = (string)$type;
+        if ($this->isForbiddenType($type)) {
+            $message = $this->prepareLogMessage();
+            if ($message) {
+                $this->logger->info($message);
+            }
+            throw new SerializationException(
+                new Phrase('Invalid data type detected in deserialization process.')
+            );
+        }
+
+        return null;
+    }
+
+    /**
+     * Check forbidden type
+     *
+     * @param string $type
+     * @return bool
+     */
+    protected function isForbiddenType(string $type): bool
+    {
+        foreach ($this->forbiddenClasses as $forbiddenClass) {
+            if (is_subclass_of($type, $forbiddenClass)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    /**
+     * Prepare log message
+     *
+     * @return string
+     */
+    protected function prepareLogMessage(): string
+    {
+        if (!$this->isLoggerEnabled()) {
+            return '';
+        }
+
+        $message = 'Detected possible Cosmic Sting attack.' . "\n";
+        if ($this->loggerConfig['ip']['enabled']) {
+            $message .= 'IP: ' . $this->requestInfo->getRequestInfo('ip') . "\n";
+        }
+        if ($this->loggerConfig['request_line']['enabled']) {
+            $message .= $this->requestInfo->getRequestInfo('request_line') . "\n";
+        }
+        if ($this->loggerConfig['body']['enabled']) {
+            $message .= $this->requestInfo->getRequestInfo('body') . "\n";
+        }
+
+        return $message;
+    }
+
+    /**
+     * Initialize logger config
+     *
+     * @return array
+     */
+    protected function _initLoggerConfig(): array
+    {
+        $result = [];
+        foreach (RequestInfo::INFO_KEYS as $key) {
+            $result[$key]['enabled'] = false;
+        }
+        return $result;
+    }
+
+    /**
+     * Check logger enabled
+     *
+     * @return bool
+     */
+    protected function isLoggerEnabled(): bool
+    {
+        foreach ($this->loggerConfig as $item) {
+            if ($item['enabled']) {
+                return true;
+            }
+        }
+        return false;
+    }
+}
@@ -1,10 +1,10 @@
-# Magento 2 patch for CVE-2024-34102(aka Cosmic Sting)
+# Magento 2 Patch for CVE-2024-34102(aka Cosmic Sting)
 
-**Another way(as an extension) to fix CVE-2024-34102(XXE vulnerability) with extra XML Security enhancement. If you cannot upgrade Magento or cannot apply the official patch, this one is an alternative solution.**
+**An alternative solution(as a Magento 2 extension) to fix the XXE vulnerability CVE-2024-34102(aka Cosmic Sting). If you cannot upgrade Magento or cannot apply the official patch, try this one.**
 
 **_If you don't fix this vulnerability, the attacker can RCE. We've already observed real world attacks._**
 
-[![Magento 2 patch for CVE-2024-34102(aka Cosmic Sting)](https://raw.githubusercontent.com/wubinworks/home/master/images/Wubinworks/CosmicStingPatch/cosmic-sting-patch-v1.1.jpg "Magento 2 patch for CVE-2024-34102(aka Cosmic Sting)")](https://www.wubinworks.com/cosmic-sting-patch.html)
+[![Magento 2 CVE-2024-34102(aka Cosmic Sting) Patch](https://raw.githubusercontent.com/wubinworks/home/master/images/Wubinworks/CosmicStingPatch/cosmic-sting-patch-v1.1.jpg "Magento 2 CVE-2024-34102(aka Cosmic Sting) Patch")](https://www.wubinworks.com/cosmic-sting-patch.html)
 
 ## CVE-2024-34102 Affected Magento Versions(starting from 2.3)
 
@@ -15,7 +15,7 @@
 
 ## Background
 
-[CVE-2024-34102](https://cve.org/CVERecord?id=CVE-2024-34102)(aka Cosmic Sting) was identified as XXE vulnerability and the details were published on June 2024. By exploiting this vulnerability, the attacker can read secret and important configuration files on the server.  
+[CVE-2024-34102](https://cve.org/CVERecord?id=CVE-2024-34102)(aka Cosmic Sting) was identified as [XXE](https://en.wikipedia.org/wiki/XML_external_entity_attack) vulnerability and the details were published on June 2024. By exploiting this vulnerability, the attacker can read secret and important configuration files on the server.  
 Typically, the attacker will extract encryption keys in `env.php`.
 
 In most hacked servers, we observed one or multiple of the followings:
@@ -25,7 +25,7 @@ In most hacked servers, we observed one or multiple of the followings:
  - Backdoors
  - Magento core files modified
  - PHP script that steals sales data
- - Inject Javascript to CMS pages to steal credit cards
+ - Inject malicious Javascript to CMS pages to steal credit cards
  - And maybe more
 
 If you want to know _"How Exactly It Works"_, we have very detailed blog posts that [examine](https://www.wubinworks.com/blog/post/cve-2024-34102-cosmic-sting-attack) and [fix](https://www.wubinworks.com/blog/post/cve-2024-34102-aka-cosmicsting-how-to-defend) the vulnerability.
@@ -38,20 +38,20 @@ The attacker can craft fake Admin Token by using the stolen encryption key. With
 
 ### Chained with CVE-2024-2961
 
-> XXEs are now RCEs
+> XXEs are now RCEs.
 
 As CVE-2024-34102 enables the ability to read arbitrary file on the server, the attacker can now combine it with a bug([CVE-2024-2961](https://www.cve.org/CVERecord?id=CVE-2024-2961)) discovered in `glibc` to run any command on the server. One real case we experienced was that multiple backdoors got downloaded and installed.  
 The `glibc` bug exists in `glibc` version <= 2.3.9
 
 ##### Check `glibc` version by running
 
-```
+```bash
 ldd --version | grep -i 'libc'
 ```
 
 ## How to fix?
 
-### Fix CVE-2024-34102
+### Fix the Main Vulnerability CVE-2024-34102
 
 There are 3 Ways Available:
 
@@ -66,7 +66,7 @@ There are 3 Ways Available:
 This step invalidates crafted fake tokens to completely deny WebAPI access from attacker.  
 _If you are unsure whether encryption keys are leaked or not, do this step._
 
-##### More Info
+##### Additional Info
 
 Some Magento 2.4 versions have a bug that you need to apply a [patch](https://github.com/wubinworks/magento2-jwt-auth-patch) before performing key rotation.
 
@@ -76,26 +76,79 @@ Some Magento 2.4 versions have a bug that you need to apply a [patch](https://gi
 
 [New Magento encryption key format](https://www.wubinworks.com/blog/post/new-encryption-key-format-introduced-on-magento-2.4.7)
 
-### Fix `glibc` Bug(Highly Recommended)
+### Fix `glibc` Bug(Strongly Recommended)
 
 Update `glibc` to >= 2.40 to fix CVE-2024-2961.
 
+_Don't forget to reboot server._
+
+## Feature
+
+This extension
+
+ - Fixes CVE-2024-34102(Can PASS the [Official Security Scan Tool](https://account.magento.com/scanner/dashboard/))
+ - Version 1.2.0 new feature: _Who Attacked My Site_  
+For those who are interested in the attacker, check [Logging](#logging) section.
+
+## Logging
+
+##### Enable Logging
+
+By default, logging is disabled for performance consideration. To enable, open a local module and merge the following to `etc/di.xml`.
+
+```xml
+<?xml version="1.0"?>
+<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
+    <type name="Wubinworks\CosmicStingPatch\Plugin\Framework\Webapi\ServiceInputProcessor">
+        <arguments>
+            <argument name="loggerConfig" xsi:type="array">
+                <item name="ip" xsi:type="array">
+                    <item name="enabled" xsi:type="boolean">true</item>
+                </item>
+            </argument>
+        </arguments>
+    </type>
+</config>
+```
+
+##### Log Location
+
+```text
+<magento_root>/var/log/wubinworks_cve-2024-34102.log
+```
+
+##### Incorrect IP Address?
+
+If you got incorrect IP such as `127.0.0.1`, empty string or a CDN's IP, this means your ***web server, middleware, and/or proxy server have incorrect settings***. There is no way to tell the real IP address without fixing those incorrect settings.
+
 ## Requirements
 
-Magento 2.3  
-Magento 2.4
+Magento 2.3 or 2.4
+
+##### PHP Version Compatibility
+
+Version 1.0.0 and 1.1.0 support PHP 8 only  
+Version 1.2.0(re-designed) supports PHP 7 and PHP 8
 
 ## Installation
 
+Latest:  
 **`composer require wubinworks/module-cosmic-sting-patch`**
 
-_This extension requires dependencies that are not included in default Magento installation, so you need to use `composer`._
+Installation Tips:  
+ - _Version 1.0.0 and 1.1.0 must be installed via `composer`_
+ - _Version 1.2.0 can be installed via `composer` or directly to `app/code`_
 
 ## ♥
 
 If you like this extension or this extension helped you, please ★star☆ this repository.
 
 You may also like:  
-[Magento 2 patch for CVE-2022-24086, CVE-2022-24087](https://github.com/wubinworks/magento2-template-filter-patch)  
+[Magento 2 Patch for CVE-2022-24086, CVE-2022-24087](https://github.com/wubinworks/magento2-template-filter-patch)  
+[Magento 2 Enhanced XML Security](https://github.com/wubinworks/magento2-enhanced-xml-security)  
+[Magento 2 Encryption Key Manager CLI](https://github.com/wubinworks/magento2-encryption-key-manager-cli)  
+[Magento 2 JWT Authentication Patch](https://github.com/wubinworks/magento2-jwt-auth-patch)  
+
 [Magento 2 Disable Customer Change Email Extension](https://github.com/wubinworks/disable-change-email)  
 [Magento 2 Disable Customer Extension](https://github.com/wubinworks/magento2-disable-customer)
@@ -1,6 +1,6 @@
 {
     "name": "wubinworks/module-cosmic-sting-patch",
-    "description": "Another way(as an extension) to fix CVE-2024-34102(XXE vulnerability) with extra XML Security enhancement. If you cannot upgrade Magento or cannot apply the official patch, this one is an alternative solution.",
+    "description": "An alternative solution(as a Magento 2 extension) to fix the XXE vulnerability CVE-2024-34102(aka Cosmic Sting). If you cannot upgrade Magento or cannot apply the official patch, try this one.",
     "keywords": [
         "cve-2024-34102",
         "cosmic sting",
@@ -20,11 +20,10 @@
     },
     "require": {
         "php": ">=7.1",
-        "wubinworks/module-xml-security": "^1.0.1",
         "magento/magento2-base": "~2.3.0 || ~2.4.0"
     },
     "type": "magento2-module",
-    "version": "1.1.0",
+    "version": "1.2.0",
     "license": "OSL-3.0",
     "authors": [
         {
 
@@ -7,5 +7,25 @@
 -->
 <config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
-    <preference for="Magento\Framework\Simplexml\Element" type="Wubinworks\CosmicStingPatch\Model\Simplexml\Element" />
+    <type name="Magento\Framework\Webapi\ServiceInputProcessor">
+        <plugin name="wubinworks_cosmicstingpatch_plugin_framework_webapi_serviceinputprocessor" type="Wubinworks\CosmicStingPatch\Plugin\Framework\Webapi\ServiceInputProcessor" />
+    </type>
+    <virtualType name="Wubinworks\CosmicStingPatch\Model\Logger\Handler\Debug" type="Magento\Framework\Logger\Handler\Base">
+        <arguments>
+            <argument name="fileName" xsi:type="string">var/log/wubinworks_cve-2024-34102.log</argument>
+         </arguments>
+    </virtualType>
+    <virtualType name="Wubinworks\CosmicStingPatch\Model\Logger\Debug" type="Magento\Framework\Logger\Monolog">
+        <arguments>
+            <argument name="name" xsi:type="string">CVE-2024-34102</argument>
+            <argument name="handlers" xsi:type="array">
+                <item name="system" xsi:type="object">Wubinworks\CosmicStingPatch\Model\Logger\Handler\Debug</item>
+            </argument>
+        </arguments>
+    </virtualType>
+    <type name="Wubinworks\CosmicStingPatch\Plugin\Framework\Webapi\ServiceInputProcessor">
+        <arguments>
+            <argument name="logger" xsi:type="object">Wubinworks\CosmicStingPatch\Model\Logger\Debug</argument>
+        </arguments>
+    </type>
 </config>