CVE-2024-34102 (a.k.a. CosmicSting): How to Defend

How do you fix CVE-2024-34102? Upgrading Magento to a version greater than 2.4.7-p1 is the best solution, but sometimes that cannot be done within a few days, and your store may be hacked before the official patch is applied.

The most common concern from our consultees is the cost of upgrading to the newest version.

In the previous blog post we described how CVE-2024-34102 can be exploited. In this post we provide another way to fix this security hole.

As you can see, \Magento\Framework\Simplexml\Element inherits its constructor from PHP's built-in SimpleXMLElement, which is unsafe because it allows dangerous parameters.

The implementation of our fix is extremely simple. Just declare a "preference" for the \Magento\Framework\Simplexml\Element class and override the constructor:

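<?php
# Link: https://github.com/wubinworks/magento2-cosmic-sting-patch/blob/8a95fb819a0109ed434d14b29c4ad0d552d5501c/Framework/Simplexml/Element.php
// Constructor of the class that replaces \Magento\Framework\Simplexml\Element
// through the preference.
public function __construct(
    string $data,
    int $options = 0,
    bool $dataIsURL = false,
    string $namespaceOrPrefix = "",
    bool $isPrefix = false
) {
    // Reject the input before it reaches the parser if it contains an ENTITY.
    if (XmlSecurity::hasEntity($data)) {
        throw new \Laminas\Xml\Exception\InvalidArgumentException(
            'Input XML string should not contain ENTITY.'
        );
    }
    // The caller's $dataIsURL is ignored: false is always passed to the parent,
    // so $data is only ever treated as an XML string.
    parent::__construct(
        $data,
        $options,
        false,
        $namespaceOrPrefix,
        $isPrefix
    );
}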

The override first checks whether the input string $data is evil, that is, whether it contains an ENTITY.

Note that the third parameter, $dataIsURL, is also dangerous, so we force it to false.
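The same guard as a stand-alone PHP 8 script, run over two constructed inputs. This is an added example, not the module's code: isUnsafeXml() is a hypothetical stand-in for XmlSecurity::hasEntity() (it additionally rejects input that is not ASCII-compatible, where a byte scan for ENTITY would not be reliable), GuardedXmlElement is an illustrative class name, and PHP's own \InvalidArgumentException replaces the Laminas exception so the script has no dependencies.

```php
<?php
declare(strict_types=1);
// Hypothetical stand-in for the module's XmlSecurity::hasEntity(); the real
// check lives in the linked repository and may differ.
function isUnsafeXml(string $xml): bool
{
    // A byte scan is only meaningful for ASCII-compatible input, so NUL bytes
    // or a declared encoding other than UTF-8/ASCII are rejected as well.
    if (str_contains($xml, "\0")) {
        return true;
    }
    if (preg_match('/<\?xml[^>]*\bencoding\s*=\s*["\']([^"\']+)/i', $xml, $m)
        && !in_array(strtoupper($m[1]), ['UTF-8', 'US-ASCII', 'ASCII'], true)) {
        return true;
    }
    return stripos($xml, '<!ENTITY') !== false;
}

// Illustrative subclass mirroring the override above (PHP 8 signature).
class GuardedXmlElement extends \SimpleXMLElement
{
    public function __construct(
        string $data,
        int $options = 0,
        bool $dataIsURL = false,
        string $namespaceOrPrefix = '',
        bool $isPrefix = false
    ) {
        if (isUnsafeXml($data)) {
            throw new \InvalidArgumentException('Input XML string should not contain ENTITY.');
        }
        // $dataIsURL is deliberately ignored: $data is always parsed as a string.
        parent::__construct($data, $options, false, $namespaceOrPrefix, $isPrefix);
    }
}

// Constructed samples: a plain document and one declaring a harmless internal entity.
$samples = [
    'plain'  => '<?xml version="1.0"?><config><name>store</name></config>',
    'entity' => '<?xml version="1.0"?><!DOCTYPE c [<!ENTITY e "x">]><c>&e;</c>',
];
foreach ($samples as $label => $xml) {
    try {
        $el = new GuardedXmlElement($xml);
        echo "$label: parsed, root <{$el->getName()}>\n";
    } catch (\InvalidArgumentException $e) {
        echo "$label: rejected ({$e->getMessage()})\n";
    }
}
```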

To install this module:
composer require wubinworks/module-cosmic-sting-patch

Check the latest information on GitHub.