CVE-2021-21395: openmage/magento-lts - Packagist

Magento LTS (Long Term Support) is a community-developed alternative to the Magento CE official releases. Versions prior to 19.4.22 and 20.0.19 are vulnerable to Cross-Site Request Forgery: the password reset form is vulnerable to CSRF between the time the reset password link is clicked and the user submits the new password. This issue is patched in versions 19.4.22 and 20.0.19. There are no workarounds.
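The window the advisory describes is easy to misjudge, so here is a runnable model of it. This is an added example written for this page, not OpenMage's code or its patch: it reproduces the generic pattern (the e-mailed reset token is consumed when the link is opened, the "mid-reset" state then lives only in the server-side session, and the final POST that sets the password is the request an attacker can forge cross-site) and contrasts an unpatched flow with one that requires a session-bound form key on that POST. The class, function and session names are assumptions for illustration.

```python
import hmac
import secrets
from typing import Dict, Optional


class PasswordResetFlow:
    """Server side of a password-reset flow (constructed model, not OpenMage code)."""

    def __init__(self, require_form_key: bool) -> None:
        self.require_form_key = require_form_key
        self.reset_tokens: Dict[str, str] = {}   # email -> one-time token carried in the mailed link
        self.sessions: Dict[str, dict] = {}      # session cookie value -> server-side session data
        self.passwords: Dict[str, str] = {}      # email -> current password (plaintext only for the demo)

    def request_reset(self, email: str) -> str:
        """Step 1: the user asks for a reset; the token is put into the e-mailed link."""
        token = secrets.token_urlsafe(32)
        self.reset_tokens[email] = token
        return token

    def open_reset_link(self, session_id: str, email: str, token: str) -> bool:
        """Step 2: the user clicks the link. The token is checked and consumed, the
        session is marked as mid-reset, and the new-password form is shown without
        the token in its URL. The CSRF window is open from here until step 3."""
        expected = self.reset_tokens.get(email)
        if expected is None or not hmac.compare_digest(expected.encode(), token.encode()):
            return False
        del self.reset_tokens[email]                 # single use
        self.sessions[session_id] = {
            "reset_email": email,
            "form_key": secrets.token_urlsafe(16),   # per-session anti-CSRF secret, embedded in the form
        }
        return True

    def submit_new_password(self, session_id: str, new_password: str,
                            form_key: Optional[str] = None) -> bool:
        """Step 3: the POST that actually sets the password. The browser attaches the
        session cookie to a cross-site POST as well, so session state alone does not
        prove the request came from our own form; only the form key does."""
        sess = self.sessions.get(session_id)
        if sess is None or "reset_email" not in sess:
            return False
        if self.require_form_key:
            if form_key is None or not hmac.compare_digest(form_key.encode(), sess["form_key"].encode()):
                return False
        self.passwords[sess.pop("reset_email")] = new_password   # window closes
        return True

    def form_key_for(self, session_id: str) -> str:
        """The hidden field value the legitimate form carries."""
        return self.sessions[session_id]["form_key"]


def csrf_attack_succeeds(require_form_key: bool) -> bool:
    """Victim opens the reset link, then, before submitting, loads an attacker page
    that auto-submits a POST to the reset endpoint. The attacker cannot read the
    victim's session, so the forged request carries no valid form key."""
    flow = PasswordResetFlow(require_form_key)
    victim_cookie = "sid-victim"                     # constructed session id
    token = flow.request_reset("victim@example.com")
    if not flow.open_reset_link(victim_cookie, "victim@example.com", token):
        raise RuntimeError("link should validate")
    flow.submit_new_password(victim_cookie, "attacker-chosen")   # forged cross-site POST
    return flow.passwords.get("victim@example.com") == "attacker-chosen"


def legitimate_reset_succeeds(require_form_key: bool) -> bool:
    """The real user submits the form with the embedded form key."""
    flow = PasswordResetFlow(require_form_key)
    token = flow.request_reset("user@example.com")
    flow.open_reset_link("sid-user", "user@example.com", token)
    ok = flow.submit_new_password("sid-user", "new-secret", form_key=flow.form_key_for("sid-user"))
    return ok and flow.passwords.get("user@example.com") == "new-secret"


def reset_token_is_single_use() -> bool:
    """Replaying the mailed token from a second browser must fail."""
    flow = PasswordResetFlow(require_form_key=True)
    token = flow.request_reset("user@example.com")
    first = flow.open_reset_link("sid-a", "user@example.com", token)
    second = flow.open_reset_link("sid-b", "user@example.com", token)
    return first and not second


if __name__ == "__main__":
    print("unpatched flow, forged POST sets password:", csrf_attack_succeeds(False))
    print("form key enforced, forged POST sets password:", csrf_attack_succeeds(True))
```

The point the model makes: the mailed token is already spent by the time the form is displayed, so it cannot serve as the CSRF proof for the final POST; the submit action needs its own per-session secret that a cross-site page cannot read. Whether OpenMage's actual fix is implemented this way is not stated on this page.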


README

Magento - Long Term Support

This repository is the home of an unofficial community-driven project. Its goal is to be a dependable alternative to the Magento CE official releases, integrating improvements directly from the community while maintaining a high level of backwards compatibility with the official releases.

Pull requests with bug fixes and security patches from the community are encouraged and welcome!

Table of contents

  • Requirements
    • Optional
  • Installation
    • Manual Install
    • Composer
    • Git
  • Secure your installation
    • Apache .htaccess
    • Nginx
  • Changes
    • Between Magento 1.9.4.5 and OpenMage 19.x
    • Between OpenMage 19.4.18 / 20.0.16 and 19.4.19 / 20.0.17
    • Since OpenMage 19.5.0 / 20.1.0
    • New Config Options
    • New Events
    • Changes to SOAP/WSDL
  • Development Environment with ddev
  • Development with PHP 8.1
  • PhpStorm Factory Helper
  • Versioning
  • Public Communication
  • Maintainers
  • License
  • Contributors

Requirements

  • PHP 7.3+ (PHP 8.0 is supported, PHP 8.1 is work in progress)

  • MySQL 5.6+ (8.0+ recommended) or MariaDB

  • PHP extension intl since 19.4.19 & 20.0.17

  • Command patch 2.7+ (or gpatch on macOS/Homebrew) since 19.5.0 & 20.1.0

Please be aware that although OpenMage itself is compatible with these PHP and database versions, one or more of your extensions may not be.

Optional

  • Redis 5+ (6.x recommended, latest verified compatible 6.0.7 with 20.x)

Installation

Manual Install

Download the latest release archive and extract it over your existing install. Important: you must download the ZIP file from a tagged version on the releases page, otherwise there will be missing dependencies.

Composer

Step 1: Create a new composer project:

composer init

Step 2: Configure composer. The below options are required. You can see all options here.

Allow composer to apply patches to dependencies of magento-lts

composer config --json extra.enable-patching true

Configure Magento core composer installer to use magento-lts as the Magento source package

composer config extra.magento-core-package-type magento-source

Configure the root directory that magento-lts will be installed to, such as "pub", "htdocs", or “www”

composer config extra.magento-root-dir pub

Step 3: Require magento-core-composer-installer:

PHP 7

composer require "aydin-hassan/magento-core-composer-installer":"~2.0.0"

PHP 8

composer require "aydin-hassan/magento-core-composer-installer":"^2.1.0"

Note: be sure to select y if composer asks you to trust aydin-hassan/magento-core-composer-installer.

Step 4: Require magento-lts:

OpenMage v19

composer require "openmage/magento-lts":"^19.4.0"

OpenMage v20

composer require "openmage/magento-lts":"^20.0.0"

Note: be sure to select y if composer asks you to trust magento-hackathon/magento-composer-installer or cweagans/composer-patches.

To install the latest development version (may be unstable):

OpenMage v19

composer require "openmage/magento-lts":"1.9.4.x-dev"

OpenMage v20

composer require "openmage/magento-lts":"20.0.x-dev"

Git

If you want to contribute to the project:

git init
git remote add origin https://github.com/<YOUR GIT USERNAME>/magento-lts
git pull origin main
git remote add upstream https://github.com/OpenMage/magento-lts
git pull upstream 1.9.4.x
git add -A && git commit

More Information

Secure your installation

Don't use common paths like /admin for the OpenMage backend URL. Don't list the path in robots.txt, and keep it secret. You can change it from the backend (System / Configuration / Admin / Admin Base Url) or by editing app/etc/local.xml:

<config>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[admin]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>

Don't use common file names like api.php for the OpenMage API entry point; automated scanners probe well-known paths first. Don't list the new file name in robots.txt, and share it only with your integration partners. After renaming the file you must update the webserver configuration as follows, replacing api.php with the new file name:

Apache .htaccess

RewriteRule ^api/rest api.php?type=rest [QSA,L]

Nginx

rewrite ^/api/(\w+).*$ /api.php?type=$1 last;
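A small audit for the two pieces of advice above, added here as an example (it is not an OpenMage tool): it reads the admin frontName from app/etc/local.xml, flags guessable names, warns when the API entry point still has its stock file name, and checks that robots.txt does not disclose either path. The list of "common" admin names, the hardened frontName and the sample local.xml and robots.txt contents are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET
from typing import List

# Names an attacker or scanner will try first (constructed list for this example).
COMMON_ADMIN_NAMES = {"admin", "administrator", "adminhtml", "backend", "manage", "manager", "panel", "cp"}


def admin_front_name(local_xml: str) -> str:
    """Read admin/routers/adminhtml/args/frontName from the text of app/etc/local.xml."""
    root = ET.fromstring(local_xml)
    node = root.find("./admin/routers/adminhtml/args/frontName")
    text = (node.text or "").strip() if node is not None else ""
    return text or "admin"   # nothing configured means the stock /admin path applies


def robots_disclosures(robots_txt: str, secret_names: List[str]) -> List[str]:
    """Return robots.txt rule lines whose path contains one of the secret names as a segment."""
    wanted = {n.lower() for n in secret_names}
    hits = []
    for line in robots_txt.splitlines():
        m = re.match(r"\s*(?:dis)?allow\s*:\s*(\S*)", line, re.IGNORECASE)
        if not m:
            continue
        segments = {s.lower() for s in m.group(1).split("/") if s}
        if segments & wanted:
            hits.append(line.strip())
    return hits


def audit_admin_path(local_xml: str, robots_txt: str, api_file: str = "api.php") -> List[str]:
    """Findings as strings; an empty list means every check passed."""
    findings = []
    name = admin_front_name(local_xml)
    if name.lower() in COMMON_ADMIN_NAMES:
        findings.append(f"admin frontName '{name}' is a common, guessable path")
    if api_file == "api.php":
        findings.append("API entry point still uses the stock file name api.php")
    for line in robots_disclosures(robots_txt, [name, api_file]):
        findings.append(f"robots.txt discloses a path that should stay secret: {line}")
    return findings


# Constructed sample inputs: a stock install and a hardened one.
DEFAULT_LOCAL_XML = """<config><admin><routers><adminhtml><args>
<frontName><![CDATA[admin]]></frontName></args></adminhtml></routers></admin></config>"""
DEFAULT_ROBOTS = "User-agent: *\nDisallow: /admin/\nDisallow: /api.php\n"

HARDENED_LOCAL_XML = """<config><admin><routers><adminhtml><args>
<frontName><![CDATA[k7q2backoffice]]></frontName></args></adminhtml></routers></admin></config>"""
HARDENED_ROBOTS = "User-agent: *\nDisallow: /checkout/\nDisallow: /customer/\n"

if __name__ == "__main__":
    for finding in audit_admin_path(DEFAULT_LOCAL_XML, DEFAULT_ROBOTS):
        print("FAIL:", finding)
    print("hardened findings:",
          audit_admin_path(HARDENED_LOCAL_XML, HARDENED_ROBOTS, api_file="x9shop-api.php"))
```

Run it against the real files with `audit_admin_path(open("app/etc/local.xml").read(), open("robots.txt").read(), api_file="<your renamed file>")`. The robots check matches whole path segments, so a rule for /administrator/ does not trigger on a frontName of admin, but it will still catch the stock names if they are ever listed.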

Changes

The most important changes are listed here; all other changes since 19.4.0 can be found in the release notes.

Between Magento 1.9.4.5 and OpenMage 19.x

  • bug fixes and PHP 7.x, 8.0 and 8.1 compatibility
  • added config cache for system.xml (#1916)
  • search for “NULL” in backend grids (#1203)
  • removed lib/flex containing unused ActionScript “file uploader” files (#2271)
  • Mage_Catalog_Model_Resource_Abstract::getAttributeRawValue() now returns ‘0’ instead of false if the value stored in the database is 0 (#572)
  • removed modules:
    • Mage_Backup (#2811)
    • Mage_Compiler
    • Mage_GoogleBase
    • Mage_PageCache (#2258)
    • Mage_Xmlconnect
    • Phoenix_Moneybookers

If you rely on those modules you can reinstall them with composer:

  • Mage_Backup: composer require openmage/module-mage-backup
  • Mage_PageCache: composer require openmage/module-mage-pagecache

Between OpenMage 19.4.18 / 20.0.16 and 19.4.19 / 20.0.17

  • PHP extension intl is required

Between OpenMage 19.x and 20.x

Do not use 20.x.x if you need IE support.

  • removed IE conditional comments, IE styles, IE scripts and IE eot files (#1073)
  • removed frontend default themes (default, modern, iphone, german, french, blank, blue) (#1600)
  • fixed incorrect datetime in customer block ($useTimezone parameter) (#1525)
  • added redis as a valid option for global/session_save (#1513)
  • reduce needless saves by avoiding setting _hasDataChanges flag (#2066)
  • removed support for global/sales/old_fields_map defined in XML (#921)
  • enabled website level config cache (#2355)
  • make overrides of Mage_Core_Model_Resource_Db_Abstract::delete respect parent api (#1257)

For full list of changes, you can compare tags.

Since OpenMage 19.5.0 / 20.1.0

Most of the 3rd party libraries/modules that were bundled in our repository were removed and migrated to composer dependencies. This allows for better maintenance and upgradability.

Specifically:

  • phpseclib, mcrypt_compat, Cm_RedisSession, Cm_Cache_Backend_Redis, Pelago_Emogrifier (#2411)
  • Zend Framework 1 (#2827)

If your project uses OpenMage through composer then all dependencies will be managed automatically.
If you just extracted the release zip/tarball in your project’s main folder then be sure to:

  • remove the old copy of aforementioned libraries from your project, you can do that with this command:

    rm -rf app/code/core/Zend lib/Cm lib/Credis lib/mcryptcompat lib/Pelago lib/phpseclib lib/Zend

  • download the new release zip file that is named openmage-VERSIONNUMBER.zip, this one is built to contain the vendor folder generated by composer, with all the dependencies in it

  • extract the zip file in your project’s repository as you always did

We also decided to remove our Zend_DB patches (which were stored in app/code/core/Zend) because they were very old and not compatible with the new implementation provided by ZF1-Future, which is much more advanced and feature rich. This may break Zend_Db_Select statements that do not use Zend_Db_Expr to quote expressions. If you see SQL errors after upgrading, remember to check your code for this specific issue.

New Config Options

  • admin/design/use_legacy_theme
  • admin/global_search/enable
  • admin/emails/admin_notification_email_template
  • catalog/product_image/progressive_threshold
  • catalog/search/search_separator
  • dev/log/max_level
  • newsletter/security/enable_form_key
  • sitemap/category/lastmod
  • sitemap/page/lastmod
  • sitemap/product/lastmod

New Events

  • adminhtml_block_widget_form_init_form_values_after
  • adminhtml_block_widget_tabs_html_before
  • adminhtml_sales_order_create_save_before
  • checkout_cart_product_add_before
  • sitemap_cms_pages_generating_before
  • sitemap_urlset_generating_before

Full list of events

Changes to SOAP/WSDL

Since 19.4.17/20.0.15 we changed the targetNamespace of all the WSDL files (used in the API modules) from Magento to OpenMage. If your custom modules extend OpenMage's APIs with a custom WSDL file and it contains hardcoded targetNamespace="urn:Magento" strings, your APIs may stop working.

Please replace all occurrences of

targetNamespace="urn:Magento"

with

targetNamespace="urn:OpenMage"

or alternatively

targetNamespace="urn:{{var wsdl.name}}"

to avoid any problem.

To find which files need the modification you can run this command from the root directory of your project.

grep -rn 'urn:Magento' --include \*.xml
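The grep only finds the files; the replacement still has to be applied to each one. The script below is an added example, not an OpenMage tool: it locates the same files the grep does, replaces only the exact attribute string with the version-neutral form recommended above (any of the two replacements can be passed in), supports a dry run, and builds a constructed module tree in a temporary directory to show the result. The directory layout and file contents are assumptions for the demo.

```python
import tempfile
from pathlib import Path
from typing import Dict, List

OLD = 'targetNamespace="urn:Magento"'
NEW = 'targetNamespace="urn:{{var wsdl.name}}"'   # version-neutral form from the README


def find_hardcoded(root: Path) -> List[Path]:
    """Same result as the grep above: XML files still carrying the old namespace."""
    return sorted(p for p in root.rglob("*.xml") if OLD in p.read_text(encoding="utf-8"))


def migrate(root: Path, replacement: str = NEW, dry_run: bool = False) -> List[Path]:
    """Replace the attribute string in place and return the files touched.
    Only the exact attribute string is replaced, so other text in the files is untouched."""
    changed = []
    for path in find_hardcoded(root):
        if not dry_run:
            text = path.read_text(encoding="utf-8")
            path.write_text(text.replace(OLD, replacement), encoding="utf-8")
        changed.append(path)
    return changed


def demo() -> Dict[str, object]:
    """Build a constructed module tree, migrate it, and report before/after."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        etc = root / "app" / "code" / "local" / "Vendor" / "Module" / "etc"   # assumed layout
        etc.mkdir(parents=True)
        wsdl = etc / "wsdl.xml"
        wsdl.write_text('<definitions targetNamespace="urn:Magento" '
                        'xmlns="http://schemas.xmlsoap.org/wsdl/"></definitions>\n', encoding="utf-8")
        (etc / "config.xml").write_text("<config><modules/></config>\n", encoding="utf-8")
        before = [p.relative_to(root).as_posix() for p in find_hardcoded(root)]
        planned = [p.relative_to(root).as_posix() for p in migrate(root, dry_run=True)]
        migrate(root)
        after = [p.relative_to(root).as_posix() for p in find_hardcoded(root)]
        return {"before": before, "planned": planned, "after": after,
                "migrated_text": wsdl.read_text(encoding="utf-8")}


if __name__ == "__main__":
    result = demo()
    print("files needing migration:", result["before"])
    print("files still affected afterwards:", result["after"])
```

On a real project run `migrate(Path("."), dry_run=True)` first from the project root and review the list before writing; pass `replacement='targetNamespace="urn:OpenMage"'` if you prefer the fixed namespace over the template variable.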

Development Environment with DDEV

  • Install ddev

  • Clone the repository as described in installation (Git)

  • Create a ddev config; the defaults should be good for you

    ddev config

  • Open .ddev/config.yaml and change the php version to your needs

  • Download and start the containers

    ddev start

  • Open your site in browser

    ddev launch

Development with PHP 8.1

Deprecation errors are suppressed by default.

If you want to work on PHP 8.1 support, set environment variable DEV_PHP_STRICT to 1, to show all errors.

PhpStorm Factory Helper

This repo includes class maps for the core Magento files in .phpstorm.meta.php. To add class maps for installed extensions, install N98-magerun and run the command:

n98-magerun.phar dev:ide:phpstorm:meta

You can add additional meta files in this directory to cover your own project files. See PhpStorm advanced metadata for more information.

Versioning

Though Magento does not follow Semantic Versioning we aim to provide a workable system for dependency definition.

Public Communication

  • Discord (maintained by Flyingmana)

Maintainers

  • Daniel Fahlke
  • David Robinson
  • Fabrizio Balliano
  • Lee Saferite
  • Mohamed Elidrissi
  • Ng Kiat Siong
  • Sven Reichel
  • Tymoteusz Motylewski

License

  • OSL v3.0
  • AFL v3.0

Contributors ✨

Thanks go to these wonderful people (emoji key):

sv3n

Lee Saferite

Colin Mollenhour

David Robinson

Tymoteusz Motylewski

Daniel Fahlke

SNH_NL

Marc Romano

Fabian Blechschmidt

Luboš Hubáček

Erik Dannenberg

Jeroen Boersma

Leandro F. L.

Kevin Krieger

Ng Kiat Siong

bob2021

Bastien Lamamy

Dmitry Furs

Robert Coleman

Milan Davídek

Matt Davenport

elfling

henrykb

Tony

Mark Lewis

Eric Sean Turner

Eric Seastrand

Tobias Schifftner

Simon Sprankel

Tom Lankhorst

shirtsofholland

sebastianwagner

Maxime Huran

Pepijn

manuperezgo

luigifab

Loek van Gool

kpitn

kalenjordan

IOWEB TECHNOLOGIES

Florent

dvdsndr

Vincent MARMIESSE

Lucas van Staden

zamoroka

wpdevteam

Wouter Samaey

Vova Yatsyuk

Trevor Hartman

Somewhere

Fabian Schmengler

Roman Hutterer

Sergei Filippov

Sam Steele

Ricardo Velhote

Roy Duineveld

Roberto Sarmiento Pérez

Pierre Martin

Rafał Dołgopoł

Rafael Patro

Andreas Pointner

Paul Rodriguez

ollb

Nicholas Graham

Makis Palasis

Miguel Balparda

Mark van der Sanden

Micky Socaci

Marvin Sengera

Kostadin A.

Julien Loizelet

Jonas Hünig

Stefan Jaroschek

Jacques Bodin-Hullin

Wilhelm Ellmann

Edwin.

drago-aca

Daniel Niedergesäß

J Davis

Damien Biasotto

Daniel Corn

Paweł Cieślik

André Herrn

Pablo Benmaman

aterjung

altdovydas

Alisson Júnior

Alex Kirsch

Branden

Pof Magicfingers

Michael Thessel

Jonathan Laliberte

Ivan Chepurnyi

Igor

Elias Kotlyar

Hejty1

Gaelle

Frédéric MARTINEZ

Tobias Faust

AndresInSpace

Francesco Boes

Daniel Bachmann

Damian Luszczymak

Fabrizio Balliano

Jouriy

Digital Pianism

Justin Beaty

ADDISON

Aria Stewart

Dean Williams

Henry Hirsch

kdckrs

Martin René Sørensen

Frank Rochlitzer

AlterWeb

Caprico

David Windell

Dragan Atanasov

Eugene Lamskoy

Ferdinand

Himanshu

Jakub Idziak

Joseph Maxwell

Joshua Dickerson

Kevin Bortnick

Mehdi Chaouch

Mohamed ELIDRISSI

Justin van Elst

Nicholas Graham

Patrick Schnell

Patrick Cronin

Petr Švamberg

Rafael Corrêa Gomes

Ralf Siepker

Sunel Tr

Tom Klingenberg

Toon

WEXO team

Wilfried Wolf

akrzemianowski

andthink

eetzen

lemundo-team

mdlonline

Benjamin MARROT

Tino Mewes

Carsten Brandt

Enéias Ramos de Melo

Scott Moore

Roger Feese

Alexander Gelzer

This project follows the all-contributors specification. Contributions of any kind welcome!

Related news

CVE-2021-41143: Release v19.4.22 · OpenMage/magento-lts

OpenMage LTS is an e-commerce platform. Prior to versions 19.4.22 and 20.0.19, Magento admin users with access to the customer media could execute code on the server. Versions 19.4.22 and 20.0.19 contain a patch for this issue.

GHSA-r3c9-9j5q-pwv4: magento-lts Reset Password not protected against well-timed CSRF

Impact: the password reset form is vulnerable to CSRF between the time the reset password link is clicked and the user submits the new password.

Patches: versions 19.4.22 and 20.0.19 contain patches.

Workarounds: none.

References: https://hackerone.com/reports/1086752
