Download the PHP package wubinworks/module-cosmic-sting-patch without Composer

On this page you can find all versions of the php package wubinworks/module-cosmic-sting-patch. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, you only have to add a single include, require_once('vendor/autoload.php');. After that you import the classes with use statements.

Example:
If you use only one package, a project is not needed. But if you use more than one package, it is not possible to import the classes with use statements without a project.

In general, it is recommended to always use a project to download your libraries, since an application normally needs more than one library.
Some PHP packages are not free to download and are therefore hosted in private repositories. In this case credentials are needed to access such packages. Please use the auth.json textarea to enter credentials if a package comes from a private repository. You can look here for more information.

  • Some hosting environments cannot be reached via a terminal or SSH, which makes it impossible to use Composer there.
  • Using Composer is sometimes complicated, especially for beginners.
  • Composer needs a lot of resources, which a simple web hosting plan does not always provide.
  • If you are using private repositories, you don't need to share your credentials. You can set up everything on our site and then provide a simple download link to your team members.
  • Simplify your Composer build process. Use our own command line tool to download the vendor folder as a binary. This makes your build process faster, and you don't need to expose your credentials for private repositories.

Information about the package module-cosmic-sting-patch

Magento 2 patch for CVE-2024-34102(aka Cosmic Sting)

An alternative way (as an extension) to fix CVE-2024-34102 (an XXE vulnerability), with additional XML security hardening. If you cannot upgrade Magento or cannot apply the official patch, this extension is an alternative solution.

If you don't fix this vulnerability, an attacker can achieve remote code execution (RCE). We've already observed real-world attacks.


CVE-2024-34102 Affected Magento Versions (starting from 2.3)

2.3.0 ~ 2.4.4-p8
2.4.5 ~ 2.4.5-p7
2.4.6 ~ 2.4.6-p5
2.4.7

Background

CVE-2024-34102 (aka Cosmic Sting) was identified as an XXE vulnerability, and the details were published in June 2024. By exploiting this vulnerability, an attacker can read secret and important configuration files on the server.
Typically, the attacker extracts the encryption key from env.php.

In most hacked servers, we observed one or more of the following:

If you want to know exactly how it works, we have very detailed blog posts that examine and fix the vulnerability.
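As an added illustration (not code from the wubinworks extension or from Magento), the following PHP loader shows the kind of hardening an XXE fix applies to untrusted XML: it refuses DTD and entity declarations, which every XXE payload needs in order to point an entity at a local file such as env.php, and parses with network access and entity substitution disabled. The class name, the sample documents and the error messages are this example's own.

```php
<?php
declare(strict_types=1);
// Added example, not code from wubinworks/module-cosmic-sting-patch or Magento:
// a hardened loader for untrusted XML that closes the XXE avenue the CVE abused.
final class SafeXmlLoader
{
    /** @throws InvalidArgumentException when the document carries a DTD or is malformed */
    public static function load(string $xml): SimpleXMLElement
    {
        // API payloads never legitimately carry <!DOCTYPE> or <!ENTITY>; refuse them up front.
        if (preg_match('/<!DOCTYPE|<!ENTITY/i', $xml) === 1) {
            throw new InvalidArgumentException('DTD and entity declarations are not allowed');
        }
        $prevErrors = libxml_use_internal_errors(true);
        if (PHP_VERSION_ID < 80000) {
            // PHP < 8 may still load external entities by default; switch that off.
            $prevLoader = libxml_disable_entity_loader(true);
        }
        try {
            // LIBXML_NONET blocks remote DTD/entity fetches; LIBXML_NOENT is deliberately
            // NOT set, so even an internal entity would not be expanded into the tree.
            $doc = simplexml_load_string($xml, SimpleXMLElement::class, LIBXML_NONET);
            if ($doc === false) {
                $err = libxml_get_last_error();
                throw new InvalidArgumentException(
                    'Malformed XML: ' . ($err ? trim($err->message) : 'parse error')
                );
            }
            return $doc;
        } finally {
            libxml_clear_errors();
            libxml_use_internal_errors($prevErrors);
            if (isset($prevLoader)) {
                libxml_disable_entity_loader($prevLoader);
            }
        }
    }
}
// Constructed demo inputs: a clean document and one that declares an entity,
// which is the shape an XXE payload must take. The entity here is harmless.
$clean   = '<order><id>1001</id></order>';
$withDtd = '<!DOCTYPE x [<!ENTITY e "demo">]><order><id>&e;</id></order>';
echo 'clean order id: ', SafeXmlLoader::load($clean)->id, PHP_EOL;
try {
    SafeXmlLoader::load($withDtd);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Rejecting the DTD before libxml sees the document is what makes the defence robust across PHP and libxml versions; the parser flags are a second layer, not a substitute.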

Secondary Disasters (Very Important)

Fake Admin Token

An attacker can craft a fake admin token using the stolen encryption key. With the fake admin token, the attacker is able to perform admin-level actions such as creating fake orders, modifying CMS blocks to inject malicious JavaScript, and more.

Chained with CVE-2024-2961

XXEs are now RCEs

Because CVE-2024-34102 allows reading arbitrary files on the server, an attacker can combine it with a bug in glibc (CVE-2024-2961) to run any command on the server. In one real case we experienced, multiple backdoors were downloaded and installed.
The glibc bug exists in glibc versions <= 2.39.

Check the glibc version by running

How to fix?

Fix CVE-2024-34102

There are 3 ways available:

Note that you still need to fix the "Secondary Disasters" after completing the step above.

Rotate Encryption Key

This step invalidates crafted fake tokens and completely denies the attacker Web API access.
If you are unsure whether the encryption key has been leaked, do this step.

More Info

Some Magento 2.4 versions have a bug that requires you to apply a patch before performing key rotation.

How to rotate encryption key?

Alternative Encryption Key Rotation Tool

New Magento encryption key format

Fix glibc Bug (Highly Recommended)

Update glibc to >= 2.40 to fix CVE-2024-2961.

Requirements

Magento 2.3
Magento 2.4

Installation

composer require wubinworks/module-cosmic-sting-patch

This extension requires dependencies that are not included in a default Magento installation, so you need to use Composer.

If you like this extension or this extension helped you, please ★star☆ this repository.

You may also like:
Magento 2 patch for CVE-2022-24086, CVE-2022-24087
Magento 2 Disable Customer Change Email Extension
Magento 2 Disable Customer Extension


All versions of module-cosmic-sting-patch with dependencies

Requirements of the package:
  • php >=7.1
  • wubinworks/module-xml-security ^1.0.1
  • magento/magento2-base ~2.3.0 || ~2.4.0
