POC详情: 377ed36b6330176e1e530aff1437df9eff60177f

来源
关联漏洞
标题: Adobe Commerce 代码问题漏洞 (CVE-2024-34102)
描述:Adobe Commerce是美国奥多比(Adobe)公司的一种面向商家和品牌的全球领先的数字商务解决方案。 Adobe Commerce 存在代码问题漏洞,该漏洞源于受到不正确的 XML 外部实体引用 ( XXE ) 限制漏洞的影响,该漏洞可能导致任意代码执行。
描述
A utility for Magento 2 encryption key rotation and management. CVE-2024-34102(aka Cosmic Sting) victims can use it as an aftercare.
介绍
# Magento 2 Encryption Key Manager CLI

**A utility for Magento 2 encryption key rotation and management. CVE-2024-34102(aka Cosmic Sting) victims can use it as an aftercare.**

<a href="https://www.wubinworks.com/encryption-key-manager-cli.html" target="_blank"><img src="https://raw.githubusercontent.com/wubinworks/home/master/images/Wubinworks/EncryptionKeyManagerCli/encrption-key-manager-cli.jpg" alt="Wubinworks Magento 2 Encryption Key Manager CLI" title="Wubinworks Magento 2 Encryption Key Manager CLI" /></a>

## Designed for

 - Development usage
 - Deployment automation
 - CVE-2024-34102(aka Cosmic Sting) aftercare

#### CVE-2024-34102(aka Cosmic Sting)

After applying security patches, you need to perform a key rotation to completely deny the attacker's Admin level WebAPI access.

If you cannot upgrade or apply the official isolated patch, see [Our Patches](#you-may-also-like).

If the official encryption key rotation command `php bin/magento encryption:key:change` is not available, you can use this extension and this extension has more features as a "Key Manager".

## Usage

**This extension offers 3 commands.**

 - Generate new encryption key(for development/scripting purpose)

```
php bin/magento ww:encryption-key-manager:genkey [-f|--format FORMAT]
```
Example:
```
$ php bin/magento ww:encryption-key-manager:genkey
5f81fe506a1025b8ea439fd49c6fa8e3
```

 - List all/newest encryption keys

```
php bin/magento ww:ekm:list [--newest]
```
*Tip: you can use `ekm` shorthand for `encryption-key-manager`.*

Example:
```
$ php bin/magento ww:ekm:list
Encryption key count: 3
39a2f1213e6a942af3cd4f1c2d61528c
fdd862cd41f95e4edaf2636258ce359f
3cd27f0eeae9ffec35681d8aa0faa618
```

 - Encryption key rotation (most important)

```
php bin/magento ww:encryption-key-manager:rotate [-k|--key KEY]
```
*Tip: if `-k|--key` is not provided, a random generated key will be used.*

Example:
```
$ php bin/magento ww:encryption-key-manager:rotate
Encryption key has been rotated successfully.
Encryption keys are stored in `app/etc/env.php`. Caution: do not delete old keys!
```

## New Encryption Key Format

Starting from version 2.4.7, encryption key format is changed from `hex` to `base64`.

New format example(note it has a `base64` prefix):
```
base64bDr+HSz4tZ+cjZA89J5RvbZzCfDKWO1iXgDfmqeZL0c=
```

By default, `php bin/magento ww:encryption-key-manager:genkey` generates a key that is compatible with your **current Magento version**.

But you can force the format(for development purpose)
```
php bin/magento ww:encryption-key-manager:genkey --format base64
php bin/magento ww:encryption-key-manager:genkey --format hex
```

More details of the key generation process are in this [blog post](https://www.wubinworks.com/blog/post/new-encryption-key-format-introduced-on-magento-2.4.7).

## Requirements

**Magento 2.4**

## Installation

**`composer require wubinworks/module-encryption-key-manager-cli`**

## ♥

If you like this extension please star this repository.

## You May Also Like

[Magento 2 patch for CVE-2024-34102(aka Cosmic Sting)](https://github.com/wubinworks/magento2-cosmic-sting-patch)

[Magento 2 JWT Authentication Patch](https://github.com/wubinworks/magento2-jwt-auth-patch)
文件快照
 [4.0K]  /data/pocs/377ed36b6330176e1e530aff1437df9eff60177f
├── [1.3K]  composer.json
├── [4.0K]  Console
│   └── [4.0K]  Command
│       ├── [2.1K]  GenerateKeyCommand.php
│       ├── [2.2K]  ListKeyCommand.php
│       └── [3.6K]  RotateKeyCommand.php
├── [ 239]  COPYING.txt
├── [4.0K]  etc
│   ├── [1.0K]  di.xml
│   └── [ 393]  module.xml
├── [10.0K]  LICENSE.txt
├── [4.0K]  Model
│   └── [4.0K]  Encryption
│       └── [3.3K]  KeyManager.php
├── [3.2K]  README.md
└── [ 261]  registration.php

5 directories, 11 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。