Fixing the Cart2Quote Remote Code Execution


We have noticed that a number of our customers have installed Cart2Quote Quotation Manager, leaving their webshop open to exploitation by attackers. This article helps you update the extension to fix this security issue.

On our Hypernode platform we have blocked this remote code execution exploit by default. This prevents attackers from executing unwanted code in your shop, but it does not fix the bug. If you use this extension, we strongly recommend upgrading to the latest version or applying the patch provided by Cart2Quote.

What is Cart2Quote Quotation Manager?

Cart2Quote is a Magento extension for managing requests for quotes.

What is the security problem and what are the consequences?

A script shipped with this extension does not sanitize its parameters, so an attacker can make it download and execute arbitrary code in your shop. This means your shop could easily be abused: attackers could, for example, add code that sends all credit card information to a third party.

How to proceed when your shop is using this extension

Cart2Quote has fixed the bug and released patches that update the extension to a safe version.
By upgrading to the latest version or applying the patch, your shop is protected against this security issue.

If you don’t know how to update Magento extensions, please ask your Technical contact to help you with the update.

Hypernode protection

We have blocked all requests to the vulnerable endpoints of this extension, so attackers cannot abuse this exploit, by adding an include file at /data/web/nginx/server.qquoteadv.conf on all Hypernodes. Details are in the changelog. This prevents attackers from executing unwanted code in your shop, but it does not fix the bug.

If this block causes issues with other extensions, first upgrade Cart2Quote to the latest version before overriding the block.
After upgrading the extension, you can adjust the server.qquoteadv.conf config file in /data/web/nginx to your needs or remove the file completely.
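As an added illustration (not the file Hypernode actually ships), this is the shape of an nginx include that blocks one route the way server.qquoteadv.conf does. It relies on the Hypernode convention that every /data/web/nginx/server.*.conf file is included inside the nginx server block. The route /qquoteadv/example/ is a placeholder assumed for this example; the real vulnerable endpoints are listed in the changelog, not here.

```nginx
# /data/web/nginx/server.qquoteadv.conf  (illustrative example, not Hypernode's actual file)
#
# Hypernode includes every server.*.conf in /data/web/nginx inside the server {} block,
# so a location defined here applies to the whole shop after nginx reloads.
#
# The route below is a PLACEHOLDER (assumed for this example). Replace it with the
# vulnerable controller path(s) from the Hypernode changelog. Keep the match as narrow
# as possible: blocking the whole /qquoteadv/ prefix would also break the extension's
# legitimate quote features, which is the "issues with other extensions" case above.
location ~* ^/qquoteadv/example/ {
    # A regex location wins over the prefix location that hands requests to Magento,
    # so the request is rejected here and never reaches index.php or any PHP code.
    return 403;
}
```

To confirm the block is active, request the blocked path with curl and check that the response status is 403 rather than 200 or a redirect; once the extension is upgraded, deleting the file (or narrowing the regex) and reloading nginx removes the block again.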

Need help?

Magento is not an easy open source CMS. Although we are very skilled at hosting Magento shops, making them fast and keeping conversion high, we are not Magento developers.
Luckily, we know a lot of agencies that do know a lot about how Magento works.

If you need help, don’t hesitate to contact one of these agencies.
