deployecommerce / module-trojan-order-prevent

A Magento2 extension that prevents billing/shipping addresses being saved via the API with known trojan order strings.

Type: magento2-module. Compatibility: 2.4.7-2.4.9. Code Quality: Warning. Tests: N/A. Security: Pass. License: MIT.

module-trojan-order-prevent

This is a Magento 2 extension that prevents billing/shipping addresses being
saved via the API with known trojan order strings. This is not a fix for
CVE-2022-24086 but an additional layer of protection for merchants.

Although the vulnerability is patched in recent Magento versions, we still see probes for
it, and the resulting orders look rather unsightly to merchants in the Magento orders screen.

This module adds two plugins to the Magento\Quote\Api\BillingAddressManagementInterface
and the Magento\Quote\Model\ShippingAddressManagementInterface to prevent the
saving of addresses with the following strings:

gettemplate
base64_
afterfiltercall
.filter(
[email protected]
.php
this.getTemp
{{var

If any of these is detected in the payload, an exception is thrown and the address is not saved.
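To make the mechanism concrete, here is a before-plugin on Magento\Quote\Api\BillingAddressManagementInterface::assign() that implements the check described above. This is an added illustration, not the module's own code: the namespace, class name, logger injection and log message are assumptions, the indicator list is the one from this README (minus the e-mail entry, which is obscured on this page), and the plugin is assumed to be registered in the module's di.xml as a plugin on that interface. Matching is case-insensitive because the README's list mixes cases (gettemplate versus this.getTemp), and the street lines and custom attributes are scanned alongside the scalar fields, since those are equally reachable through the REST/GraphQL address payload.

```php
<?php
declare(strict_types=1);

namespace Example\TrojanOrderGuard\Plugin; // hypothetical namespace

use Magento\Framework\Exception\LocalizedException;
use Magento\Quote\Api\BillingAddressManagementInterface;
use Magento\Quote\Api\Data\AddressInterface;
use Psr\Log\LoggerInterface;

/**
 * Before-plugin for BillingAddressManagementInterface::assign().
 * Illustrative only; registered via di.xml as a plugin on the interface.
 */
class RejectTrojanBillingAddress
{
    /** Indicator strings taken from the README above (obscured e-mail entry omitted). */
    private const INDICATORS = [
        'gettemplate',
        'base64_',
        'afterfiltercall',
        '.filter(',
        '.php',
        'this.getTemp',
        '{{var',
    ];

    public function __construct(private readonly LoggerInterface $logger)
    {
    }

    /**
     * Runs before assign(); returning null leaves the original arguments untouched.
     *
     * @throws LocalizedException when any address field contains an indicator
     */
    public function beforeAssign(
        BillingAddressManagementInterface $subject,
        $cartId,
        AddressInterface $address,
        $useForShipping = false
    ): ?array {
        $hit = $this->findIndicator($this->collectFields($address));
        if ($hit !== null) {
            [$field, $needle] = $hit;
            // Record field and indicator for detection tuning; do not echo the full payload into logs.
            $this->logger->warning('Rejected quote address: trojan-order indicator found', [
                'cart_id'   => $cartId,
                'field'     => $field,
                'indicator' => $needle,
            ]);
            throw new LocalizedException(__('The address contains invalid data.'));
        }
        return null;
    }

    /** Flatten scalar fields, street lines and custom attributes into name => value. */
    private function collectFields(AddressInterface $address): array
    {
        $fields = [
            'firstname'  => $address->getFirstname(),
            'lastname'   => $address->getLastname(),
            'middlename' => $address->getMiddlename(),
            'company'    => $address->getCompany(),
            'city'       => $address->getCity(),
            'region'     => $address->getRegion(),
            'postcode'   => $address->getPostcode(),
            'telephone'  => $address->getTelephone(),
            'email'      => $address->getEmail(),
            'vat_id'     => $address->getVatId(),
        ];
        foreach ((array) $address->getStreet() as $i => $line) {
            $fields["street.$i"] = $line;
        }
        foreach ((array) $address->getCustomAttributes() as $attribute) {
            $fields['custom.' . $attribute->getAttributeCode()] = $attribute->getValue();
        }
        return $fields;
    }

    /** Case-insensitive substring search; returns [field, indicator] or null when clean. */
    private function findIndicator(array $fields): ?array
    {
        foreach ($fields as $name => $value) {
            if (!is_string($value) || $value === '') {
                continue;
            }
            foreach (self::INDICATORS as $needle) {
                if (stripos($value, $needle) !== false) {
                    return [$name, $needle];
                }
            }
        }
        return null;
    }
}
```

The shipping-side counterpart is the same class shape attached to Magento\Quote\Model\ShippingAddressManagementInterface::assign(), whose signature has no $useForShipping argument. Because this is a denylist of known probe strings, it catches the variants seen in the wild and keeps them out of the orders screen, but it does not replace the vendor patch for CVE-2022-24086; a payload that avoids every listed substring is still only stopped by the patched template filter.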

Installation

composer require deployecommerce/module-trojan-order-prevent
bin/magento mo:e DeployEcommerce_TrojanOrderPrevent

Further Reading

License

This module is licensed under the MIT License. See the LICENSE file for details.

No changelog yet

The vendor hasn't published a changelog. Tagged releases appear in the Versions tab.

Versions
Version  Stability  QA Status   Compatibility         Released
1.0.4    stable     Pass        Magento 2.4.7-2.4.9   2024-08-15 13:27:56
1.0.3    stable     Not tested  Not yet tested        2024-08-15 13:23:53
1.0.2    stable     Not tested  Not yet tested        2024-08-12 11:24:48
1.0.1    stable     Not tested  Not yet tested        2024-08-05 13:41:34
1.0.0    stable     Not tested  Not yet tested        2024-08-02 13:48:47

No dependencies declared

This package's composer.json doesn't declare any required, suggested, replaced, or conflicting packages.

Compatibility

Each Magento release line is installed on its supported PHP versions, then the module is built (DI compilation + static-content deploy) and its unit and integration suites are run. The matrix shows the lines and PHP versions the module is confirmed to install and run on. Code-quality results further down (phpstan, phpcs, …) are reported separately and never affect compatibility.

Compatibility matrix (Magento × PHP)
Magento PHP 8.2 PHP 8.3 PHP 8.4 PHP 8.5
2.4.7 Pass Pass
2.4.8 Pass Pass
2.4.9 Pass Pass

Code Quality

Advisory checks against the module's source. Static analysis runs once across the whole module; PHPStan re-runs per Magento + PHP version because resolvable symbols differ between releases. These NEVER affect the Compatibility badge — a phpcs finding can't make a module incompatible.

Static analysis

Coding standards (phpcs), mess detection (phpmd), copy-pasted code (cpd), PHP cross-version compatibility, composer.json validity. Each runs once for the whole module.

Static analysis results
Tool               Status   Findings  Summary
PHPCS              Warning  1         1 warning (ruleset: Magento2), 1 auto-fixable with phpcbf
PHPMD              Warning  2         2 rule violations (UnusedFormalParameter: 2)
Cpd                Pass     0
Composer validate  Pass     0

PHPStan

Type-checks the module's PHP against a real Magento install at the configured gate level. Re-runs per Magento and PHP version because resolvable symbols differ between releases.

PHPStan results by Magento and PHP version
Magento PHP 8.2 PHP 8.3 PHP 8.4 PHP 8.5
2.4.7 Pass Pass
2.4.8 Pass Pass
2.4.9 Pass Pass

Tests

Unit and integration suites, run for each applicable Magento and PHP version. A test failure speaks to the module's behaviour, not its compatibility with a Magento line, so it is reported here separately and never reddens the compatibility matrix.

Unit tests

Unit tests results by Magento and PHP version
Magento PHP 8.2 PHP 8.3 PHP 8.4 PHP 8.5
2.4.7 N/A N/A
2.4.8 N/A N/A
2.4.9 N/A N/A

Integration tests

Integration tests results by Magento and PHP version
Magento PHP 8.2 PHP 8.3 PHP 8.4 PHP 8.5
2.4.7 N/A N/A
2.4.8 N/A N/A
2.4.9 N/A N/A

Security

Security checks run directly against the module: an audit of its declared dependencies for known vulnerabilities (composer audit) and a scan of its source for malware and web-shell signatures. Each runs once. A malware detection fails the version outright.

Security results
Tool            Status  Findings  Summary
Composer audit  Pass    0
Malware scan    Pass    0

License

MIT

Authors

Make it pay

Turn an existing module into recurring revenue.

If you already maintain a Magento 2 module on GitHub or GitLab, listing it on Packagento takes about five minutes. We mirror your tags, handle distribution signing, and route paid licenses through Stripe Connect, so you can keep shipping the way you already do.