README

This module disables the file upload functionality for customer address attributes in Magento 2. This file upload is by default open to every user and can open up your system to security vulnerabilities.

The SessionReaper attacks exploit this endpoint to upload malicious files to your server and then execute them. While the remote code execution vulnerability has been patched, the upload endpoint was kept open and remains a security risk.

Install this module to disable the upload endpoint and secure your Magento installation.

Installation

1. Install the module via composer

   composer require basecom/magento2-disable-customer-address-file-upload

2. Enable the module

   bin/magento module:enable Basecom_DisableCustomerAddressFileUpload
   bin/magento setup:upgrade

Security

If you discover any security related issues, please email magento@basecom.de instead of using the issue tracker.

License

Licensed under the MIT license.

Copyright

basecom GmbH & Co. KG