This module disables the file upload functionality for customer address attributes in Magento 2. This file upload is by default open to every user and can open up your system to security vulnerabilities.
The SessionReaper attacks exploit this endpoint to upload malicious files to your server and then execute them. While the remote code execution vulnerability has been patched, the upload endpoint was kept open and remains a security risk.
Install this module to disable the upload endpoint and secure your Magento installation.
-
Install the module via composer
composer require basecom/magento2-disable-customer-address-file-upload -
Enable the module
bin/magento module:enable Basecom_DisableCustomerAddressFileUpload bin/magento setup:upgrade
If you discover any security related issues, please email magento@basecom.de instead of using the issue tracker.
Licensed under the MIT license.
basecom GmbH & Co. KG