CVE-2023-41879: 
PHP vulnerability analysis and mitigation

CVE-2023-41879 affects Magento LTS (OpenMage), specifically versions <=19.5.0 and versions 20.0.0 through 20.1.0. The vulnerability allows guest orders to be viewed without authentication using a "guest-view" cookie containing the order's "protect_code". The vulnerability was discovered and reported by Frank Rochlitzer to security@openmage.org and has been patched in versions 19.5.1 and 20.1.1 (GitHub Advisory).

The vulnerability stems from insufficient entropy in the protectcode generation. The code consists of 6 hexadecimal characters, providing only 24 bits of entropy, which is insufficient to prevent brute-force attacks. The protectcode is stored in a Base64 encoded cookie named "guest-view" along with the order number. Order numbers are assigned incrementally, making it easier to determine the range of possible values (GitHub Advisory). The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability allows attackers to access sensitive order information including billing address, shipping address, payment details, and ordered items for guest orders. In testing, 1,000 requests could be made within 36 seconds, with a complete search of the number space taking approximately 7 days. The expected time to successfully breach an order is about 3.5 days (GitHub Advisory).

The vulnerability has been patched in versions 19.5.1 and 20.1.1. For unpatched systems, implementing rate-limiting at the web server level can help mitigate the issue. It is recommended to implement strict rate limiting (e.g., 1 request per minute per IP) specifically for the sales/guest/view/ route (GitHub Advisory).