A popular version of the open source Magento ecommerce platform is vulnerable to a zero-day remote code execution vulnerability, putting as many as 200,000 online retailers at risk. The warning comes from security firm DefenseCode, which found and originally reported the vulnerability to Magento in November.

“During the security audit of Magento Community Edition, a high risk vulnerability was discovered that could lead to remote code execution and thus the complete system compromise including the database containing sensitive customer information such as stored credit card numbers and other payment information,” DefenseCode wrote in a technical description of its discovery (PDF) posted Wednesday.

According to Bosko Stankovic, information security engineer at DefenseCode, the vulnerability remains unpatched despite repeated efforts to notify Magento, which began in November 2016, and despite four version updates since the disclosure. Affected versions of the Magento Community Edition software include v. 2.1.6 and below. DefenseCode did not examine Magento Enterprise, the commercial version of the platform, but warns both share the same underlying vulnerable code.

“We’re unsure if this vulnerability is actively being exploited in the wild, but since the vulnerability has been unpatched for so long it provides a window of opportunity for potential hackers,” Stankovic said.

Magento confirmed the existence of the flaw in a brief statement to Threatpost and said it was investigating.

“We have been actively investigating the root cause of the reported issue and are not aware of any attacks in the wild. We will be addressing the issue in our next patch release and continue to consistently work to improve our assurance processes,” Magento said in a statement.

The remote code execution (RCE) vulnerability is tied to the default feature in Magento Community Edition that allows administrators to add Vimeo video content to product descriptions.

“When adding Vimeo video content to a new or existing product, the application will automatically retrieve a preview image for the video via POST request taking a remote image URL parameter. The request method can be changed to GET, so the request can be sent,” the advisory states.

If the URL points to an invalid image (a PHP file, for example), the application will respond with an error. However, the file will be downloaded regardless, DefenseCode states. “The application saves the file to validate the image, but will not remove it if the validation fails,” the researchers said.

Image file information is parsed and saved to a directory, which can create conditions ripe for an RCE using a PHP script. “To achieve a Remote Code Execution, two files should be downloaded. One is an .htaccess file that will enable PHP execution in the download directory, the other is a PHP script to be executed,” researchers said.

A likely scenario exploiting this vulnerability includes an attacker targeting a Magento admin panel user (no matter how low their privileges are). The attacker could entice the administrator to visit a URL that triggers a cross-site request forgery attack. If successful, the .htaccess file and the PHP script together can create conditions allowing an attacker to execute remote code on the targeted install of Magento Community Edition.

Next, an adversary can formulate several attack strategies that quickly lead to executing system commands, interacting with the database, or taking over the whole database along with stored credit card numbers and other payment information, or installing malware on the server.

Until Magento addresses the vulnerability, DefenseCode recommends enforcing the use of “Add Secret Key to URLs” within Magento, which mitigates the CSRF attack vector, the researchers said.
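As an added illustration (not DefenseCode's or Magento's code) of the two defects the advisory describes, the save-then-validate pattern that never cleans up and the state-changing request accepted without a method or anti-CSRF check, here is a minimal Python model of a preview-image handler with a hardened version beside it. The function names, the constructed sample bytes and the form-key parameters are assumptions, and the actual URL fetch is left out so the code runs offline.

```python
import hmac
import os
import tempfile

# Magic-byte prefixes of the image types a preview fetcher should accept.
IMAGE_SIGNATURES = {b"\xff\xd8\xff": ".jpg", b"\x89PNG\r\n\x1a\n": ".png",
                    b"GIF87a": ".gif", b"GIF89a": ".gif"}
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8   # constructed: signature-only PNG
SAMPLE_NOT_IMAGE = b"not an image at all"         # constructed: invalid "image"

def sniff_image(data: bytes):
    # Return the extension for a recognised image signature, else None.
    for magic, ext in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None

def save_preview_vulnerable(data: bytes, remote_name: str, dest_dir: str) -> bool:
    """Advisory's pattern: save under the remote name, validate after, never clean up."""
    with open(os.path.join(dest_dir, remote_name), "wb") as f:
        f.write(data)
    return sniff_image(data) is not None   # False, yet the file stays on disk

def save_preview_hardened(data: bytes, dest_dir: str, method: str,
                          form_key: str, expected_key: str):
    """Return the saved path, or None when the request or the content is rejected."""
    # 1. POST only, with a valid anti-CSRF form key ("Add Secret Key to URLs").
    if method != "POST" or not hmac.compare_digest(form_key, expected_key):
        return None
    # 2. Validate in memory before anything touches the filesystem.
    ext = sniff_image(data)
    if ext is None:
        return None
    # 3. Server-chosen name and sniffed extension: .htaccess or *.php never lands.
    fd, path = tempfile.mkstemp(prefix="preview_", suffix=ext, dir=dest_dir)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

def demo():
    # Run both handlers on the constructed inputs; report what each left on disk.
    with tempfile.TemporaryDirectory() as d:
        vuln_ok = save_preview_vulnerable(SAMPLE_NOT_IMAGE, "preview.dat", d)
        vuln_left = os.listdir(d)
    with tempfile.TemporaryDirectory() as d:
        rejected = [save_preview_hardened(SAMPLE_NOT_IMAGE, d, "POST", "k1", "k1"),
                    save_preview_hardened(SAMPLE_PNG, d, "GET", "k1", "k1"),
                    save_preview_hardened(SAMPLE_PNG, d, "POST", "k2", "k1")]
        rejected_left = os.listdir(d)
        good = save_preview_hardened(SAMPLE_PNG, d, "POST", "k1", "k1")
        good_ext = os.path.splitext(good)[1] if good else None
    return vuln_ok, vuln_left, rejected, rejected_left, good_ext
```

The vulnerable handler reports failure but leaves `preview.dat` behind; the hardened one leaves nothing for any rejected request and only ever writes a server-named file with an extension matching the sniffed type.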


Comments (3)

  1. Fred

    With all these Extensions sell by literally anybody on Magento Connect, Magento is always at risk. This ecosystem is one big flaw as a whole if you ask me.

  2. Mike

    Just got this email from Magento

    SECURITY ANNOUNCEMENT

    Issue Will Be Addressed in Next Release

    Yesterday, Threatpost reported a story about a remote code execution vulnerability with Magento 2 Enterprise and Community software. 

    Magento is committed to delivering superior security to clients and has been actively investigating the root cause of the reported issue. We are not aware of any attacks in the wild. Admin access is required to execute the exploit, so as always, we encourage you to follow best practices to keep your Admin secure. 

    In addition, this vulnerability will be addressed in our next release targeted for early May. Until then, we recommend enforcing the use of “Add Secret Key to URLs” to mitigate potential attacks. To turn on this feature: 

    1. Logon to Merchant Site Admin URL (e.g., your domain.com/admin)
    2. Click on Stores > Configuration > ADVANCED > Admin > Security > Add Secret Key to URLs
    3. Select YES from the dropdown options
    4. Click on Save Config

    For more information about the issue, you can go to Threatpost and DefenseCode. We will provide additional information about the security update as we get closer to the release date. 

    If you have questions, please feel free to reach out to us at security@magento.com. In addition, please visit the Magento Security Center to stay up-to-date on best practices, security releases, and potential vulnerabilities.  

    Best regards, 
    The Magento Security Team

  3. Mark Newby

    Worth pointing out that this vulnerability only affects Magento 2.x which is in use by at most 8000 stores (source: BuiltWith) of which I estimate a lot are development / test sites. Never good to have a vulnerability in software, but it doesn’t affect the 200,000 stores claimed by this article.
