Remote Code Execution Hole Patched in Magento eCommerce Platform

A nasty remote code execution vulnerability was recently patched in Magento, eBay’s eCommerce platform

A nasty remote code execution vulnerability was recently patched in eBay’s eCommerce platform Magento. The hole, disclosed Monday, could put upwards to 200,000 company’s web stores, and their customers’ information at risk of being compromised.

If exploited, researchers claim the vulnerability could expose customers’ credit card information, along with other “financial and personal data.”

The vulnerability, dug up by Netanel Rubin, a member of Check Point Software Technologies’ Malware & Vulnerability Research Group, was patched back in February and stems from a chain of several different vulnerabilities.

When pieced together, the vulnerabilities could enable an attacker to execute PHP code on the store’s web server and bypass the platform’s security mechanisms. An attacker could also gift themselves administrative access to the system, according to Rubin in a blog post today. As the issues are present in Magento’s core itself and not isolated to a specific plugin or theme, any companies running old, default versions of either the Community or Enterprise editions of the platform should be considered vulnerable until their platform has been patched.

“The vulnerability we uncovered represents a significant threat not to just one store, but to all of the retail brands that use the Magento platform for their online stores,” Shahar Tal, Check Point’s Malware and Vulnerability Research Manager, said via press release Monday.

When reached by email Monday Tal pointed out that even if credit card information on Magento-run webstores was encrypted, attackers could access the keys, which are naturally available to the platform.

“The credit cards [attackers] would find are for people who decided to store their credit card for future purchases,” Tal said.

“We must remember that an attacker could have simply modified the application code at one point in time to duplicate card numbers and silently send them off to the attacker. This extremely simple (and very hard to detect) scheme could have resulted in a continuous stream of valid credit card numbers.”

While Tal couldn’t say for certain that all shops running Magento were vulnerable, or specify exactly how many were affected, he said to the best of his understanding nearly all stores were affected prior to Check Point’s disclosure today.

Check Point brought the issue to eBay’s attention along with a handful of other vulnerabilities over the winter and a fix – SUPEE-5344 – was pushed on February 9. Tal claims that after patching the issue Magento pushed a special note to all of its users urging them to upgrade ASAP. The company also added a critical notification to Magento dashboards last week that admins see upon login.

The California-based IT firm plans on releasing a detailed description of the chained vulnerabilities later this week, but Tal hints that Rubin was able to use an auth bypass, SQL injection, and a Remote File Inclusion vulnerability – which he converted to Local File Inclusion vulnerability, using a different vulnerability – to lead to PHP code execution.

Last year Rubin and Check Point uncovered a flaw in the Perl programming language that allowed privilege escalation and could ultimately be used to break into Mozilla’s Bugzilla tracking system and gain access to undisclosed bugs.

Purchased by eBay in 2011, Magento-run web stores comprise about 30 percent of the eCommerce market. Larger companies like Nike, the camera manufacturer Olympus, craft brewing pioneers Sierra Nevada, and the electronics company Vizio, use the platform to handle their eCommerce, although it’s not clear if any of their web stores were at any point vulnerable.

Suggested articles