A zero-day in a popular plugin for the Magento ecommerce platform is under attack.
Attackers are using a few IP addresses to scan for vulnerable versions of Magmi, which is an open source database client that imports data into Magento.
“We’ve seen a couple hundred requests for this specific attack coming from two or three IP addresses. They’re doing scans and automating attacks for the most part,” said Karl Sigler, threat intelligence manager at Trustwave. “There could be more at this point since these automated attacks are hitting our honeypots hard. There has to be some measure of success.”
The previously unreported vulnerability is a directory traversal that allows an attacker to read a local XML file in Magento that contains all credentials for the platform, as well as encryption keys. The typical download configuration puts the plugin and Magento in the same directory; this is the only configuration that is vulnerable, Trustwave said.
“It’s a simple best practice of not installing the plugin in the same root directory as Magento itself,” Sigler said. “Securing the directory or the XML file would mitigate these exploits.”
Magento has begun informing its users via email of the situation, and urging them to password-protect access to the directory, or set up an access control list so that the directory cannot be read directly.
Since the vulnerability is in Magmi, which is maintained by Sebastien Bracquemont, a software architect in France, Magento’s mitigations are the most effective for now. Trustwave’s Sigler said several attempts to contact Bracquemont have failed.
The kicker is that Magmi is available in two open source repositories, Sourceforge and Github. The version available on Sourceforge contains the zero-day and is the first result when performing a Google search for Magmi. It has not been updated for almost a year, and yet has been downloaded more than 500 times in October already. Meanwhile the repository on Github is up to date and the file in question has been removed.
“[The owner] was probably using Sourceforge at one point, migrated to Github and then didn’t keep them in sync,” Sigler said. “They’re not synced, however; it’s two different versions. In the good version, it looks like they accidentally fixed it because the download_file.php has been taken out of Github completely. Either they knew it was vulnerable, or it’s just not part of the project any more and not necessary.”
Trustwave describes the attack in detail on its site. In the past few weeks, its researchers spotted attack code that attempts to read the credentials file by traversing out of the plugin’s directory:
GET /…sanitized…/magmi-importer/web/download_file.php?file=../../app/etc/local.xml HTTP/1.1
“[The attack] is a single GET request; it’s brain-dead easy, which is why it looks like they’re automating the attack,” Sigler said. “There are no fingers behind keyboards. It’s probably just a simple script, scanning for the vulnerability and blasting it out there.”
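Because the attack is a single, easily recognized GET request, it is also easy to spot in web server logs. The following is an added example for this article, not Trustwave’s or Magmi’s own code: it parses combined-format access log lines, flags requests to download_file.php whose file parameter climbs out of the script’s directory (including percent-encoded and double-encoded variants), records whether the server actually served the file or the directory restriction held, and counts attempts per source IP. The log lines, addresses and timestamps are constructed for the example.

```python
"""Detect Magmi download_file.php path-traversal requests in access logs.

Added example, not Trustwave's or Magmi's code. Log lines are constructed and
use RFC 5737 documentation addresses rather than real hosts.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache/nginx "combined" log format.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Oct/2015:08:14:22 +0000] "GET /shop/magmi-importer/web/download_file.php?file=../../app/etc/local.xml HTTP/1.1" 200 4123 "-" "python-requests/2.7.0"
203.0.113.10 - - [12/Oct/2015:08:14:23 +0000] "GET /shop/magmi-importer/web/download_file.php?file=..%2F..%2Fapp%2Fetc%2Flocal.xml HTTP/1.1" 403 199 "-" "python-requests/2.7.0"
198.51.100.7 - - [12/Oct/2015:09:02:01 +0000] "GET /shop/magmi-importer/web/download_file.php?file=export_2015.csv HTTP/1.1" 200 88231 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Oct/2015:09:05:44 +0000] "GET /shop/index.php/admin/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def escapes_directory(value):
    """True if a `file` value resolves outside the download directory: it is
    absolute, or a '..' segment climbs above the depth reached so far."""
    value = value.replace("\\", "/")
    if value.startswith("/"):
        return True
    depth = 0
    for segment in value.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def is_magmi_traversal(target):
    """True if the request target is download_file.php with a traversing `file`
    parameter. parse_qs decodes percent-encoding once; the extra unquote also
    catches double-encoded variants such as ..%252F..%252F."""
    parts = urlsplit(target)
    if not parts.path.endswith("/download_file.php"):
        return False
    values = parse_qs(parts.query, keep_blank_values=True).get("file", [])
    return any(escapes_directory(unquote(v)) for v in values)


def find_traversal_attempts(log_text):
    """Return one record per matching line, noting whether the server served
    the file (2xx) or the directory restriction held (e.g. 401/403)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if is_magmi_traversal(target):
            status = int(m.group("status"))
            hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                         "target": target, "status": status,
                         "served": 200 <= status < 300})
    return hits


def summarize_by_source(hits):
    """Count attempts per source IP; a few very busy sources is the
    automated-scanner pattern Trustwave describes."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = find_traversal_attempts(SAMPLE_LOG)
    for h in found:
        state = "SERVED" if h["served"] else "blocked"
        print(f'{h["ip"]} {h["time"]} {state} {h["target"]}')
    print(dict(summarize_by_source(found)))
```

A flagged line with a 2xx status means the web server handed over the file, i.e. the plugin directory is not password-protected or access-controlled as Magento advises; a 401 or 403 on the same request is the mitigation working. Run over real logs, the per-source counts separate a scanner hammering many paths from a single accidental hit.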
Fortunately, Sigler said, most Magento users take heed of the advice in the software’s installation guide, which recommends securing access to this file, limiting the breadth of the attack.