
Unpatched Critical Vulnerability in Magento

Popular CMSs are always under attack. To keep your online business secure, you should be aware of high-risk web vulnerabilities, and today it is crucial to know how to mitigate the ones that could hurt your revenue.

Real life example

In April 2017 a security researcher from DefenseCode discovered a vulnerability in Magento that can lead to complete system compromise, including the database holding sensitive customer information such as stored credit card numbers. More than 100,000 online businesses use Magento, and the vulnerability is still not fixed today.

A user with sufficient privileges can attach a video to a new or existing product in the store. The application then automatically retrieves a preview image for the video via a POST request that takes a remote image URL parameter, without properly validating it. An attacker can therefore plant a simple HTML link in an email, a forum post or a bulletin board which, if the victim is currently logged into Magento, causes an arbitrary file to be uploaded on that user's behalf. For example, the CSRF link may be nothing more than an <img src="..." /> tag distributed through social engineering or spear phishing. The uncontrolled file upload gives the attacker an opportunity to create a remote shell on the vulnerable Magento server.
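The two flaws described above, the missing CSRF check and the unvalidated remote image URL, are easiest to see side by side. The following is an added example written for this post, not Magento's code: the "unvalidated" function shows the dangerous pattern of deriving the stored file name from the remote URL, and the hardened function shows the checks a preview-fetch endpoint should make before writing anything into the media directory. The function names, the token parameters and the image sample are all assumptions; the file body is passed in as bytes so the example runs offline.

```python
"""Vulnerable vs. hardened handling of a 'fetch remote preview image' request.

Added example, not Magento's own code. Parameter names, the media directory
and the sample image bytes are constructed for illustration.
"""
import hmac
import os
import secrets
from urllib.parse import urlparse

ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}
NORMALISE = {".jpeg": ".jpg"}
# Leading bytes of the image formats the preview endpoint is allowed to store.
MAGIC = {
    b"\xff\xd8\xff": ".jpg",
    b"\x89PNG\r\n\x1a\n": ".png",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}


class UploadRejected(Exception):
    """Raised when a remote image fails validation."""


def unvalidated_target_path(remote_url, media_dir):
    """The flawed pattern: the stored name (and so its extension) comes straight
    from the attacker-controlled URL, so any file type can land in media_dir."""
    name = os.path.basename(urlparse(remote_url).path)
    return os.path.join(media_dir, name)


def sniff_image_type(body):
    """Return the extension implied by the file's magic bytes, or None."""
    for magic, ext in MAGIC.items():
        if body.startswith(magic):
            return ext
    return None


def hardened_target_path(remote_url, body, media_dir, form_token, session_token):
    """Validate the request and the fetched bytes; return a safe path to write to."""
    # 1. CSRF: the form must carry the per-session token (constant-time compare).
    if not (form_token and hmac.compare_digest(form_token, session_token)):
        raise UploadRejected("missing or invalid CSRF token")
    # 2. Only http(s) URLs with a host are fetched.
    parsed = urlparse(remote_url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise UploadRejected("unsupported URL")
    # 3. Extension allowlist on the remote path.
    ext = os.path.splitext(parsed.path)[1].lower()
    if ext not in ALLOWED_EXT:
        raise UploadRejected(f"extension {ext!r} not allowed")
    # 4. The content must really be an image, and agree with the extension.
    sniffed = sniff_image_type(body)
    if sniffed is None:
        raise UploadRejected("body is not a recognised image")
    if sniffed != NORMALISE.get(ext, ext):
        raise UploadRejected("extension does not match content")
    # 5. Never reuse the remote name: server-chosen random name, sniffed extension.
    name = secrets.token_hex(16) + sniffed
    return os.path.join(media_dir, name)


def check_upload(remote_url, body, media_dir, form_token, session_token):
    """Convenience wrapper: (True, path) on success, (False, reason) on rejection."""
    try:
        return True, hardened_target_path(remote_url, body, media_dir, form_token, session_token)
    except UploadRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed PNG-like sample
    print(unvalidated_target_path("http://203.0.113.9/picture.php", "media"))
    print(check_upload("https://cdn.example/thumb.png", png, "media", "tok", "tok"))
    print(check_upload("https://cdn.example/picture.php", png, "media", "tok", "tok"))
```

The last step matters as much as the allowlist: because the stored name is generated by the server and the extension is taken from the sniffed content rather than from the URL, a request with a double extension or a mismatched content type can never produce an executable file name in the media tree.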

How to protect my site?

To prevent remote code execution through arbitrary file upload in this case, the server should be configured to restrict such actions using directives in the .htaccess files of the affected directories. For example, you can use the following Apache configuration as a workaround:

<Directory "/var/www/html/pub/media">
    # ignore any .htaccess that lands in the upload tree
    AllowOverride None
</Directory>

To stay aware of such problems in future, it is better to detect 0-day vulnerabilities of this kind with anomaly detection algorithms and heuristic rules, and to reveal attackers' attempts to use the shell they uploaded. For instance, RST Cloud can detect both stages.

RST Cloud detects a shell upload
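The second stage, an attacker calling a script that was dropped into the media directory, leaves a clear trace in the web server's access log. The following is an added example written for this post, not RST Cloud's detection logic: a small heuristic that parses Apache combined-format log lines and flags any request for a script-like or otherwise unexpected file type under an upload directory, scoring client IPs that actually got a 200 response. The log lines are constructed, and the Magento media path prefixes are an assumption about the deployment layout.

```python
"""Heuristic detection of a web shell being used from an upload directory.

Added example for this post, not RST Cloud's code. The log lines are
constructed and the upload-directory prefixes are an assumed layout.
"""
import re
from collections import defaultdict

# Directories that should only ever serve static uploads (assumed Magento layout).
UPLOAD_DIR_PREFIXES = ("/pub/media/", "/media/")
# File types the web server must never execute from an upload directory.
SCRIPT_EXTS = (".php", ".phtml", ".phar", ".php5", ".php7")
# File types we expect to see served from there.
STATIC_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".svg", ".webp", ".css", ".js", ".ico")

# Apache combined log format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one client reaches a live script, another gets a 404.
SAMPLE_LOG = """\
203.0.113.7 - - [25/May/2017:10:01:02 +0000] "GET /pub/media/catalog/product/cache/a1/ring.jpg HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [25/May/2017:10:01:31 +0000] "GET /pub/media/tmp/catalog/product/preview.php HTTP/1.1" 200 87 "-" "Mozilla/5.0"
198.51.100.4 - - [25/May/2017:10:02:00 +0000] "GET /pub/media/catalog/product/cache/a1/ring.jpg HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.4 - - [25/May/2017:10:02:03 +0000] "GET /pub/media/tmp/catalog/product/preview.php HTTP/1.1" 404 250 "-" "curl/7.52"
"""


def classify(entry):
    """Return alert tags for one parsed request; an empty list means benign."""
    path = entry["target"].split("?", 1)[0].lower()
    if not path.startswith(UPLOAD_DIR_PREFIXES):
        return []
    tags = []
    if path.endswith(SCRIPT_EXTS):
        tags.append("script_in_upload_dir")
        if entry["status"] == "200":
            # The server handed the script back successfully: treat as a live shell.
            tags.append("script_served_ok")
    elif not path.endswith(STATIC_EXTS):
        tags.append("unexpected_extension")
    return tags


def scan(log_text):
    """Parse every line; return (ip, target, tags) for each request that raised an alert."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line, skip rather than crash the scan
        entry = m.groupdict()
        tags = classify(entry)
        if tags:
            alerts.append((entry["ip"], entry["target"], tags))
    return alerts


def suspicious_sources(log_text):
    """Score client IPs: 2 points for reaching a live script, 1 for any other alert."""
    score = defaultdict(int)
    for ip, _target, tags in scan(log_text):
        score[ip] += 2 if "script_served_ok" in tags else 1
    return dict(score)


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
    print(suspicious_sources(SAMPLE_LOG))
```

The 404 from the second client still produces an alert: a request for a script name under the media tree is itself an anomaly worth reviewing, even when nothing was served, because it may indicate a probe for a shell that has since been removed or one that is uploaded on another host.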

It is not unusual for the latest version of the software to remain unpatched even though the vulnerability was disclosed several months earlier. It is therefore critical to understand the current security level of your site and to make sure it is sufficiently protected.

Posted on May 25, 2017 by Yury Sergeev