A couple of weeks ago, we were performing a security scan for a customer using Magento shop. While auditing their website our team found a critical vulnerability in Affiliate Plus module. According to Affiliate Plus’ website, 7000+ stores use the extension. This Affiliate Plus Magento module XSS vulnerability leaves a number of Magento stores vulnerable.
About Affiliate Plus Magento Module XSS
- When logged into your store Magento as an Affiliate, go to ‘My Program Section’
- In the ‘Program Name’ column add the following JS code:
<script>alert(/XSS_Vulnerability/)</script>
- Click on the ‘search’ button
- A pop-up suggesting execution of javascript code appears
- In addition, even SQL queries are also given out by the application exposing SQL Errors and database structure
Consequences
XSS, being one of the most widely found and exploited vulnerability does come with some critical consequences. In the case of reflected XSS, the consequences are often targeted at a particular customer. However, attacks can be performed aimed to steal admin data and more. There include:
- Compromise of end user data/account information
- Stealing of admin details via targeted attacks
- Exposure to internal directory structure of the web app
Timeline
Affiliate Plus team was very quick in understanding the issue and quickly work on fixing it. They worked proactively in deploying the necessary fixes and releasing an updated version of the module with the patch. Kudos to the team!