Recently a severe 0-day Magento vulnerability was disclosed by the DefenceCode team in an advisory. If your installation is affected, attackers are capable of remotely executing arbitrary code on it.

As of now the vulnerability has been confirmed only for the Magento Community edition, because the researcher did not test the Enterprise edition. But since both editions share the same code base, there is a high chance that both are vulnerable, and the vulnerability leads to complete system compromise. That compromise extends to the databases holding sensitive user credit card information.

Vulnerability Description

This remote code execution is chained with a CSRF to attack your website, and it stems from a design flaw in Magento.
Bosko Stankovic explains that “When adding Vimeo video content to a new or existing product the application will automatically retrieve a preview image for the video via POST request taking a remote image URL parameter. The request method can be changed to GET”. As a result, if the image URL points to something that is not a valid image, say a PHP file, the application throws an error, but the downloaded file is nevertheless not deleted from the server.
 
Hence the file stays on the server, which makes it feasible for attackers to eventually run arbitrary code in your application.
As the researchers clearly point out, the attacker still needs the server to download two more files for this: a .htaccess file and the PHP script that is to be executed.
 
The worst fact about this vulnerability is that you do not need high privileges to exploit it. As stated by the DefenceCode team, “any Magento administrative panel user, regardless of assigned roles and permissions can access the remote image retrieval functionality. Therefore, gaining a low privileged access can enable the attacker to compromise the whole system or at very least, the database (e.g. Traversing to /app/etc/env.php to grab the database password).”

Solution for 0-day Magento vulnerability

As of now the vendor has not said much about this 0-day Magento vulnerability, but since Magento is committed to security we expect it to be patched in an upcoming release. In the meantime the researcher who discovered the vulnerability has suggested a fix: enforce the “Add Secret Key to URLs” setting. This eliminates the CSRF and so breaks the backbone of the vulnerability by removing one of its attack vectors.
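To make the two defensive points above concrete, here is an added illustration written for this post; it is not code from the advisory, from DefenceCode, or from Magento itself. It models the two controls in plain Python: a per-session secret key that every state-changing request must carry (the idea behind the “Add Secret Key to URLs” setting), and a preview-image store routine that only keeps a downloaded file if it really is an image and deletes it otherwise, so an invalid “image” never stays on the server. The route string, the session secret, the allowed image signatures and all function names are assumptions made for the example, not Magento’s real routes or APIs.

```python
import hashlib
import hmac
import os
import secrets
import tempfile
from typing import Optional

# Constructed allow-list of image magic bytes -> extension. The remote
# file name is never trusted; the server decides the extension itself.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}

# Placeholder route name for the preview-image action (not Magento's real route).
PREVIEW_ROUTE = "video/preview"


def make_secret_key(session_secret: bytes, route: str) -> str:
    """Derive a per-session, per-route secret key to embed in admin URLs.
    A cross-site page cannot read the victim's session secret, so it
    cannot forge this value (hypothetical implementation of the idea)."""
    return hmac.new(session_secret, route.encode(), hashlib.sha256).hexdigest()


def request_allowed(method: str, route: str,
                    presented_key: Optional[str], session_secret: bytes) -> bool:
    """A state-changing action must be a POST and must carry the correct key.
    Rejecting GET outright closes the 'change the method to GET' trick."""
    if method.upper() != "POST":
        return False
    if presented_key is None:
        return False
    expected = make_secret_key(session_secret, route)
    return hmac.compare_digest(expected, presented_key)


def sniff_image_extension(data: bytes) -> Optional[str]:
    """Return an extension if the bytes start with a known image signature."""
    for signature, ext in IMAGE_SIGNATURES.items():
        if data.startswith(signature):
            return ext
    return None


def store_preview_image(data: bytes, media_dir: str) -> Optional[str]:
    """Write the downloaded bytes, validate them, and either move the file
    to its final name or delete it. On any failure nothing is left behind."""
    fd, tmp_path = tempfile.mkstemp(dir=media_dir, prefix="preview-", suffix=".tmp")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        ext = sniff_image_extension(data)
        if ext is None:
            raise ValueError("downloaded content is not an image")
        final_path = os.path.join(media_dir, secrets.token_hex(8) + ext)
        os.replace(tmp_path, final_path)
        return final_path
    except Exception:
        # The invalid file is removed instead of staying on disk.
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        return None


def handle_preview_request(method: str, presented_key: Optional[str],
                           session_secret: bytes, downloaded: bytes,
                           media_dir: str) -> str:
    """Tie both checks together the way a request handler would."""
    if not request_allowed(method, PREVIEW_ROUTE, presented_key, session_secret):
        return "rejected: missing or invalid secret key"
    stored = store_preview_image(downloaded, media_dir)
    if stored is None:
        return "rejected: not an image (nothing stored)"
    return "stored: " + os.path.basename(stored)


if __name__ == "__main__":
    session_secret = secrets.token_bytes(32)
    key = make_secret_key(session_secret, PREVIEW_ROUTE)
    media = tempfile.mkdtemp()
    # Constructed sample payloads: a PHP file pretending to be an image, and a PNG header.
    print(handle_preview_request("GET", key, session_secret, b"<?php echo 1;", media))
    print(handle_preview_request("POST", key, session_secret, b"<?php echo 1;", media))
    print(handle_preview_request("POST", key, session_secret, b"\x89PNG\r\n\x1a\n" + b"\0" * 16, media))
```

The order of the two checks matters: the secret key is verified before anything is downloaded or written, so a forged request never reaches the file system at all, and the content check is what keeps a non-image from surviving even when the request itself was legitimate.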
For any other query feel free to contact us. 


About The Author

Shubham Agarwal

A Linux user who crashes his machine more than using it. Passionate about cyber security and digger of good food. Expect faster replies on Stack Overflow than Facebook.
