Magento Amasty RMA Plugin

About Amasty RMA Extension Vulnerabilities

During a security audit engagement for a client running Magento, our engineers discovered a few critical vulnerabilities in the Amasty RMA extension. The first allows an attacker to upload arbitrary files to the server. Because PHP files are accepted as well, an attacker can upload a web shell such as c99, r57 or anishell; if no additional controls are in place (for example, PHP execution disabled in the upload directory), exploiting this hands over the entire server. A second vulnerability, which we could reproduce on only a few websites using RMA, allows an attacker to download files from any directory on the server. With some knowledge of the web application's layout, an attacker can retrieve sensitive files this way.

Details of the Vulnerability

  • Malicious File Upload: the upload area accepts files without checking what they are, so it can be abused to place malicious files on the server. During testing we were able to upload a PHP shell. See the picture below:
    (Image: Magento RMA Extension Vulnerability fileupload)
  • Directory Traversal / file download: when the request shown in the picture below is made, a file on the server can be downloaded. Files such as .htaccess, which exist on almost every server, are easy to guess and download. Our client, who was on Magento 1.9, was vulnerable to this, but we were not able to reproduce it on other versions.
    (Image: Magento RMA Extension Vulnerability directory traversal)

Consequences of Magento RMA Vulnerabilities

  • Possible compromise of the complete server
  • Download of server files by attackers
  • Targeted attacks on end users and admins using the retrieved information

Timeline

Vulnerability Found by Astra Team - 24/05/2017
Reported to Amasty RMA Team - 25/05/2017
Worked on the Fix - 26/05/2017 to 30/05/2017
Updated Version Released - 30/05/2017

The Amasty team was very quick to fix the vulnerability. We received a prompt reply from Kirill, product manager of the RMA plug-in, and the patch was released within a few days.

About The Author

Shikhil plays on the line between security and marketing. When not thinking about how to make Astra super simple, Shikhil can be found enjoying alternative rock or a game of football.
