According to Bosko Stankovic, information security engineer at DefenseCode, the vulnerability remains unpatched through four version updates, despite repeated efforts to notify Magento that began in November 2016. Affected versions of the Magento Community Edition software include v. 2.1.6 and below. DefenseCode did not examine Magento Enterprise, the commercial version of the platform, but warns that both share the same underlying vulnerable code.
“We’re unsure if this vulnerability is actively being exploited in the wild, but since the vulnerability has been unpatched for so long it provides a window of opportunity for potential hackers,” Stankovic said.
Magento confirmed the existence of the flaw in a brief statement to Threatpost and said it was investigating.
“We have been actively investigating the root cause of the reported issue and are not aware of any attacks in the wild. We will be addressing the issue in our next patch release and continue to consistently work to improve our assurance processes,” Magento said in a statement.
The remote code execution (RCE) vulnerability is tied to a default feature in Magento Community Edition that allows administrators to add Vimeo video content to product descriptions.
“When adding Vimeo video content to a new or existing product, the application will automatically retrieve a preview image for the video via POST request taking a remote image URL parameter. The request method can be changed to GET, so the request can be sent,” the advisory states.
If the URL points to an invalid image (a PHP file, for example), the application responds with an error. However, the file is downloaded regardless, DefenseCode states. “The application saves the file to validate the image, but will not remove it if the validation fails,” the researchers said.
Image file information is parsed and saved to a directory, which creates conditions ripe for RCE using a PHP script. “To achieve a Remote Code Execution, two files should be downloaded. One is an .htaccess file that will enable PHP execution in the download directory, the other is a PHP script to be executed,” the researchers said.
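The two defects described above, a failed download that is never deleted and a download directory in which attacker-named files land, map onto a simple defensive pattern: fetch to a temporary file, validate the bytes, delete on failure, and store only under a server-chosen name and extension. The following is an added illustration of that pattern, not Magento's or DefenseCode's code; the function name, `$downloadDir`, and the assumption that the caller has already checked an anti-CSRF token are hypothetical.

```php
<?php
// Added example (not Magento code): hardened "fetch remote preview image" step.
// Assumes $downloadDir is outside the web root and that the request carrying
// $url has already been checked for a valid anti-CSRF token.

function fetchRemotePreviewImage(string $url, string $downloadDir): ?string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;                      // refuse file://, php://, data:, etc.
    }

    // Fetch into a temp file first; nothing is written to $downloadDir yet.
    $tmp  = tempnam(sys_get_temp_dir(), 'preview_');
    $body = @file_get_contents($url, false, stream_context_create([
        'http' => ['timeout' => 5, 'follow_location' => 0],
    ]));
    if ($body === false || file_put_contents($tmp, $body) === false) {
        @unlink($tmp);
        return null;
    }

    // Validate the bytes, not the URL or any user-supplied extension.
    $allowed = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];
    $info    = @getimagesize($tmp);
    if ($info === false || !isset($allowed[$info[2]])) {
        @unlink($tmp);                    // never keep a download that failed validation
        return null;
    }

    // Server-chosen name and extension: ".htaccess" or "x.php" can never be stored.
    $dest = rtrim($downloadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $allowed[$info[2]];
    if (!rename($tmp, $dest)) {
        @unlink($tmp);
        return null;
    }
    return $dest;
}
```

Keeping the download directory outside the web root (or serving it with PHP execution disabled) means that even a file which passes `getimagesize` but carries embedded PHP is never interpreted by the server.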
A likely exploitation scenario has an attacker targeting a Magento admin panel user, no matter how low that user's privileges are. The attacker could entice the administrator to visit a URL that triggers a cross-site request forgery attack. If successful, the .htaccess file and the PHP script together create conditions allowing the attacker to execute code remotely on the targeted install of Magento Community Edition.
From there, an adversary can pursue several attack strategies that quickly lead to executing system commands, interacting with the database or taking it over entirely along with stored credit card numbers and other payment information, or installing malware on the server.
Until Magento addresses the vulnerability, DefenseCode recommends enforcing the “Add Secret Key to URLs” setting within Magento, which mitigates the CSRF attack vector.