SecurityTracker.com

SecurityTracker
Archives


 






Category:   Application (Commerce)  >   Magento
Vendors:   eBay, Varien
Magento Bugs Let Remote Authenticated Administrators Upload Arbitrary Files and Remote Users Conduct Cross-Site Request Forgery Attacks
SecurityTracker Alert ID:  1038261
SecurityTracker URL:  http://securitytracker.com/id/1038261
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  Apr 15 2017
Original Entry Date:  Apr 14 2017
Impact:   Modification of user information
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): CE 2.1.6 and prior
Description:   Two vulnerabilities were reported in Magento. A remote user can conduct cross-site request forgery attacks. A remote authenticated user can upload files to the target system.

A remote authenticated administrative user can exploit a flaw in 'RetrieveImage.php' to upload arbitrary files to the target system.

A remote user can create a specially crafted HTML page or URL that, when loaded by the target authenticated user, will take actions on the target interface acting as the target user.

The two vulnerabilities can be combined to execute arbitrary PHP code on the target system.

The original advisory and demonstration exploit code are available at:

http://www.defensecode.com/advisories/DC-2017-04-003_Magento_Arbitrary_File_Upload.pdf

DefenseCode L.L.C. reported these vulnerabilities.

Impact:   A remote user can take actions on the target system acting as the target authenticated user.

A remote authenticated administrative user can upload files to the target system.

The two vulnerabilities can be combined to execute arbitrary PHP code on the target system.

Solution:   No solution was available at the time of this entry.

The vendor plans to issue a fix in early May 2017.

As a workaround, the vendor recommends using the "Add Secret Key to URLs" function.
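
Why a per-session key carried in the URL, the idea behind the "Add Secret Key to URLs" workaround, stops the forged request described above: an added sketch, not Magento's or DefenseCode's code. The HMAC construction, the `/key/<hex>/` URL layout and the route names are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import secrets

# Assumed URL layout for this sketch: the key is the last path segment.
KEY_SEGMENT = re.compile(r"/key/([0-9a-f]{64})/?$")


def url_key(session_secret: bytes, route: str) -> str:
    """Key bound to both the admin session and the route it authorises."""
    return hmac.new(session_secret, route.strip("/").encode(),
                    hashlib.sha256).hexdigest()


def add_key(route: str, session_secret: bytes) -> str:
    """Build the link the back end renders for a logged-in administrator."""
    route = "/" + route.strip("/")
    return f"{route}/key/{url_key(session_secret, route)}/"


def check_request(path: str, session_secret: bytes) -> bool:
    """Accept an admin request only if its URL key matches this session and route."""
    match = KEY_SEGMENT.search(path)
    if match is None:
        return False  # cross-site request built without knowledge of the key
    route = path[: match.start()]
    expected = url_key(session_secret, route)
    return hmac.compare_digest(expected, match.group(1))  # constant-time compare


def demo() -> dict:
    admin = secrets.token_bytes(32)   # target administrator's session secret
    other = secrets.token_bytes(32)   # secret belonging to a different session
    upload = "/admin/media/upload"    # constructed route, not a Magento path
    index = "/admin/dashboard/index"  # constructed route, not a Magento path
    return {
        "legitimate": check_request(add_key(upload, admin), admin),
        "no_key": check_request(upload + "/", admin),
        "other_session": check_request(add_key(upload, other), admin),
        "other_route": check_request(
            upload + "/key/" + url_key(admin, index) + "/", admin),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:14} accepted={accepted}")
```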

Vendor URL:  magento.com/
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any)

Message History:   None.


 Source Message Contents

Date:  Wed, 12 Apr 2017 22:32:13 +0200
Subject:  DefenseCode Security Advisory: Magento 0day Arbitrary File Upload Vulnerability (Remote Code Execution, CSRF)

 
               DefenseCode Security Advisory
    Magento 0day Arbitrary File Upload Vulnerability
              (Remote Code Execution, CSRF)


Advisory ID: DC-2017-04-003
Software: Magento CE
Software Language: PHP
Version: 2.1.6 and below
Vendor Status: Vendor contacted / Not fixed
Release Date: 20170413
Risk: High


# Advisory Overview

During the security audit of Magento Community Edition, a highly popular
e-commerce platform, a high risk vulnerability was discovered that could
lead to remote code execution and thus the complete system compromise
including the database containing sensitive customer information such as
stored credit card numbers and other payment information.
The vulnerability is based around an arbitrary file upload combined with
a cross-site request forgery (CSRF) vulnerability as a main attack vector.


Full advisory URL:

http://www.defensecode.com/advisories/DC-2017-04-003_Magento_Arbitrary_File_Upload.pdf


# About DefenseCode

DefenseCode L.L.C. delivers products and services designed to analyze
and test web, desktop and mobile applications for security vulnerabilities.

DefenseCode ThunderScan is a SAST (Static Application Security Testing,
WhiteBox Testing) solution for performing extensive security audits of
application source code.

ThunderScan performs fast and accurate analyses of large and complex
source code projects delivering precise results and low false positive
rate.

DefenseCode WebScanner is a DAST (Dynamic Application Security Testing,
BlackBox Testing) solution for comprehensive security audits of active
web applications.

WebScanner will test a website's security by carrying out a large number
of attacks using the most advanced techniques, just as a real attacker
would.

Subscribe for free software trial on our website
http://www.defensecode.com/

E-mail: defensecode[at]defensecode.com

Website: http://www.defensecode.com/
Twitter: https://twitter.com/DefenseCode/


 
 



Copyright 2017, SecurityGlobal.net LLC