Security researchers are warning of a high-risk vulnerability in Magento Community Edition, another reminder of systemic risk in our digital economy, which is built upon software and applications that need continuous monitoring.

The Magento vulnerability could allow attackers to execute arbitrary code to access sensitive customer data, including credit card information and other payment data. Magento e-Commerce software is used by 200,000 online retailers.

Researchers at DefenseCode reported the vulnerability to Magento in November 2016, but Magento did not respond to the disclosure, even after a second attempt last week, DefenseCode said. The researchers said the attack vector is a cross-site request forgery (CSRF) vulnerability, an OWASP Top 10 application risk.

The researchers only tested the open source Community Edition, but Magento’s enterprise products use the same underlying code, DefenseCode said. Magento said it would correct the issue in its next patch release. If you’re a Magento customer, you should mitigate the vulnerability with workarounds until a patch is available.

Here is information about the Magento vulnerability, mitigations, and best practices for securing your open source and third-party applications.

The vulnerability

According to DefenseCode, the vulnerability exists in code that retrieves images using a POST request. If the request method is changed to GET, the application still downloads the file in order to validate it as an image, but it does not remove the file when that validation fails. “This behavior allows for a remote code execution using a PHP script, as well as stored Cross-Site Scripting and/or malware hosting,” DefenseCode reported.

Attack vectors

The lack of a form_key parameter, which serves as a CSRF token, leaves the request open to CSRF attacks. To exploit the vulnerability, an attacker would need a logged-in Magento administrative panel user to open a CSRF link, which can be achieved through social engineering or via public links. Full administrative access is not required to exploit the vulnerability.

Mitigations

Magento users are advised to enforce use of “Add Secret Key to URLs” to mitigate the CSRF attack vector. To prevent the arbitrary file upload from turning into remote code execution, configure the web server to disallow .htaccess files.
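To make the two defects described above concrete, here is an added example of how a hardened image-fetch handler would look in PHP (Magento's language). This is illustrative code written for this post, not Magento's own code or DefenseCode's advisory; the function names, the use of form_key as the session-bound CSRF token, and the temporary-directory demo inputs are assumptions. It refuses any method other than POST, requires a matching form_key, validates the fetched bytes by content rather than by filename, and unlinks the temporary file on every failure path, which is exactly the cleanup the vulnerable code skipped.

```php
<?php
// Added example (not Magento code). Demonstrates the defensive pattern for a
// state-changing "fetch and validate an image" endpoint:
//   1. only POST may do work (a GET can be triggered by a plain link or <img>);
//   2. a per-session CSRF token (here named form_key) must match exactly;
//   3. the fetched file is validated as an image by content, not extension;
//   4. the temporary file is removed whenever validation fails.
// $expected is assumed to come from the admin session; it is passed in explicitly
// so the functions can be exercised without a web server.

function csrf_request_is_valid(string $method, array $post, string $expected): bool
{
    // Refuse GET (and everything but POST) before looking at any parameter.
    if ($method !== 'POST') {
        return false;
    }
    $given = $post['form_key'] ?? '';
    // hash_equals() compares in constant time, avoiding a timing side channel.
    return is_string($given) && $given !== '' && hash_equals($expected, $given);
}

function looks_like_image(string $path): bool
{
    // Inspect the bytes; a ".jpg" name proves nothing about the content.
    $info = @getimagesize($path);
    if ($info === false) {
        return false;
    }
    return in_array($info[2], [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF], true);
}

/**
 * Write $bytes to a temporary file in $dir, validate it as an image and move it to
 * a server-chosen name. Returns the final path, or null on failure. Every failure
 * path unlinks the temporary file so nothing hostile is left in a served directory.
 */
function store_validated_image(string $bytes, string $dir): ?string
{
    $tmp = tempnam($dir, 'img_');
    if ($tmp === false) {
        return null;
    }
    if (file_put_contents($tmp, $bytes) === false) {
        @unlink($tmp);
        return null;
    }
    if (!looks_like_image($tmp)) {
        unlink($tmp); // the cleanup the vulnerable code path omitted
        return null;
    }
    // The final name is generated server-side: no attacker-controlled extension.
    $final = $dir . '/' . bin2hex(random_bytes(8)) . '.img';
    if (!rename($tmp, $final)) {
        unlink($tmp);
        return null;
    }
    return $final;
}

// Demonstration with constructed inputs (no network access needed).
$token = bin2hex(random_bytes(16)); // would normally live in the admin session

// A GET must be refused even if it somehow carries the right token.
var_dump(csrf_request_is_valid('GET', ['form_key' => $token], $token));
// A POST without the token, or with a stale one, must also be refused.
var_dump(csrf_request_is_valid('POST', [], $token));
var_dump(csrf_request_is_valid('POST', ['form_key' => 'stale'], $token));
// Only a POST carrying the current token passes.
var_dump(csrf_request_is_valid('POST', ['form_key' => $token], $token));

// A constructed 1x1 transparent GIF is accepted; arbitrary text is rejected and
// no file remains in the directory afterwards.
$validGif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
$notImage = 'this is not an image';
$dir = sys_get_temp_dir();
$stored = store_validated_image($validGif, $dir);
var_dump($stored !== null && is_file($stored));
var_dump(store_validated_image($notImage, $dir));
if ($stored !== null) {
    unlink($stored); // tidy up the demo artifact
}
```

The second mitigation on the page, refusing .htaccess files, is a web-server setting rather than application code: on Apache it corresponds to `AllowOverride None` in the `<Directory>` block covering the upload location, so that a dropped .htaccess cannot re-enable script execution there.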

Prevention and protection

Weaknesses in web applications leave organizations vulnerable to attack, and application-layer attacks were the leading cause of data breaches in 2016, according to Verizon. You need a prevent-and-protect strategy that secures applications across the software lifecycle, from development to production.

To prevent cross-site request forgery and other application-layer attacks, organizations should use web application scanning solutions to discover vulnerable websites and open source components. Secure applications during development with both static and dynamic testing, and with software composition analysis to identify vulnerable components. Finally, stop attacks against production applications with run-time application protection.

Contact us to learn more about securing your web applications.

About John Zorabedian

John Zorabedian is a blogger and copywriter at Veracode. He has a background in marketing and journalism, writing about IT security, technology, business, politics and culture. He lives and works in the Boston area.

Comments (4)

John | April 20, 2017 9:24 am

It's DefenseCode not DefenseOne. Check the advisory.

Leon Juranic | April 20, 2017 9:27 am

Name of the company that discovered this vulnerability isn't DefenseOne, but DefenseCode - http://www.defensecode.com/

Neil | April 20, 2017 10:35 am

^Thanks for the correction guys.

Fayyaz Khattak | April 21, 2017 3:47 am

With any Magento store, security issues are always present. New vulnerabilities are always discovered and can be taken advantage of if you do not apply the latest patches or update your Magento. Whenever a Magento store is compromised, one of the primary concerns is to determine the hack.

The best practices are to keep your Magento and its extension versions up to date, use unique usernames and passwords, create a custom admin login path, and use an SSL certificate, etc.

I have also written an article that sheds light on the many ways through which you can recover your hacked Magento store and some great tips to keep your store secure in future. Please have a look:

https://www.cloudways.com/blog/recover-hacked-magento-store/
