Magento Zero-Day Leaves 200,000 Online Retailers Vulnerable to Attack

Security researchers are warning of ahigh-risk vulnerability in Magento Community Edition, another reminder of systemic risk in our digital economy, which is built upon software and applications that need continuous monitoring.

The Magento vulnerability could allow attackers to execute arbitrary code to access sensitive customer data, including credit card information and other payment data. Magento e-Commerce software is used by 200,000 online retailers.

Researchers at DefenseCode reported the vulnerability to Magento in November 2016, but Magento did not respond to the disclosure after a second attempt last week, DefenseCode said. The researchers said the attack vector is a cross-site request forgery (CSRF) vulnerability, an OWASP Top 10 application risk.

The researchers only tested the open source Community Edition, but Magento’s enterprise products use the same underlying code, DefenseCode said. Magento said it would correct the issue in its next patch release. If you’re a Magento customer, you should mitigate the vulnerability with workarounds until a patch is available.

Here is information about the Magento vulnerability, mitigations, and best practices for securing your open source and third-party applications.

The vulnerability

According to DefenseCode, the vulnerability exists in code that retrieves images using a POST request. Changing the request method to GET, the application will download a file to validate the image, but will not remove a file if the validation fails. “This behavior allows for a remote code execution using a PHP script, as well as stored Cross-Site Scripting and/or malware hosting,” DefenseCode reported.

Attack vectors

The lack of a form_key parameter, which serves as a CSRF token, enables an attacker to use CSRF attacks. To exploit the vulnerability, attackers would need a logged in Magento administrative panel user to open a CSRF link, which can be achieved using social engineering or via public links. Full administrative access is not required to exploit the vulnerability.

Mitigations

Magento users are advised to enforce use of “Add Secret Key to URLs” to mitigate the CSRF attack vector. To prevent an arbitrary file upload RCE, configure the server to disallow .htaccess files.

Prevention and protection

Weaknesses in web applications leave organizations vulnerable to attack, and application-layer attacks were the leading cause of data breaches in 2016, according to Verizon. You need a prevent-and-protect strategy that secures applications across the software lifecycle, from development to production.

To prevent cross-site request forgery and other application–layer attacks, organizations should use web application scanning solutions to discover vulnerable websites and open source components. Secure applications during development with both static and dynamic testing, and software composition analysis to identify vulnerable components. Finally, stop attacks against production applications with run-time application protection.

Contact us to learn more about securing your web applications.