net3design Posted May 21, 2013 Report Posted May 21, 2013 SEC Consult Vulnerability Lab Security Advisory < 20120712-0 >======================================================================= title: Local file disclosure via XXE injection product: Magento eCommerce Platform Enterprise & Community Edition vulnerable version: Magento eCommerce Platform Enterprise Edition <= v1.12.0.1 Magento eCommerce Platform Community Edition <= v1.7.0.1 fixed version: Magento eCommerce Platform Enterprise Edition <= v1.12.0.2 Magento eCommerce Platform Community Edition <= v1.7.0.2 impact: Critical homepage: Ecommerce Software & Ecommerce Platform Solutions | Magento found: 2012-06-18 by: K. Gudinavicius SEC Consult Vulnerability Lab https://www.sec-consult.com=======================================================================Vendor description:-------------------"Magento eCommerce Platforms provide the scalability, flexibility and featuresfor business growth. Magento provides feature-rich eCommerce platforms thatoffer merchants complete flexibility and control over the presentation,content, and functionality of their online channel."Source: Online Shopping Cart Software | MagentoVulnerability overview/description:-----------------------------------Magento eCommerce platform uses a vulnerable version of Zend framework whichis prone to XML eXternal Entity Injection attacks. The SimpleXMLElement classof Zend framework (SimpleXML PHP extension) is used in an insecure way toparse XML data. External entities can be specified by adding a specificDOCTYPE element to XML-RPC requests. By exploiting this vulnerability anapplication may be coerced to open arbitrary files and/or TCP connections.Proof of concept:-----------------Magento uses a vulnerable Zend_XmlRpc_Server() class (Zend\XmlRpc\Server.php)to handle XML-RPC requests. Hence it is possible to disclose arbitrary localfiles from the remote system. The following HTTP POST request to thevulnerable XmlRpc server application illustrates the exploitation of thisvulnerability:POST /index.php/api/xmlrpc HTTP/1.1Host: $host<?xml version="1.0"?> <!DOCTYPE foo [ <!ELEMENT methodName ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" >]><methodCall> <methodName>&xxe;</methodName></methodCall>Vulnerable / tested versions:-----------------------------Magento eCommerce Platform Enterprise Edition v1.10.1.1Magento eCommerce Platform Community Edition v1.7.0.0 & v1.7.0.1Earlier versions are probably affected too!Vendor contact timeline:------------------------2012-06-18: Contacting vendor through the contact form on the webpage as no email addresses or security contacts are to be found Magento - Contact Us - eCommerce Software for Growth2012-06-20: No reply so far, hence trying again by choosing a different contact reason.2012-06-21: Creating a bug tracking entry, asking for security contact Magento - Report a Bug - eCommerce Software for Growth.2012-06-21: Vendor reply: security@magento.com should be used.2012-06-22: Sending advisory draft.2012-06-22: Vendor reply: Testing workaround for customers to disable XMLRPC functionality, patch in progress; vendor will improve website to provide a clearer, more direct method for researchers.2012-06-25: Asking for affected versions and release timeline.2012-06-26: Informing Magento about Zend framework advisory.2012-06-27: Vendor: sending more information to SEC Consult soon.2012-07-04: Asking vendor about status.2012-07-05: Vendor releases new versions and patches.2012-07-12: SEC Consult releases detailed advisory.Solution:---------Magento Community Edition* 1.7.0.0+ - Upgrade to the latest version, currently v1.7.0.2: Open Source Ecommerce Software & Solutions | Magento* 1.4.0.0 - 1.4.1.1 - Apply the patch http://www.magentocommerce.com/downloads/assets/1.7.0.2/CE_1.4.0.0-1.4.1.1.patch* 1.4.2.0 - Apply the patch http://www.magentocommerce.com/downloads/assets/1.7.0.2/CE_1.4.2.0.patch* 1.5.0.0 - 1.7.0.1 - Apply the patch http://www.magentocommerce.com/downloads/assets/1.7.0.2/CE_1.5.0.0-1.7.0.1.patchMagento Enterprise Edition* 1.12.0.0+ - Upgrade to the latest version, currently v1.12.0.2: https://www.magentocommerce.com/products/customer/account/index/* 1.8.0.0 – 1.11.X.X - Apply the Zend Security Upgrades patch https://www.magentocommerce.com/products/customer/account/index/Magento Professional Edition* All versions - Apply the Zend Security Upgrades patch https://www.magentocommerce.com/products/customer/account/index/More information can be found at:Magento - Blog - Update: Zend Framework Vulnerability Security Update - eCommerce Software for GrowthWorkaround:-----------Detailed steps can be found at:Magento - Blog - Update: Zend Framework Vulnerability Security Update - eCommerce Software for Growth Quote