Recently, a zero-day vulnerability was disclosed in Magmi, a very popular plugin for the e-commerce platform Magento, and attackers are already exploiting it.
Magento is a professional open-source e-commerce system. Its design is very flexible: it has a modular architecture and a rich feature set, and it integrates easily with third-party applications. The system is aimed at enterprise-class deployments, can be adapted to a wide range of requirements, and can be used to build e-commerce websites of many kinds, with shopping, shipping, product reviews and more. It makes full use of its open-source nature and also provides a well-standardised code library for development.
Magmi is an open-source data import tool for the Magento platform. Users can use Magmi to import large amounts of product data into the Magento system directory, and the tool also provides a flexible plugin model that business users can extend. Researchers investigating this incident found that the attacker used a number of different IP addresses to scan for vulnerable Magmi versions.
Karl Sigler, threat intelligence manager at Trustwave, said: "During our research into the attack, we found that several hundred access requests came from two to three different IP addresses. This means these attackers are scanning and also attacking automatically. The impact of this kind of attack may exceed our forecasts, because these automated attacks have already severely damaged our honeypot system."
Trustwave's researchers said that, before this, the Magento platform also had a directory traversal vulnerability. It allows an attacker to reach local XML files on the Magento platform, and those XML files contain all of the platform's credentials, certificates and encryption keys; however, information about this vulnerability has not been released.
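To make the traversal mechanism concrete from the defender's side, here is an added Python example (not Magmi's or Magento's code) that contrasts a download handler which joins a user-supplied file name onto its directory without any check against one that confines the result to that directory. The install layout, the directory names and the function names are assumptions made for the example; the request parameter values are the shape of request the article quotes.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Hypothetical layout, constructed for this example: the importer lives in
# magmi-importer/ directly under the Magento root, so "../../app/etc/local.xml"
# relative to its web/ directory resolves to Magento's own local.xml.
MAGENTO_ROOT = "/var/www/magento"
WEB_DIR = MAGENTO_ROOT + "/magmi-importer/web"


def naive_resolve(file_param: str, base_dir: str = WEB_DIR) -> str:
    """The unsafe pattern: the file parameter is joined onto the base directory
    with no confinement check, so '..' segments walk out of it."""
    return posixpath.normpath(posixpath.join(base_dir, unquote(file_param)))


def safe_resolve(file_param: str, base_dir: str = WEB_DIR) -> Optional[str]:
    """Return the path to serve, or None if the request escapes base_dir.

    Decoding happens before normalisation so an encoded '%2e%2e/' cannot slip
    past, and the decision is made on the final normalised path rather than by
    searching the raw input for the literal string '..'."""
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, unquote(file_param)))
    # An absolute file parameter replaces base inside join(); commonpath
    # catches that case as well as '..' escapes. Serving base itself is refused.
    if candidate == base or posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for p in ("export.csv", "../../app/etc/local.xml",
              "%2e%2e/%2e%2e/app/etc/local.xml", "/etc/passwd"):
        print(f"{p!r:40} naive={naive_resolve(p)!r}")
        print(f"{'':40} safe ={safe_resolve(p)!r}")
```

The point of the comparison is that the confinement check is applied to the resolved path, which is what the file system will actually open, so encoding tricks and absolute paths fall out of the same test instead of needing a growing blacklist.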
Sigler said: "Currently, the best security practice is not to install this plugin in the Magento root directory. That makes the system directory and the XML file more secure, and it is also the simplest way to reduce the security risk."
Magento has already begun e-mailing platform users to inform them of the current situation, and is urging them to enable password protection on the system directory or to create an access control list, so that the system directory cannot be read directly by mistake.
Sebastien Bracquemont is a French software developer who develops and maintains the Magmi plugin. Given the current situation, the mitigation guidance Magento has provided is currently one of the most effective mitigation measures. Trustwave's Sigler said they have tried to contact Bracquemont through a variety of channels, but have not been able to reach him.
Users can obtain Magmi from two open-source code repositories, SourceForge and GitHub. The SourceForge version of Magmi contains the zero-day vulnerability, and it appears as the first result when you search Google for Magmi. Magmi on SourceForge has not been updated for more than a year, yet in October the plugin was downloaded more than 500 times. Meanwhile, the GitHub repository holds the latest version of Magmi, and the file responsible for the issue has been removed from it.
Sigler said: "The plugin's developer probably does not use SourceForge often. After migrating the project to GitHub, the SourceForge code library was no longer updated in sync, which has simply led to the two repositories holding different versions."
In the past few weeks, the company's researchers found attack code related to this campaign; it tries to search the system directory for passwords. Trustwave has now published more information about the attacks on its official website.
GET /...sanitized.../magmi-importer/web/download_file.php?file=../../app/etc/local.xml HTTP/1.1
Sigler said: "The attack is carried out with a simple GET request; the entire attack process is so simple that it looks like an automated attack. We analysed the system logs and found no signs of injected code, so it is likely that the attacker is using a simple script and scanning the file system for the vulnerability with it."
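Because the request above is a plain GET, it leaves a clear trace in ordinary web server access logs, which is where Sigler says the analysis was done. The following added Python example (not Trustwave's or Magento's tooling) parses a few constructed Apache combined-format log lines, flags any request whose query string carries a '..' path segment after percent-decoding, notes whether it targeted a download_file.php path, and counts attempts per client address so that the "a few addresses, many requests" scanning pattern stands out. The log lines, addresses, timestamps and user agents are invented for the example; it generalises the article's single request to any query parameter and to encoded and double-encoded variants.

```python
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access log (Apache combined format). Addresses are from
# documentation ranges and timestamps are invented; the first three requests
# mirror the kind of GET the article quotes, the last two are normal traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Oct/2015:10:01:02 +0000] "GET /magmi-importer/web/download_file.php?file=../../app/etc/local.xml HTTP/1.1" 200 4321 "-" "python-requests/2.7.0"
203.0.113.10 - - [20/Oct/2015:10:01:03 +0000] "GET /magmi/web/download_file.php?file=../../app/etc/local.xml HTTP/1.1" 404 210 "-" "python-requests/2.7.0"
198.51.100.7 - - [20/Oct/2015:10:02:15 +0000] "GET /magmi-importer/web/download_file.php?file=..%2F..%2Fapp%2Fetc%2Flocal.xml HTTP/1.1" 200 4321 "-" "curl/7.43.0"
192.0.2.55 - - [20/Oct/2015:10:03:40 +0000] "GET /magmi-importer/web/download_file.php?file=export.csv HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
192.0.2.55 - - [20/Oct/2015:10:04:01 +0000] "GET /index.php/checkout/cart/ HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

# Client address, timestamp, method, request target and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def has_traversal(target: str) -> bool:
    """True if any query value, after percent-decoding, contains a '..' segment."""
    query = urlsplit(target).query
    for values in parse_qs(query, keep_blank_values=True).values():
        for value in values:
            # parse_qs decodes once; decode again to catch double-encoded '%252e'.
            segments = unquote(value).replace("\\", "/").split("/")
            if ".." in segments:
                return True
    return False


def find_traversal_attempts(log_text: str) -> List[Dict[str, object]]:
    """Parse each line and keep the requests whose query carries a traversal."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not has_traversal(m.group("target")):
            continue
        path = urlsplit(m.group("target")).path
        hits.append({
            "ip": m.group("ip"),
            "path": path,
            "status": int(m.group("status")),
            # A 200 here means the server handed the requested file back.
            "magmi_download": path.endswith("/download_file.php"),
        })
    return hits


def attempts_per_source(hits: List[Dict[str, object]]) -> Counter:
    """Count attempts by client address: a handful of addresses issuing many
    requests is the automated scanning pattern described in the article."""
    return Counter(str(h["ip"]) for h in hits)


if __name__ == "__main__":
    found = find_traversal_attempts(SAMPLE_LOG)
    for h in found:
        outcome = "SERVED" if h["status"] == 200 else "not served"
        print(f'{h["ip"]:15} {h["path"]:45} {outcome}')
    print(attempts_per_source(found))
```

Checking the decoded value for a '..' segment, rather than grepping the raw line, is what lets the same rule catch the plain, encoded and double-encoded forms; the status code then tells you which attempts actually received a file and so need a credential rotation rather than only a block.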
Sigler said the plugin's installation process gives users instructions for securing access to its files. Fortunately, most Magento users carefully follow the software installation wizard.
This article was translated by 360 Security Broadcast. When reproducing it, please state "reprinted from 360 Security Report" and attach the link.
Original link: <https://threatpost.com/zero-day-in-magento-plugin-magmi-under-attack/115026/>