Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Magento Backups Cross Site Request Forgery

🗓️ 06 Mar 2018 00:00:00Reported by DefenseCodeType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 81 Views

Magento Backups CSRF vulnerability in versions prior to 1.9.3.8, 1.14.3.8, 2.0.18, 2.1.12, 2.2.

Code
`DefenseCode Security Advisory  
Magento Backups Cross-Site Request Forgery  
  
  
Advisory ID: DC-2018-03-001  
Advisory Title: Magento Backups Cross-Site Request Forgery  
Advisory URL: http://www.defensecode.com/advisories.php  
Software: Magento  
Version: Magento Open Source prior to 1.9.3.8,  
Magento Commerce prior to 1.14.3.8,  
Magento 2.0 prior to 2.0.18, Magento 2.1 prior  
to 2.1.12, Magento 2.2 prior to 2.2.3  
Vendor Status: Vendor contacted, vulnerability fixed  
Release Date: 06/03/2018  
Risk: MEDIUM  
  
  
  
1. General Overview  
===================  
During the security audit of Magento Open Source 1 and 2 a  
vulnerability was discovered that could allow an attacker to force  
an authenticated admin to perform backups and put the store into  
maintenance mode during backups, which could serve as a denial of  
service attack vector.  
  
  
2. Software Overview  
====================  
Magento is an ecommerce platform built on open source technology  
which provides online merchants with a flexible shopping cart system,  
as well as control over the look, content and functionality of their  
online store. Magento offers powerful marketing, search engine  
optimization, and catalog-management tools. It is a leading  
enterprise-class eCommerce platform, empowering over 200,000  
online retailers.  
  
Homepage:  
http://www.magento.com  
  
  
3. Vulnerability Description  
============================  
During the security analysis of Magento 2 and 1 Cross-Site Request  
Forgery (CSRF) vulnerability was discovered that could allow an  
attacker to force an authenticated admin to perform backups and put  
the store into maintenance mode during backups, which could  
potentially serve as a denial of service attack vector.  
  
When a backup HTTP request is changed from POST to GET, the lack of  
form_key parameter which serves as a CSRF token is completely ignored  
and thus allows the request to be abused for CSRF attacks. The  
following URL is used in the attacks:  
  
Magento 2:  
http://website.com/admin/backup/index/create/?isAjax=true&type=db&maintenance_mode=0&backup_name=test-DefenseCode&exclude_media=0  
  
Magento 1:  
http://website.com/index.php/admin/system_backup/create/?isAjax=true&type=db&maintenance_mode=0&backup_name=test3&exclude_media=0  
  
The prerequisite for this attack is that the Add Secret Key to URLs  
option is disabled. Secret keys are an additional anti-CSRF measure  
in Magento, with form keys being the primary measure (that can not  
be disabled). In a team setting this option is often disabled in  
order to be able to to pass admin links to coleagues, tickets, chat,  
etc.  
  
  
4. Solution  
===========  
Vendor fixed the reported security issues and released a new version.  
All users are strongly advised to update to the latest available  
version.  
  
  
5. Credits  
==========  
Discovered by Bosko Stankovic ([email protected]).  
  
  
6. Disclosure Timeline  
======================  
05/11/2017 Vendor contacted through Bugcrowd platform  
17/11/2017 Vendor responded  
28/02/2018 Vulnerability fixed  
06/03/2018 Advisory released  
  
  
7. About DefenseCode  
====================  
DefenseCode L.L.C. delivers products and services designed to analyze  
and test web, desktop and mobile applications for security  
vulnerabilities.  
  
DefenseCode ThunderScan is a SAST (Static Application Security  
Testing, WhiteBox Testing) solution for performing extensive security  
audits of application source code. ThunderScan SAST performs fast and  
accurate analyses of large and complex source code projects delivering  
precise results and low false positive rate.  
  
DefenseCode WebScanner is a DAST (Dynamic Application Security  
Testing, BlackBox Testing) solution for comprehensive security audits  
of active web applications. WebScanner will test a website's security  
by carrying out a large number of attacks using the most advanced  
techniques, just as a real attacker would.  
  
Subscribe for free software trial on our website  
http://www.defensecode.com/ .  
  
E-mail: defensecode[at]defensecode.com  
  
Website: http://www.defensecode.com  
Twitter: https://twitter.com/DefenseCode/  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
06 Mar 2018 00:00Current
0.4Low risk
Vulners AI Score0.4
magentocsrfvulnerabilitydenial of servicesecurity auditecommercemaintenance modepatchdefensecode
81