Design/Logic Flaw

2015-04-2922:59:00

PRIOn knowledge base

www.prio-n.com

7.9 High

AI Score

Confidence

Low

0.003 Low

EPSS

Percentile

71.7%

JSON

The fetchView function in the Mage_Core_Block_Template_Zend class in Magento Community Edition (CE) 1.9.1.0 and Enterprise Edition (EE) 1.14.1.0 does not restrict the stream wrapper used in a template path, which allows remote administrators to include and execute arbitrary PHP files via the phar:// stream wrapper, related to the setScriptPath function. NOTE: it is not clear whether this issue crosses privilege boundaries, since administrators might already have privileges to include arbitrary files.

CPENameOperatorVersion
magentoeq1.9.1.0
magentoeq1.14.1.0

CPE	Name	Operator	Version
	magento	eq	1.9.1.0
	magento	eq	1.14.1.0

References

magento.com/blog/technical/critical-security-advisory-remote-code-execution-rce-vulnerability

www.securityfocus.com/bid/74412

www.securitytracker.com/id/1032230

blog.checkpoint.com/2015/04/20/analyzing-magento-vulnerability/