[KIS-2015-04] Magento <= 1.9.2 (catalogProductCreate) Autoloaded File Inclusion Vulnerability

2015-10-26T00:00:00
ID SECURITYVULNS:DOC:32634
Type securityvulns
Reporter Securityvulns
Modified 2015-10-26T00:00:00

Description


Magento <= 1.9.2 (catalogProductCreate) Autoloaded File Inclusion Vulnerability

[-] Software Link:

http://magento.com/

[-] Affected Versions:

Version 1.9.2 and prior versions.

[-] Vulnerability Description:

The vulnerability is caused by the "catalogProductCreate" SOAP API implementation, which is defined into the /app/code/core/Mage/Catalog/Model/Product/Api/V2.php script:

  1. public function create($type, $set, $sku, $productData, $store = null)
  2. {
  3. if (!$type || !$set || !$sku) {
  4. $this->_fault('data_invalid');
  5. }
  6. $this->_checkProductTypeExists($type);
  7. $this->_checkProductAttributeSet($set);
  8. /* @var $product Mage_Catalog_Model_Product /
  9. $product = Mage::getModel('catalog/product');
  10. $product->setStoreId($this->_getStoreId($store))
  11. ->setAttributeSetId($set)
  12. ->setTypeId($type)
  13. ->setSku($sku);
  14. if (!property_exists($productData, 'stock_data')) {
  15. //Set default stock_data if not exist in product data
  16. $_stockData = array('use_config_manage_stock' => 0);
  17. $product->setStockData($_stockData);
  18. }

User input passed through the "productData" SOAP parameter is not properly validated before being used in a call to the "property_exists()" function at line 125. This can be exploited by attackers with valid API credentials to include and execute arbitrary PHP code (both from local or remote resources) leveraging the Varien_Autoload::autoload() autoloading function. Successful exploitation of this vulnerability requires the application running on PHP before version 5.4.24 or 5.5.8.

[-] Solution:

Update to version 1.9.2.1 or apply the SUPEE-6482 patch bundle.

[-] Disclosure Timeline:

[27/02/2015] - Vendor notified [25/06/2015] - Vendor acknowledgement stating the issue will be fixed in the next release [04/08/2015] - Version 1.9.2.1 released along with the patch for this vulnerability [13/08/2015] - CVE number requested [17/08/2015] - CVE number assigned [11/09/2015] - Public disclosure

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2015-6497 to this vulnerability.

[-] Credits:

Vulnerability discovered by Egidio Romano of Minded Security.

[-] Original Advisory:

http://karmainsecurity.com/KIS-2015-04

[-] Other References:

http://blog.mindedsecurity.com/2015/09/autoloaded-file-inclusion-in-magento.html