Lucene search
EgiX1337DAY-ID-24257HistorySep 16, 2015 - 12:00 a.m.
Magento 1.9.2 File Inclusion Vulnerability
2015-09-1600:00:00
EgiX
0day.today
155
0.032 Low
EPSS
Percentile
90.1%
Magento versions 1.9.2 and below suffer from an autoloaded file inclusion vulnerability.
-------------------------------------------------------------------------------
Magento <= 1.9.2 (catalogProductCreate) Autoloaded File Inclusion Vulnerability
-------------------------------------------------------------------------------
[-] Software Link:
http://magento.com/
[-] Affected Versions:
Version 1.9.2 and prior versions.
[-] Vulnerability Description:
The vulnerability is caused by the "catalogProductCreate" SOAP API implementation,
which is defined into the /app/code/core/Mage/Catalog/Model/Product/Api/V2.php script:
109. public function create($type, $set, $sku, $productData, $store = null)
110. {
111. if (!$type || !$set || !$sku) {
112. $this->_fault('data_invalid');
113. }
114.
115. $this->_checkProductTypeExists($type);
116. $this->_checkProductAttributeSet($set);
117.
118. /** @var $product Mage_Catalog_Model_Product */
119. $product = Mage::getModel('catalog/product');
120. $product->setStoreId($this->_getStoreId($store))
121. ->setAttributeSetId($set)
122. ->setTypeId($type)
123. ->setSku($sku);
124.
125. if (!property_exists($productData, 'stock_data')) {
126. //Set default stock_data if not exist in product data
127. $_stockData = array('use_config_manage_stock' => 0);
128. $product->setStockData($_stockData);
129. }
User input passed through the "productData" SOAP parameter is not properly validated before being
used in a call to the "property_exists()" function at line 125. This can be exploited by attackers
with valid API credentials to include and execute arbitrary PHP code (both from local or remote
resources) leveraging the Varien_Autoload::autoload() autoloading function. Successful exploitation
of this vulnerability requires the application running on PHP before version 5.4.24 or 5.5.8.
[-] Solution:
Update to version 1.9.2.1 or apply the SUPEE-6482 patch bundle.
[-] Disclosure Timeline:
[27/02/2015] - Vendor notified
[25/06/2015] - Vendor acknowledgement stating the issue will be fixed in the next release
[04/08/2015] - Version 1.9.2.1 released along with the patch for this vulnerability
[13/08/2015] - CVE number requested
[17/08/2015] - CVE number assigned
[11/09/2015] - Public disclosure
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2015-6497 to this vulnerability.
# 0day.today [2018-03-20] #Related
packetstorm
packetstorm
Magento 1.9.2 File Inclusion
2015-09-14 00:00:00
github
github
Magento arbitrary PHP code execution via the productData parameter
2022-05-24 17:06:13
cve
cve
CVE-2015-6497
2020-01-15 17:15:00
osv
osv
Magento arbitrary PHP code execution via the productData parameter
2022-05-24 17:06:13
seebug
seebug
prion
prion
Code injection
2020-01-15 17:15:00
securityvulns
securityvulns
cvelist
cvelist
CVE-2015-6497
2020-01-15 16:49:00