Lucene search
K

Magento User Info Cross Site Scripting Vulnerability

🗓️ 07 Mar 2018 00:00:00Reported by Bosko StankovicType 
zdt
 zdt
🔗 0day.today👁 83 Views

Magento stored XSS vulnerabilities in version 2.0 prior to 2.0.1

Code
Advisory Title: Magento Multiple Stored Cross-Site Scripting Vulnerabilities
Advisory URL:   http://www.defensecode.com/advisories.php
Software:       Magento
Version:        Magento 2.0 prior to 2.0.18
Vendor Status:  Vendor contacted, vulnerability fixed
Release Date:   06/03/2018
Risk:           MEDIUM



1. General Overview
===================
During the security audit of Magento Open Source 2 multiple medium
risk stored cross-site scripting vulnerabilities were discovered that
could lead to administrator account takeover, putting the website
customers and their payment information at risk.


2. Software Overview
====================
Magento is an ecommerce platform built on open source technology
which provides online merchants with a flexible shopping cart system,
as well as control over the look, content and functionality of their
online store. Magento offers powerful marketing, search engine
optimization, and catalog-management tools. It is a leading
enterprise-class eCommerce platform, empowering over 200,000
online retailers.

Homepage:
http://www.magento.com


3. Vulnerability Description
============================
During the security analysis of Magento Open Source 2 prior to 2.0.18
it was discovered that the application returns unescaped and
unsanitized user/customer controlled input on direct requests to
several application URLs.

User/customer controlled information such as customer first and last
name, street address, city, company, shipping and billing information
are unsanitized and unescaped in an output resulted from a direct
request to the following url:

http://website.com/admin/mui/index/render/?namespace=customer_listing&isAjax=true

User/customer first and last name information is unsanitized and
unescaped in an output resulted from a direct request to the
following urls:

http://website.com/admin/mui/index/render/?namespace=customer_online_grid&isAjax=true

http://website.com/admin/mui/index/render/?namespace=sales_order_invoice_grid&isAjax=true

http://website.com/admin/mui/index/render/?namespace=sales_order_grid&isAjax=true

The application will return a text/html response with a json-formatted
content. All aforementioned user-controlled input is prone to stored
cross-site scripting.

The prerequisite for this attack is that the Add Secret Key to URLs
option is disabled. Secret keys are an additional anti-CSRF measure in
Magento, with form keys being the primary measure (that can not be
disabled). In a team setting this option is often disabled in order
to be able to to pass admin links to coleagues, tickets, chat, etc.


4. Solution
===========
Vendor fixed the reported security issues and released a new version.
All users are strongly advised to update to the latest available
version.


5. Credits
==========
Discovered by Bosko Stankovic ([email protected]).


6. Disclosure Timeline
======================
19/04/2017   Vendor contacted through Bugcrowd platform
19/04/2017   Vendor responded
28/02/2018   Vulnerability fixed
06/03/2018   Advisory released

#  0day.today [2018-03-14]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation