eBay developers have been busy with bug fixes lately

Oct 30, 2015 13:24 GMT

Researchers have discovered two vulnerabilities in the Magento e-commerce platform, an XML eXternal Entity (XXE) injection flaw by Dawid Golunski, and a remote code execution (RCE) by Ebrahim Hegazy.

Both vulnerabilities were reported to eBay, Magento's current owner, who patched the product and released a new version.

It is a simple coincidence that both bugs were published today; they have no connection to each other.

XML eXternal Entity injection in PHP's FastCGI Process Manager

The first Magento vulnerability is complex and hard for non-technical users to understand. It is also the more dangerous of the two: eBay's developers labeled it with a severity level of "high/critical" and a CVSS score of 7.5 out of 10.

The problem does not even lie with Magento itself; it is an issue in the Zend Framework, the PHP toolkit on which Magento's Community and Enterprise editions are built.

Security researcher Dawid Golunski discovered both vulnerabilities (Zend and Magento) and says that "the Zend Framework XXE vulnerability stems from an insufficient sanitization of untrusted XML data on systems that use PHP-FPM [FastCGI Process Manager] to serve PHP applications," as is the case with Magento and many others.

"By using certain multibyte encodings within XML," he continues, "it is possible to bypass the sanitisation and perform certain XXE attacks," which can lead to DoS (Denial-of-Service) states for the shop or even RCE (remote code execution) on the platform.

More specifically, the vulnerability resides in the Zend_XmlRpc_Server and Zend_SOAP_Server components that are used to power the Magento store's XML/SOAP API.
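What "bypass the sanitisation" means in practice can be shown with a short PHP example. The code below is added here and is not from the Zend Framework, Magento or Golunski's advisory; it assumes PHP 7.4 or later with the mbstring and dom extensions, and the sample documents are constructed. A guard that searches the raw bytes for `<!DOCTYPE` misses a document sent as UTF-16, because every ASCII character is then followed by a null byte; the hardened guard converts the input to UTF-8 before looking, and the parser is never given the flags that would expand entities.

```php
<?php
declare(strict_types=1);
// Added example; not Zend Framework or Magento code. Assumes PHP 7.4+ with
// the mbstring and dom extensions. Shows why a DOCTYPE check done on the raw
// byte string misses a UTF-16-encoded document, and a check that first
// normalizes the encoding to UTF-8.

/** Naive guard: looks for the ASCII bytes "<!DOCTYPE" in the raw input. */
function naiveRejectsDoctype(string $xml): bool
{
    return stripos($xml, '<!DOCTYPE') !== false;
}

/**
 * Convert UTF-16/UTF-32 input to UTF-8 before inspection. Detection is by
 * byte-order mark first, then by the byte pattern of a BOM-less "<?xml".
 */
function normalizeToUtf8(string $xml): string
{
    // Longer BOMs are listed first so UTF-32LE is not mistaken for UTF-16LE.
    $byBom = [
        "\x00\x00\xFE\xFF" => 'UTF-32BE',
        "\xFF\xFE\x00\x00" => 'UTF-32LE',
        "\xFE\xFF"         => 'UTF-16BE',
        "\xFF\xFE"         => 'UTF-16LE',
    ];
    foreach ($byBom as $bom => $encoding) {
        if (strncmp($xml, $bom, strlen($bom)) === 0) {
            return mb_convert_encoding(substr($xml, strlen($bom)), 'UTF-8', $encoding);
        }
    }
    $byPrologue = [
        "\x00\x00\x00<" => 'UTF-32BE',
        "<\x00\x00\x00" => 'UTF-32LE',
        "\x00<\x00?"    => 'UTF-16BE',
        "<\x00?\x00"    => 'UTF-16LE',
    ];
    foreach ($byPrologue as $prefix => $encoding) {
        if (strncmp($xml, $prefix, strlen($prefix)) === 0) {
            return mb_convert_encoding($xml, 'UTF-8', $encoding);
        }
    }
    return $xml; // treat as UTF-8 or a single-byte encoding
}

/** Hardened guard: normalize the encoding, then look for a DOCTYPE. */
function hardenedRejectsDoctype(string $xml): bool
{
    return stripos(normalizeToUtf8($xml), '<!DOCTYPE') !== false;
}

/**
 * Parse only after the guard passes, and never with LIBXML_NOENT or
 * LIBXML_DTDLOAD, so entities are not expanded even if the guard were wrong.
 */
function parseWithoutEntities(string $xml): ?DOMDocument
{
    if (hardenedRejectsDoctype($xml)) {
        return null;
    }
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true); // the default behaviour from PHP 8.0
    }
    $dom = new DOMDocument();
    $previous = libxml_use_internal_errors(true);
    $ok = $dom->loadXML(normalizeToUtf8($xml), LIBXML_NONET);
    libxml_use_internal_errors($previous);
    return $ok ? $dom : null;
}

// Constructed sample documents: a harmless internal entity, once as UTF-8 and
// once as UTF-16LE with a byte-order mark, plus a document with no DOCTYPE.
$utf8Doc  = '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY e "x">]><r>&e;</r>';
$utf16Doc = "\xFF\xFE" . mb_convert_encoding($utf8Doc, 'UTF-16LE', 'UTF-8');
$plainDoc = '<?xml version="1.0"?><r>ok</r>';

foreach (['utf8' => $utf8Doc, 'utf16' => $utf16Doc, 'plain' => $plainDoc] as $name => $doc) {
    printf("%-5s naive=%s hardened=%s parsed=%s\n", $name,
        var_export(naiveRejectsDoctype($doc), true),
        var_export(hardenedRejectsDoctype($doc), true),
        var_export(parseWithoutEntities($doc) !== null, true));
}
```

Run with `php xxe_guard.php` (file name is the reader's choice). The naive guard accepts the UTF-16 document while the hardened guard rejects it; the plain document passes both guards and parses. The last line of defence is the parser call itself: with no `LIBXML_NOENT`, no `LIBXML_DTDLOAD` and external loading disabled, a DOCTYPE that slipped past the guard still cannot read files from the server.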

Proof-of-concept code is provided alongside Golunski's explanation.

According to the security disclosure, all Magento Community Edition 1.9.2.1 and earlier, along with Magento Enterprise Edition 1.4.2.1 and earlier, are affected.

Remote Code Execution using the installation package

The second Magento bug to hit the Interwebs was Ebrahim Hegazy's RCE exploit, which leveraged unsanitized form fields in the installation package to run unauthorized PHP code through the installer.

As you can imagine, this type of exploit requires the installation folder to still be present on the server, a directory that few well-trained webmasters forget to delete or rename. Magento, the top platform for online shops, certainly requires a high level of skill to run, as the experts at Byte.nl confirmed to Softpedia.

"Technically he [Hegazy] has a valid point, however the scope is quite low, as it only applies to people who have copied the files but not gone through the installation wizard," said Willem de Groot, lead developer at Byte and MageReport.com. "According to the Magereport.com service, only a few hundred of these 'untouched installs' exist globally (and by their very nature, don't contain sensitive information)."

UPDATE 1: After further investigations of the first XXE injection exploit, Willem de Groot said that 6,788 vulnerable sites are currently discoverable via MageReport.

"It essentially allows a hacker to fetch any file from the server, such as config files containing database passwords," said Mr. de Groot. "This exploit requires the PHP-FPM server software, which is the most common way to run PHP."

Correction: I have understood Mr. de Groot's emails the wrong way. 6,788 was not the number of vulnerable sites, but the internal ID used by eBay for this bug to patch Magento. Mr. de Groot did some further digging into the matter and found that the Zend Framework bug which made Magento vulnerable affects only older PHP versions, 5.3.23 or lower and 5.4.13 or lower. Apologies.

UPDATE 2: Following our second update, we were contacted by Mr. Dawid Golunski who confirmed to Softpedia that the XXE vulnerability affects Magento running on the latest PHP version. The correct Zend Framework vulnerability that caused all the Magento problems is CVE-2015-5161.

[Images: Magento affected by two security bugs; Magento RCE proof of concept]