The malicious code can be stored inside email address fields, and then executed in the Magento backend

Jan 24, 2016 01:05 GMT  ·  By

The Magento project has released patches to fix a critical security bug in the CMS that's powering a large chunk of online shops all over the Internet.

The bug is a stored XSS (cross-site scripting) vulnerability that can be exploited when registering a new user account or when changing the email address of an existing account.

The problem lies in how the CMS sanitizes the data entered in the customer email field. As cyber-security vendor Sucuri has discovered, the email address is not sufficiently filtered for dangerous characters.

This inadequate filtering allows attackers to store malicious code alongside their email address.

The bug is easy for any skilled attacker to exploit

If an attacker then places an order from an account with a poisoned email address, the malicious code executes as soon as the site's admin opens that order in the backend.

JavaScript code can be used to access cookies, so the attacker can steal the admin's cookies and use them to illegally access the site later on. Other actions can also be carried out, and the attack's capabilities depend on the attacker's skills.
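The two controls this class of bug calls for, as an added example that is not Magento's code or part of Sucuri's report, written in Python rather than Magento's PHP so it runs stand-alone: a strict intake check on the email field, a scan for addresses that were stored before a fix, and escaping at the point where the admin backend renders the value. The order ids and addresses are constructed samples.

```python
import html
import re

# Strict allowlist for the storefront email field. It is deliberately narrower
# than RFC 5322 (no quoted local parts, no comments): a shop has no reason to
# accept '<', '>' or '"' inside a customer address, so reject them at intake.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")

# Characters that have no business in a stored address and are the usual
# first sign of a markup injection attempt.
MARKUP_CHARS = set('<>"\'')


def is_acceptable_email(addr: str) -> bool:
    """Intake check: True only for addresses matching the strict allowlist."""
    return len(addr) <= 254 and EMAIL_RE.fullmatch(addr) is not None


def looks_poisoned(addr: str) -> bool:
    """Retroactive check for customer records stored before the fix."""
    return any(ch in MARKUP_CHARS for ch in addr)


def render_order_row_unsafe(order_id: str, email: str) -> str:
    """The vulnerable pattern: stored value concatenated straight into admin HTML."""
    return f"<tr><td>{order_id}</td><td>{email}</td></tr>"


def render_order_row(order_id: str, email: str) -> str:
    """Hardened pattern: escape at the point of output, whatever intake did."""
    return (
        f"<tr><td>{html.escape(order_id, quote=True)}</td>"
        f"<td>{html.escape(email, quote=True)}</td></tr>"
    )


# Constructed sample records (hypothetical order ids): one ordinary customer
# and one whose address carries an inert script tag of the kind described above.
SAMPLE_ADDRESSES = {
    "100000042": "alice@example.com",
    "100000043": 'eve"<script>alert(1)</script>@example.com',
}

if __name__ == "__main__":
    for order_id, addr in SAMPLE_ADDRESSES.items():
        print(order_id, "accept" if is_acceptable_email(addr) else "reject",
              "poisoned" if looks_poisoned(addr) else "clean")
        print("  unsafe :", render_order_row_unsafe(order_id, addr))
        print("  escaped:", render_order_row(order_id, addr))
```

Input validation alone is not enough: only the escaped renderer neutralises addresses that were already stored, which is why the output-side fix matters most for existing shops.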

On Sucuri's own vulnerability severity scale, the bug is rated with a score of 7 out of 10.

WordPress site admins faced this very same problem

Conceptually, the bug is similar to another XSS bug discovered in the Jetpack WordPress plugin by Sucuri in October. That bug also allowed attackers to execute malicious code inside the WordPress backend via malicious code attached to email addresses sent through a feedback form.

Affected Magento versions include Magento Community Edition 1.9.2.2 and earlier, and Magento Enterprise Edition 1.14.2.2 and earlier. The recent 2.x branch is not affected by this issue, but a separate stored XSS bug affects the 2.x branch.

Store administrators running an older version of Magento should update their online shops as soon as possible.

UPDATE: Article updated to mention the second XSS bug that affects the 2.x branch.

[Image: Magento XSS bug in action]

[Image: Magento fixes critical XSS bug]