Tom Wang - Fotolia
How does a Magento Community Edition flaw allow remote attacks?
As the Magento Community Edition suffers a new zero-day vulnerability, expert Nick Lewis explains how it's being exploited and how to mitigate the cross-site request forgery flaw.
DefenseCode researchers found a zero-day remote code execution vulnerability in a version of the open source Magento Community Edition ecommerce platform, placing up to 200,000 online retailers at risk. The vulnerability enables cross-site request forgery (CSRF) for image requests. How can an attacker exploit this vulnerability, and what mitigation steps do you recommend? Has the flaw been patched yet?
Nick Lewis: Open source software like the Magento Community Edition ecommerce platform can have significant benefits, starting with the ability to have many eyes looking at code so most bugs can be shallow, but assuming it or any software is secure is a recipe for a security incident. If you are processing sensitive data for e-commerce transactions using credit cards, this could lead to a data breach. Many bugs are only found as a result of software reviews or pen-tests performed by consulting companies, which notify their clients of potential security issues in their software or their operational environments. These consulting companies may then also report their findings to software vendors to remediate, release an advisory to insure that others using the software are aware of the issue -- and also to highlight their own information security expertise.
In April 2017, DefenseCode, the application security testing software company based in Dublin, released a security advisory for a serious remote code execution vulnerability in open source Magento Community Edition ecommerce platform; a patch was published in May 2017. The security advisory explained that the software had a remote code execution vulnerability in the video upload functionality. If a malicious URL was used for a video, the file would be uploaded to a predictable location on the web server and allow the file to be executed on the web server. This could be triggered via a cross-site request forgery when an admin user is logged in and clicks on a malicious link.
At the least, mitigation steps include applying the Magento Community Edition patch and hardening the web server so that uploaded files can't be executed; also important is to be sure the web server is running as a restricted user (not as root). Magento has security best practices that users should review to ensure they have implemented them in their environment. Enterprises may want to use code review tools like static or dynamic code analysis along with pen-testing to identify vulnerabilities in high value assets.