XML Vulnerabilities Found in Magento

Posted on the 2nd November 2015

Researchers have found two new vulnerabilities in the Magento shopping cart platform. Ebrahim Hegazy has discovered a remote code execution vulnerability, while Dawid Golunski has identified an XML External Entity injection vulnerability. These two vulnerabilities have been reported to eBay, and the developers at eBay have released a patch.

Two Unrelated Vulnerabilities

While the vulnerabilities were both published on the same day, the researchers were working independently, and the bugs are not connected in any way. The XXE bug relates to PHP’s FastCGI Process Manager (PHP-FPM). This vulnerability is a complex one, and it is quite dangerous, being rated 7.5 out of 10, or ‘critical’, on the CVSS vulnerability scale.

The issue is not with Magento directly but rather with the Zend Framework, on which Magento itself is built. The vulnerability exists because of poor sanitization of XML data on systems that run PHP under the FastCGI Process Manager. While Magento is the highest-profile example of software affected by this, there are others.

The vulnerability means that it is possible for an attacker to bypass the sanitization and therefore perform certain XXE attacks. The vulnerability is located in the Zend XML RPC Server and Zend SOAP Server components. It affects Magento Enterprise Edition 1.4.2.1 and Magento Community Edition 1.9.2.1 and all earlier versions.
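The defensive pattern behind fixes of this kind is to refuse any XML document that declares a DTD before the parser ever touches its content, because entity declarations (the vehicle for XXE) can only appear inside a DTD. The following is an added example written for this article, not code from Magento or the Zend Framework: a minimal XML-RPC `methodCall` parser that rejects `DOCTYPE` and entity declarations at the parser level using Python's bundled expat bindings. It also shows why a naive string scan for `<!DOCTYPE` is a poor substitute: such a scan mis-classifies a harmless XML comment, while the parser-level check does not. The method name, parameter value and file path in the sample requests are constructed placeholders.

```python
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """Raised when a document carries a DTD, which is where XXE payloads are declared."""


def parse_xmlrpc_call(data: bytes):
    """Parse a minimal XML-RPC <methodCall> and return (method_name, [string params]).

    Any DOCTYPE or entity declaration aborts parsing with UnsafeXmlError. The check
    is performed by the parser itself, not by scanning raw bytes, so a '<!DOCTYPE'
    inside a comment is harmless while a real DTD anywhere in the prolog is refused.
    """
    parser = xml.parsers.expat.ParserCreate()
    state = {"path": [], "method": None, "params": [], "text": ""}

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # Fires before any entity inside the DTD can be declared or expanded.
        raise UnsafeXmlError("DOCTYPE declaration refused: %r" % name)

    def reject_entity(*_args):
        # Defence in depth: never reached if reject_doctype fired first.
        raise UnsafeXmlError("entity declaration refused")

    def start(name, attrs):
        state["path"].append(name)
        state["text"] = ""  # collect text per element

    def chars(text):
        state["text"] += text  # expat may deliver text in several chunks

    def end(name):
        path = state["path"]
        if path == ["methodCall", "methodName"]:
            state["method"] = state["text"].strip()
        elif path[-2:] == ["value", "string"]:
            state["params"].append(state["text"])
        path.pop()

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)

    if state["method"] is None:
        raise ValueError("document is not an XML-RPC methodCall")
    return state["method"], state["params"]


def naive_rejects(data: bytes) -> bool:
    """The fragile alternative: a raw substring check for a DOCTYPE declaration."""
    return b"<!DOCTYPE" in data.upper()


def is_refused(data: bytes) -> bool:
    """True if the parser-level check refuses the document as carrying a DTD."""
    try:
        parse_xmlrpc_call(data)
    except UnsafeXmlError:
        return True
    return False


# Constructed sample requests (placeholder method name, order id and file path).
SAFE_CALL = b"""<?xml version="1.0"?>
<methodCall>
  <methodName>example.getOrder</methodName>
  <params><param><value><string>100000042</string></value></param></params>
</methodCall>"""

# A DTD declaring an external entity: the classic XXE shape, refused before expansion.
DTD_CALL = b"""<?xml version="1.0"?>
<!DOCTYPE methodCall [
  <!ENTITY ext SYSTEM "file:///placeholder-path">
]>
<methodCall>
  <methodName>example.getOrder</methodName>
  <params><param><value><string>&ext;</string></value></param></params>
</methodCall>"""

# Legitimate request containing the word DOCTYPE only inside a comment.
COMMENTED_CALL = b"""<?xml version="1.0"?>
<!-- <!DOCTYPE methodCall SYSTEM "x"> -->
<methodCall>
  <methodName>example.getOrder</methodName>
  <params><param><value><string>100000042</string></value></param></params>
</methodCall>"""


if __name__ == "__main__":
    print(parse_xmlrpc_call(SAFE_CALL))
    print("DTD request refused:", is_refused(DTD_CALL))
    print("commented request refused by parser:", is_refused(COMMENTED_CALL))
    print("commented request refused by naive scan:", naive_rejects(COMMENTED_CALL))
```

Rejecting DTDs outright is the right default for an RPC or SOAP endpoint, where clients have no legitimate reason to declare entities; it removes the entire class of external-entity and entity-expansion problems rather than trying to sanitize individual declarations.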

Remote Code Execution

The remote code execution vulnerability relies on unsanitized form fields in the installation package, allowing an attacker to run unauthorized PHP code through the installer. For a website to be vulnerable to this exploit, it must still have the installation directory in place. The good news is that this is very rare – you are warned when you install the software to remove the installation directory immediately. However, there are still a few hundred ‘untouched installs’ of Magento which could be exploited. While it’s unlikely that they contain sensitive information, there may be other data on the same server, or an attacker could use the exploit to gain a foothold now – in case the install is ever put to use.

Patches have been released by eBay for both of these vulnerabilities and can be downloaded free of charge. It is important that all webmasters – whether using the Enterprise Edition or the Community Edition – take advantage of this and install the patches immediately, before the exploits become part of the exploit toolkits in the wild.