Magento Patches Flaws Leading to Site Takeover

Magento recently addressed vulnerabilities that could be exploited by unauthenticated attackers to hijack administrative sessions and then completely take over vulnerable web stores.

For a successful attack, a threat actor would first have to exploit a Stored Cross-Site Scripting (XSS) flaw to inject a JavaScript payload into the administrator backend of a Magento store. After hijacking an employee's session with that payload, the attacker would then exploit an authenticated Remote Code Execution (RCE) bug to completely compromise the store.

“The attacker could then cause financial harm to the company running the store. For example, the attacker could redirect all payments to his bank account or steal credit card information,” Germany-based security firm RIPS Technologies reveals.

The vulnerabilities can be exploited if the store uses the built-in, core Authorize.Net payment module, as the issue resides in Magento's implementation of this credit card payment processing solution. Because the module is used in many Magento stores, an automated attack could lead to mass exploitation, the security firm says.

“We rate the severity of the exploit chain as high, as an attacker can exploit it without any prior knowledge or access to a Magento store and no social engineering is required,” RIPS Technologies notes.

The first issue is an unauthenticated Stored XSS in the cancellation note of a new product order, resulting from a bypass of the escapeHtmlWithLinks() sanitization method.

At one point in the sanitization process, the already sanitized links are injected back into the string via vsprintf(). This inserts an additional double quote into the <i> tag, which allows for an attribute injection.

“This allows an attacker to inject arbitrary HTML attributes into the resulting string. By injecting a malicious onmouseover event handler and a style attribute to make the link an invisible overlay over the entire page, the XSS payload triggers as soon as a victim visits a page that contains such an XSS payload and moves his mouse,” the security firm says.

Because the method is used to sanitize order cancellation notes, an attacker could exploit the vulnerability to inject arbitrary JavaScript that is triggered when an employee reviews the cancelled order.
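To show why re-inserting a captured link without attribute escaping is the dangerous step, here is a constructed, simplified model of an "escape HTML but keep links" sanitizer written in Python for this article. It is not Magento's escapeHtmlWithLinks() or RIPS's code; the cancellation note, the shop.example URL and the function names are all made up, and the attribute-name check at the end is the kind of regression test a defender would add.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed, simplified model of an "escape HTML but keep links" sanitizer; it is
# not Magento's escapeHtmlWithLinks(), only the pattern the article describes:
# <a> tags are pulled out, the rest is HTML-escaped, and the links are put back.
LINK_RE = re.compile(r"""<a\s+href=(["'])(.*?)\1[^>]*>(.*?)</a>""", re.I | re.S)
PLACEHOLDER = "\x00link\x00"
# Constructed cancellation note: the single-quoted href smuggles a double quote.
NOTE = ("Cancelled, see <a href='https://shop.example/policy\" onmouseover=\"x()'>"
        "policy</a> for refunds & terms")

def _split_links(text):
    """Swap each <a> for a placeholder; return (template, [(href, label), ...])."""
    links = []
    def stash(m):
        links.append((m.group(2), m.group(3)))
        return PLACEHOLDER
    return LINK_RE.sub(stash, text), links

def escape_keep_links_vulnerable(text):
    """Flawed: the href goes back unescaped, so a quote inside it closes the attribute."""
    template, links = _split_links(text)
    out = html.escape(template)
    for href, label in links:
        out = out.replace(PLACEHOLDER, f'<a href="{href}">{html.escape(label)}</a>', 1)
    return out

def escape_keep_links_hardened(text):
    """Hardened: only http(s) URLs stay links, and the href is attribute-escaped
    (quote=True turns " into &quot;); anything else becomes escaped plain text."""
    template, links = _split_links(text)
    out = html.escape(template)
    for href, label in links:
        rendered = html.escape(label)
        if urlsplit(href).scheme.lower() in ("http", "https"):
            rendered = f'<a href="{html.escape(href, quote=True)}">{rendered}</a>'
        out = out.replace(PLACEHOLDER, rendered, 1)
    return out

def anchor_attribute_names(rendered):
    """Defender check: a link-preserving sanitizer must yield nothing but 'href'."""
    names, parser = [], HTMLParser()
    # Intercept start tags the way the browser-side tokenizer would see them.
    parser.handle_starttag = lambda tag, attrs: tag == "a" and names.extend(n for n, _ in attrs)
    parser.feed(rendered)
    return names
```

Running the note through the flawed variant yields an anchor carrying both href and onmouseover, while the hardened variant yields only href because the smuggled quote is emitted as &quot;.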

The payload could be used to hijack the employee’s authenticated session, allowing the attacker to then exploit a Phar deserialization vulnerability within the controller responsible for rendering images within the WYSIWYG editor.

“By injecting a phar:// stream wrapper into an image file handler, an attacker can trigger a PHP object injection. He can then chain POP gadgets from the Magento core that in the end lead to Remote Code Execution,” RIPS Technologies explains.

The Stored XSS vulnerability was found in Magento 2.2.6 and reported in August 2018. A patch was released in November, but a bypass was found to impact Magento 2.3.0. The Phar deserialization vulnerability was reported in January and addressed in March in Magento 2.3.1, 2.2.8 and 2.1.17. The Stored XSS was patched again in Magento 2.3.2, 2.2.9 and 2.1.18.

Related: Magento Patches Critical Vulnerabilities

Related: Hacked Magento Sites Steal Card Data, Spread Malware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
