
Magento Patches Flaws Leading to Site Takeover

Magento recently addressed vulnerabilities that could be exploited by unauthenticated attackers to hijack administrative sessions and then completely take over vulnerable web stores.

For a successful attack, a threat actor would first have to exploit a Stored Cross-Site Scripting (XSS) flaw to inject a JavaScript payload into the administrator backend of a Magento store. After hijacking the session from an employee, the attacker would then exploit an authenticated Remote Code Execution (RCE) bug to completely compromise the store.

“The attacker could then cause financial harm to the company running the store. For example, the attacker could redirect all payments to his bank account or steal credit card information,” Germany-based security firm RIPS Technologies reveals.

The vulnerabilities can be exploited if the store uses the built-in, core Authorize.Net payment module, as the issue resides in Magento’s implementation of this credit card payment processing solution. Because the module is used in many Magento stores, the attack could be automated and lead to mass exploitation, the security firm says.

“We rate the severity of the exploit chain as high, as an attacker can exploit it without any prior knowledge or access to a Magento store and no social engineering is required,” RIPS Technologies notes.

The first issue is an unauthenticated Stored XSS in the cancellation note of a new product order, resulting from a bypass for the escapeHtmlWithLinks() sanitization method.

Because at one point in the sanitization process the already-sanitized links are injected back into the string via vsprintf(), an additional double quote ends up inside the <i> tag, which allows for an attribute injection.


“This allows an attacker to inject arbitrary HTML attributes into the resulting string. By injecting a malicious onmouseover event handler and a style attribute to make the link an invisible overlay over the entire page, the XSS payload triggers as soon as a victim visits a page that contains such an XSS payload and moves his mouse,” the security firm says.

Because the method is used to sanitize order cancellation notes, an attacker could exploit the vulnerability to inject arbitrary JavaScript that is triggered when an employee reviews the cancelled order.
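To make the sanitizer flaw described above concrete from the defender's side, here is an added example that is not Magento's code and not from RIPS: a small Python model of the "escape the surrounding text, then re-insert the links through a format string" pattern, beside a hardened form. The regex, the `<a href="..."><i>...</i></a>` template, the sentinel trick that stands in for vsprintf() and the sample cancellation note are all constructed for this illustration; Magento's real escapeHtmlWithLinks() is PHP and differs in detail.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed for this example: matches a simple <a href="...">label</a>.
LINK_RE = re.compile(r'<a\s+href="([^"]*)"\s*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
# Assumed output template; the <i> wrapper mirrors the tag the advisory mentions.
LINK_TEMPLATE = '<a href="%s"><i>%s</i></a>'


def _split_links(text):
    """Replace each link with a NUL sentinel; return (text, [(href, label), ...])."""
    links = []

    def stash(match):
        links.append((match.group(1), match.group(2)))
        return "\x00"

    return LINK_RE.sub(stash, text), links


def _reinsert(escaped_text, pieces):
    """Stand-in for vsprintf(): sentinels become %s and the pieces are formatted back in."""
    fmt = escaped_text.replace("%", "%%").replace("\x00", "%s")
    return fmt % tuple(pieces)


def naive_escape_html_with_links(text):
    """Vulnerable pattern: only the text around the links is escaped; href and
    label are re-inserted verbatim, so markup or quotes in them reach the output."""
    plain, links = _split_links(text)
    escaped = html.escape(plain, quote=True)
    pieces = [LINK_TEMPLATE % (href, label) for href, label in links]
    return _reinsert(escaped, pieces)


def safe_escape_html_with_links(text):
    """Hardened form: every re-inserted piece is escaped at insertion time and
    only http(s) hrefs stay links; anything else is rendered as plain text."""
    plain, links = _split_links(text)
    escaped = html.escape(plain, quote=True)
    pieces = []
    for href, label in links:
        safe_label = html.escape(label, quote=True)
        if urlsplit(href).scheme.lower() in ("http", "https"):
            pieces.append(LINK_TEMPLATE % (html.escape(href, quote=True), safe_label))
        else:
            pieces.append(safe_label)
    return _reinsert(escaped, pieces)


# Constructed sample: a cancellation note whose link label carries a quote and markup.
SAMPLE_NOTE = 'Order cancelled, see <a href="https://example.test/policy">refund" <b>policy</b></a> & call us'

if __name__ == "__main__":
    print(naive_escape_html_with_links(SAMPLE_NOTE))  # <b> and the quote survive
    print(safe_escape_html_with_links(SAMPLE_NOTE))   # both are escaped
```

The lesson is the general one: escaping once and then splicing unescaped fragments back in is not a sanitizer. Every piece that reaches the output must be escaped for the context it lands in, and a regression test that feeds quotes and tags through link labels catches the bypass class before a patch ships.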

The payload could be used to hijack the employee’s authenticated session, allowing the attacker to then exploit a Phar deserialization vulnerability within the controller responsible for rendering images within the WYSIWYG editor.

“By injecting a phar:// stream wrapper into an image file handler, an attacker can trigger a PHP object injection. He can then chain POP gadgets from the Magento core that in the end lead to Remote Code Execution,” RIPS Technologies explains.
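The mitigation side of the Phar issue is input validation on any file handler that turns a user-supplied string into a path. The following is an added example, not Magento's controller and not code from RIPS: a Python resolver for an image handler that refuses stream wrappers such as phar://, NUL bytes, directory traversal and non-image extensions. The media root and allowed extensions are assumed values for the illustration.

```python
import os
import re

# Assumed for this example; a real handler would use its configured media directory.
MEDIA_ROOT = "/var/www/html/pub/media"
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}
# Any leading "scheme:" (phar:, file:, data:, ...) marks a stream wrapper or URL, not a path.
SCHEME_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*:")


def resolve_image_path(user_supplied, media_root=MEDIA_ROOT):
    """Return an absolute path under media_root, or raise ValueError."""
    if "\x00" in user_supplied:
        raise ValueError("NUL byte in path")
    if SCHEME_RE.match(user_supplied) or "://" in user_supplied:
        raise ValueError("stream wrappers and URL schemes are not accepted")
    root = os.path.realpath(media_root)
    # Strip leading slashes so an absolute input cannot replace the root in join().
    candidate = os.path.realpath(os.path.join(root, user_supplied.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes the media root")
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXT:
        raise ValueError("not an allowed image extension")
    return candidate


def is_safe_image_path(user_supplied):
    """Boolean wrapper so callers (and tests) can check a path without exceptions."""
    try:
        resolve_image_path(user_supplied)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs showing one accepted path and several rejected ones.
    for sample in ("catalog/product/a.png", "phar://catalog/product/x.jpg",
                   "../../../etc/passwd", "catalog/product/shell.php"):
        print(sample, "->", is_safe_image_path(sample))
```

The scheme check is the part specific to this bug class: PHP file functions will happily open `phar://` or other wrappers if the string reaches them, so the handler must reject anything that is not a plain relative path before it touches the filesystem. The traversal and extension checks are the usual companions for a media endpoint.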

The Stored XSS vulnerability was found in Magento 2.2.6 and reported in August 2018. A patch was released in November, but a bypass was found to impact Magento 2.3.0. The Phar deserialization vulnerability was reported in January and addressed in March in Magento 2.3.1, 2.2.8 and 2.1.17. The Stored XSS was patched again in Magento 2.3.2, 2.2.9 and 2.1.18.

Related: Magento Patches Critical Vulnerabilities

Related: Hacked Magento Sites Steal Card Data, Spread Malware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
