Magento, the popular e-commerce platform used by more than 250,000 merchants worldwide, is affected by a serious vulnerability that can be exploited to hijack online stores, researchers warn.
DefenseCode discovered the flaw in November and reported it to Magento through the company's Bugcrowd-based bug bounty program. The vendor was informed of the severity of the issue but has still not addressed it. After its attempts to obtain a status update on the vulnerability failed, DefenseCode decided to make its findings public.
The vulnerability is linked to a feature which allows users to add Vimeo video content to an existing product. When such a video is added, Magento will automatically retrieve a preview image through a POST request.
The request method can be changed from POST to GET, allowing an attacker to launch a cross-site request forgery (CSRF) attack and upload an arbitrary file. Although invalid image files are rejected, the file is saved on the server before it is validated.
The location of this file can be easily determined, enabling an attacker to upload a malicious PHP script to the server. To achieve remote code execution, the attacker also has to upload a .htaccess file to the same directory.
For the attack to work, an attacker has to convince a user with access to the shop's administration panel, regardless of their permissions and role, to visit a specially crafted web page that triggers the CSRF attack.
The researchers have warned that successful exploitation of this vulnerability can allow an attacker to take complete control of a targeted system, including gaining access to sensitive customer information stored in the compromised store's database.
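The three weaknesses described above (a state-changing handler that accepts GET, no CSRF token, and a file written to a predictable path before it is validated) are easy to see side by side in code. The following is an added illustration, not Magento's or DefenseCode's code: a constructed in-memory "store" with a handler written the way the advisory describes and a hardened handler that checks the method and CSRF token first, validates the image in memory, and only then writes it under a server-chosen name. All names (`Store`, `Request`, `vulnerable_fetch_preview`, `hardened_fetch_preview`) are assumptions for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Magic bytes for the image formats a preview handler would accept (standard values).
IMAGE_MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpg", b"GIF89a": "gif", b"GIF87a": "gif"}


@dataclass
class Request:                      # constructed stand-in for an HTTP request
    method: str
    csrf_token: Optional[str]
    filename: str                   # client-supplied name
    body: bytes                     # the "preview image" the server would fetch


@dataclass
class Store:                        # constructed stand-in for one shop's upload directory
    files: Dict[str, bytes] = field(default_factory=dict)
    session_token: str = field(default_factory=lambda: secrets.token_hex(16))


def sniff_image(data: bytes) -> Optional[str]:
    """Return the image extension if the bytes start with a known image header, else None."""
    for magic, ext in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def vulnerable_fetch_preview(store: Store, req: Request) -> str:
    """The pattern the advisory describes: any method, no CSRF check, write first, validate later."""
    path = "media/tmp/" + req.filename       # attacker-controlled, predictable location
    store.files[path] = req.body             # persisted before validation ...
    if sniff_image(req.body) is None:
        return "rejected"                    # ... so a rejected file is still on disk
    return "ok"


def hardened_fetch_preview(store: Store, req: Request) -> str:
    """Validate everything before touching storage; never use the client's filename."""
    if req.method != "POST":                 # state change must not be reachable via GET
        return "rejected: method"
    if req.csrf_token is None or not hmac.compare_digest(req.csrf_token, store.session_token):
        return "rejected: csrf"
    ext = sniff_image(req.body)
    if ext is None:                          # validated in memory, nothing written yet
        return "rejected: not an image"
    path = f"media/tmp/{secrets.token_hex(8)}.{ext}"   # server-chosen name and extension
    store.files[path] = req.body
    return "ok"
```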
The latest security updates were released by Magento developers in February when they addressed a critical remote code execution vulnerability that allegedly affected only a few systems.