Magento is an e-commerce platform written in PHP. It provides online traders with a flexible shopping cart system, as well as control over the appearance, content and functionality of their online store. It also offers a strong marketing, search engine optimization, and catalog-management tools.
A security researcher from DefenseCode has released proof-of-concept (PoCs) code for 2 CSRF (Cross-Site Request Forgery) and stored XSS (Cross-site scripting) flaws affecting a number of versions of Magento.
The exploitation of these vulnerabilities could lead to administrator account takeover and finally lead to user payment data theft.
According to defensecode:
“There is a Cross-Site Request Forgery vulnerability present in Customer Groups when a POST request is changed to GET on saving changes to existing groups (/customer/group/save/).
When the request method is switched, the lack of form_key parameter which serves as a CSRF token is completely ignored.”
“There is a Cross-Site Request Forgery vulnerability present in Newsletter Templates when a POST request is changed to GET on saving changes on existing or adding new templates (/newsletter/template/save/). When the request method is switched, the lack of form_key parameter which serves as a CSRF token is completely ignored.”
The flaws affect:
– Magento CE 1 prior to 1.9.3.6
– Magento Commerce prior to 1.14.3.6
– Magento 2.0 prior to 2.0.16
– Magento 2.1. prior to 2.1.9
If you are running one of the 200,000+ Magento stores and you haven’t yet updated your version, now it’s the time to do it.
