Salam, Hello, Nekhaw, Selamat Datang, Komastaka, Aregato, Ciao, Merhaba, Swadi Kup, Namaste, Kak Gatokha Bratokha 😀
Wherever you are from, welcome to this blog post about a Remote Code Execution vulnerability that affects the most popular shopping application on the internet –> #Magento
The case started when I found the sub-domain below for the Magento.com website: http://lavender.dev.magento.com/
As you can see, it is a development server. After some crawling I found the directory below:
http://lavender.dev.magento.com/GitHub/setup/ (the “GitHub/” directory is the folder where Magento is being installed, and “setup/” is the application installation directory)
It was the installation folder for the Magento application, still reachable from the internet. After clicking Next, Next:
Important note: during the installation process, Magento lets you name your admin login page whatever you like: admin, cpanel, or anything else!
Anyway, I reached the URL below, which is used to configure the database Magento will use: http://lavender.dev.magento.com/GitHub/setup/#/add-database
So I submitted bogus data as the database credentials, and I got the error below:
As you can see, the database step triggered an error because it could not connect to the bogus IP I provided in the previous step. But wait! The credentials I provided are also reflected inside the page!
So here is the scenario to trigger the RCE:
1- I provide a bogus IP so the database step throws an error, and that error is reflected in the “Admin” page I created.
2- Because I can rename the admin panel to anything, I rename it to “zigoo.php”; now the error is inserted into the “zigoo.php” page.
3- Since the data I provide in the DB username and password inputs is reflected in that “.php” page, I inject PHP code into the username and password fields, and the server executes it when the page is requested.
That said, I add the PHP code “<?phpinfo();?>” in the username and password fields, rename the admin panel to “zigoo.php”, and put a bogus IP in the “Database Server Host” field, as below:
Now let’s try a small test first: I rename the admin panel to “zigoo1.php” to see whether a user-chosen “.php” name is accepted at all:
It works as expected, so now I inject the PHP code into the other inputs as below:
And bingo! RCE triggered, and the PHP code “<?phpinfo();?>” worked like a charm!
To fix this vulnerability on your own site, make sure the installation files/directory are DELETED once installation is complete, or at least renamed (renaming only relies on the attacker not guessing the new name, so deleting is the safer option).
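Here is a minimal illustration of the bug class and its fix, added to this post as an example; it is not Magento's installer code, and the function names, the install.lock marker and the env.php filename are assumptions made for the illustration. The vulnerable function does what the post describes: it writes the database error page under the user-chosen admin name, so an admin name of zigoo.php plus a PHP open tag in the credentials yields an attacker-authored .php file under the web root. The hardened function refuses to run after installation has completed, whitelists the admin name, never derives a filename from it, and writes the values with var_export() so they stay inside a string literal.

```php
<?php
// Added example, not Magento's code. The file layout, function names and
// the install.lock marker are assumptions made for this illustration.

// VULNERABLE: the output filename is the user-supplied "admin URL" and the
// credentials are pasted into the page as raw text. If the name ends in
// .php and the file lands under the web root, the server executes whatever
// the "username" field contained.
function write_error_page_vulnerable(string $webroot, array $in): string
{
    $file = $webroot . '/' . $in['admin_frontname'];
    $html = "<html><body><h1>Database error</h1>"
          . "Could not connect to {$in['db_host']} as user {$in['db_user']}"
          . " with password {$in['db_pass']}</body></html>\n";
    file_put_contents($file, $html);
    return $file;
}

// HARDENED: (1) refuse to run once installation has completed, (2) accept
// only a short alphanumeric admin name and never use it as a filename,
// (3) write the values with var_export() so they remain string data.
function write_config_hardened(string $webroot, array $in): string
{
    if (is_file($webroot . '/install.lock')) {
        throw new RuntimeException('Installer is disabled: installation already completed');
    }
    if (!preg_match('/^[a-z][a-z0-9_]{0,30}$/i', $in['admin_frontname'])) {
        throw new InvalidArgumentException(
            'Admin URL may contain only letters, digits and underscores');
    }
    $config = [
        'backend' => ['frontName' => $in['admin_frontname']],
        'db'      => [
            'host'     => $in['db_host'],
            'username' => $in['db_user'],
            'password' => $in['db_pass'],
        ],
    ];
    // Fixed filename chosen by the installer, never by the user. var_export()
    // quotes and escapes each value, so "<?php ... ?>" stays inert data.
    $file = $webroot . '/env.php';
    file_put_contents($file, "<?php\nreturn " . var_export($config, true) . ";\n");
    // Lock the installer so the "Next, Next" walk-through no longer works.
    touch($webroot . '/install.lock');
    return $file;
}

// Constructed demo input matching the post's scenario: a bogus DB host so the
// error path is taken, zigoo.php as the admin name, and a PHP payload in the
// credentials (the post used the short-tag spelling <?phpinfo();?>).
$webroot = sys_get_temp_dir() . '/installer-demo-' . getmypid();
mkdir($webroot, 0700);
$payload = [
    'admin_frontname' => 'zigoo.php',
    'db_host'         => '10.255.255.1',
    'db_user'         => '<?php phpinfo(); ?>',
    'db_pass'         => '<?php phpinfo(); ?>',
];

$bad = write_error_page_vulnerable($webroot, $payload);
printf("vulnerable: wrote %s containing %d PHP open tag(s)\n",
    basename($bad), substr_count(file_get_contents($bad), '<?php'));

try {
    write_config_hardened($webroot, $payload);
} catch (InvalidArgumentException $e) {
    echo "hardened: rejected zigoo.php (", $e->getMessage(), ")\n";
}

$safe = $payload;
$safe['admin_frontname'] = 'cpanel';          // a name the post mentions as legitimate
$good = write_config_hardened($webroot, $safe);
$loaded = include $good;                      // the payload comes back as a string, nothing runs
printf("hardened: wrote %s, stored username is %s\n",
    basename($good), var_export($loaded['db']['username'], true));

try {
    write_config_hardened($webroot, $safe);   // second run is blocked by install.lock
} catch (RuntimeException $e) {
    echo "hardened: ", $e->getMessage(), "\n";
}
```

The install.lock check is the part that matters most for the post's scenario: even with perfect input validation, an installer that can be re-run by anyone who finds /setup/ lets a stranger reconfigure the database and admin account, which is why the post's advice to delete the directory still applies on top of any code fix.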
This vulnerability was reported to the Magento team on 09/Nov/2014.
At that time, PayPal and Magento still shared the same bug bounty program (BBP). I got the first response from Magento on 11/11/2014.
Emails went back and forth until I received an email from the team on Jul 2, 2015 at 9:52 AM (after 9 months) saying that the bug was not yet fixed, as highlighted below:
After that I sent an email in the same month, then another, and so on, and did not receive any response for over 3 months:
Until I got fed up with this! So I decided to search for Magento security employees on LinkedIn to message them about the issue!!!!!
I found someone from the Magento team; after I explained the issue to him, he escalated it, and finally on 24/10/2015 I got a response that they would handle this issue and the rest of the bounty would be sent the next week.
Finally, I received the payment on October 27, 2015 10:27:54 PM (around 1 year after the report).
I emailed the team back to ask why this issue took a year to be fixed?!
Their response was:
1- The issue was fixed on 30 June 2015 (around 8 months).
2- The reason for the lack of responses and the delay in sending the bounty was:
As a conclusion to this long blog post:
1- This bug has been fixed now, but if you are using an older version of Magento, don’t forget to remove the installation files/directory.
2- Emergency leaves happen to all of us, but someone should be following up on, or delegated to, P1 (priority one) reports!!!
3- The reward for this vulnerability was the “Second Tier” Application RCE reward.
4- Thanks “Mark Brinton” for your prompt help escalating this issue 🙂