Magento vulnerability has put 250 000 eCommerce websites under threat
DefenceCode researchers (a company that provides consulting services in the field of information security) found a vulnerability in the Magento eCommerce platform that allows hackers to upload malware to the web server.
Magento allows adding Vimeo videos to the description of a product. The video is then shown as a preview image with a link to the video. When the web address of the preview image leads to another kind of file (a PHP script, for example), Magento downloads this file in order to check it. If it is not an image, the platform warns the user that the file type is invalid, but it does not delete the file from the server.
Using this behaviour, a hacker can force Magento to download a configuration file named .htaccess that enables PHP execution in the uploads folder, which in turn lets a malicious script placed there be executed.
As soon as the malware is on the server, it allows bypassing authentication and can be launched from a browser. Hackers can then browse through the server's folders and read the database passwords from Magento's configuration file, which gives them access to confidential information about the clients.
This vulnerability cannot be used directly, because the function involved requires authentication (the "Add Secret Key to URLs" option is enabled by default). This means that a hacker has to have an account on the attacked website. However, administrator rights are not required; an ordinary user account is enough.
DefenceCode warns that a <img src=… line placed in an email or in the comments on a page is enough for hackers. By opening it, a user who is logged in to Magento at that moment triggers the download of an arbitrary file.
Magento developers were informed about this vulnerability in November 2016, but the latest Magento releases are still vulnerable to this exploit. That is why DefenceCode recommends forbidding .htaccess files in the uploads folder manually.
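The root cause described above is a fetched file that is rejected as "not an image" but left on disk. The following added example (not Magento's code; the function names `sniff_image_type` and `accept_fetched_preview` and the sample files are constructed for illustration) shows the missing step: validate the downloaded file by its leading bytes and remove it when the check fails.

```python
import os
import tempfile

# Leading bytes (magic numbers) of image formats a video preview may legitimately use.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def sniff_image_type(path):
    """Return the image type detected from the file's leading bytes, or None."""
    with open(path, "rb") as f:
        head = f.read(8)
    for signature, kind in IMAGE_SIGNATURES.items():
        if head.startswith(signature):
            return kind
    return None


def accept_fetched_preview(path):
    """Keep the fetched file only if it really is an image.

    On failure the file is deleted immediately, so a rejected download
    (a .htaccess or a PHP script) never stays in the uploads folder.
    """
    if sniff_image_type(path) is None:
        os.remove(path)  # the step the vulnerable flow omitted
        return False
    return True


def demo():
    """Constructed demo: one valid PNG header next to two non-image files."""
    folder = tempfile.mkdtemp()
    samples = {
        "preview.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,  # constructed PNG header
        ".htaccess": b"# constructed non-image text\n",
        "script.php": b"<?php echo 1;\n",                    # constructed non-image text
    }
    results = {}
    for name, data in samples.items():
        path = os.path.join(folder, name)
        with open(path, "wb") as f:
            f.write(data)
        # (accepted?, still on disk?) for each sample
        results[name] = (accept_fetched_preview(path), os.path.exists(path))
    return results
```

Running `demo()` shows the PNG accepted and kept, while both non-image files are rejected and no longer exist on disk.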
Keep in mind that Magento is used by more than 250 000 eCommerce websites, which is why this platform attracts hackers.