Magento has recently addressed vulnerabilities that unauthenticated attackers could exploit to hijack administrative sessions and then fully take over affected web stores.

To mount a successful attack, a threat actor would first exploit a Stored Cross-Site Scripting (XSS) flaw to inject a JavaScript payload into the administrator backend of a Magento store. After hijacking an employee's session, the attacker would then exploit an authenticated Remote Code Execution (RCE) bug to fully compromise the store.

“The attacker could then cause financial harm to the company running the store. For example, the attacker could redirect all payments to his bank account or steal credit card information,” Germany-based security firm RIPS Technologies reveals.

The vulnerabilities can be exploited if the store uses the built-in, core Authorize.Net payment module, as the issue resides in Magento's implementation of this credit card payment processing solution. The module is widely used in Magento stores, and automation could lead to mass exploitation, the security firm says.

“We rate the severity of the exploit chain as high, as an attacker can exploit it without any prior knowledge or access to a Magento store and no social engineering is required,” RIPS Technologies notes.

The first issue is an unauthenticated Stored XSS in the cancellation note of a new product order, resulting from a bypass of the escapeHtmlWithLinks() sanitization method.

Because at one point in the sanitization process the sanitized links are injected back into the string via vsprintf(), an additional double quote ends up inside the <i> tag, which allows for attribute injection.

“This allows an attacker to inject arbitrary HTML attributes into the resulting string. By injecting a malicious onmouseover event handler and a style attribute to make the link an invisible overlay over the entire page, the XSS payload triggers as soon as a victim visits a page that contains such an XSS payload and moves his mouse,” the security firm says.

Because the method is used to sanitize order cancellation notes, an attacker could exploit the vulnerability to inject arbitrary JavaScript that executes when an employee reviews the cancelled order.
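The root cause described above is a sanitizer that escapes text and then formats already-escaped link fragments back into the string, so a stray double quote can break out of the attribute context. The following is an added Python illustration, not Magento's PHP code and not the escapeHtmlWithLinks() method itself: it shows an escaper for "text with auto-linked URLs" in which every attribute value passes through an attribute-context escaper and the surrounding text never reaches attribute context, plus a regression check a defender could run over rendered notes to confirm that no attribute other than href appears on the generated anchors. The sample notes are constructed.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample cancellation notes (not from the advisory): a benign
# one, and one carrying double quotes plus text that looks like an inline
# event handler and a style attribute.
SAMPLE_NOTES = [
    "Cancelled, see https://example.com/help for the refund policy",
    'Cancelled "x" https://example.com/x onmouseover=alert(1) style=position:absolute',
]

# URLs stop at whitespace, angle brackets and quotes, so a quote in the note
# can never become part of the href value.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def escape_attr(value: str) -> str:
    """Escape a value for use inside a double-quoted HTML attribute."""
    return html.escape(value, quote=True)


def escape_html_with_links(text: str) -> str:
    """Escape untrusted text for HTML body context and wrap each URL in an
    <a> element. The anchor is assembled from escaped parts only; nothing
    already escaped is re-formatted back into a template string."""
    out = []
    pos = 0
    for m in URL_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()], quote=True))
        url = m.group(0)
        out.append('<a href="%s">%s</a>' % (escape_attr(url), html.escape(url, quote=True)))
        pos = m.end()
    out.append(html.escape(text[pos:], quote=True))
    return "".join(out)


class _AnchorAttrCollector(HTMLParser):
    """Collects attribute names on <a> tags other than href."""

    def __init__(self):
        super().__init__()
        self.extra = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.extra.extend(name for name, _ in attrs if name != "href")


def injected_attributes(rendered: str) -> list:
    """Regression check: return any attribute names on <a> tags other than
    href. A correct escaper yields an empty list for every input."""
    collector = _AnchorAttrCollector()
    collector.feed(rendered)
    return collector.extra


if __name__ == "__main__":
    for note in SAMPLE_NOTES:
        rendered = escape_html_with_links(note)
        print(rendered)
        print("unexpected anchor attributes:", injected_attributes(rendered))
```

The check parses the rendered output with a real HTML parser rather than a regular expression, so an unquoted attribute smuggled after a broken quote would be reported as well. The same check can be pointed at stored notes already rendered by a production template to look for output that should never have passed.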

The payload could be used to hijack the employee's authenticated session, allowing the attacker to then exploit a Phar deserialization vulnerability in the controller responsible for rendering images in the WYSIWYG editor.

“By injecting a phar:// stream wrapper into an image file handler, an attacker can trigger a PHP object injection. He can then chain POP gadgets from the Magento core that in the end lead to Remote Code Execution,” RIPS Technologies explains.
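The second issue hinges on an image handler that passes an attacker-controlled path, including a phar:// stream wrapper, to file operations. As an added example that is not Magento's code (Magento is PHP; this is a language-agnostic Python illustration of the same check), the function below shows the input validation such a handler should perform before touching the filesystem: reject anything carrying a stream-wrapper scheme, resolve the request under a fixed media root and refuse traversal out of it, and accept only image extensions. The media root and sample requests are constructed.

```python
import os
from typing import Optional
from urllib.parse import urlsplit

# Constructed values for the example (not from the advisory).
MEDIA_ROOT = "/var/www/html/pub/media"
SAMPLE_REQUESTS = [
    "wysiwyg/banner.png",                  # ordinary request
    "phar:///tmp/upload/evil.jpg/x.png",   # stream wrapper: must be rejected
    "../../etc/passwd",                    # traversal out of the root
    "wysiwyg/../wysiwyg/ok.jpg",           # traversal that stays inside the root
]

ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}


def resolve_media_path(requested: str, root: str = MEDIA_ROOT) -> Optional[str]:
    """Return the absolute local path for a requested image, or None if the
    request is rejected. The checks are ordered so that wrapper schemes are
    refused before any path arithmetic happens."""
    # 1. Any URL scheme (phar, data, http, ...) means this is not a plain
    #    local filename. "://" is checked too in case urlsplit disagrees.
    if urlsplit(requested).scheme or "://" in requested:
        return None
    # 2. Join under the root and normalise; an absolute or traversing request
    #    ends up outside the root and is refused.
    candidate = os.path.normpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        return None
    # 3. Only image file types are served by this handler.
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXT:
        return None
    return candidate


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print("%-40s -> %s" % (req, resolve_media_path(req)))
```

Rejecting on scheme is deliberately conservative: a filename containing a colon before the first slash is treated as a URL and refused, which is the safe direction for a web-facing image handler. Step 2 uses the normalised path rather than a string prefix comparison, so a sibling directory whose name merely starts with the root name is not mistaken for the root.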
