Multiple Vulnerabilities in Magento eCommerce Platform Could Allow Remote Code Execution

ITS Advisory Number: 
2016-018
Date(s) Issued: 
Wednesday, January 27, 2016
Subject: 
Multiple Vulnerabilities in Magento eCommerce Platform Could Allow Remote Code Execution
Overview: 

Multiple vulnerabilities have been discovered in the Magento eCommerce platform that could allow remote code execution. Magento Commerce is a company that provides eCommerce solutions that allow merchants to conduct business transactions over the Internet. Successful exploitation of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Systems Affected: 
  • Magento Community Edition (CE) prior to 1.9.2.3
  • Magento Enterprise Edition (EE) prior to 1.14.2.3
  • Magento 2 CE & EE prior to 2.0.1
RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
N/A
Description: 

Multiple vulnerabilities have been discovered in the Magento eCommerce platform that could allow remote code execution. Successful exploitation of these vulnerabilities could grant the attacker administrative access over the eCommerce platform and lead to remote code execution. Details of these vulnerabilities are as follows:

  • Multiple stored cross-site scripting vulnerabilities exist that could allow hijacking of the administrator account and lead to remote code execution. (APPSEC-1213, APPSEC-1214, APPSEC-1239, APPSEC-1260, APPSEC-1267, APPSEC-1263, and APPSEC-1276)
  • A reflected cross-site scripting vulnerability exists that could allow attackers to run phishing or spam campaigns. (APPSEC-1255)
  • Multiple cross-site request forgery vulnerabilities exist that could lead users or administrators to unintentionally delete items from shopping carts or execute server-side actions. (APPSEC-1179, APPSEC-1206, and APPSEC-1212)
  • A CAPTCHA bypass vulnerability exists that could allow brute-force password guessing and/or increase the risk of spam. (APPSEC-1283)
  • Multiple information leakage vulnerabilities exist that could allow leakage of sensitive customer data. (APPSEC-1171, APPSEC-1247, and APPSEC-1270)
  • A vulnerability exists that allows any user to edit or delete product reviews. (APPSEC-1268)
  • An SQL injection vulnerability exists that could allow an attacker to download sensitive parts of the Magento database. (APPSEC-1294)

Successful exploitation of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Actions: 
  • Apply appropriate updates provided by Magento Commerce to vulnerable systems, immediately after appropriate testing.
  • Review log files to determine if the identified vulnerabilities were exploited, and remediate per your security policy and procedures.
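Both actions above, checking whether an installation falls under the Systems Affected list and reviewing logs for exploitation attempts, have to be turned into a concrete check by an operator. The following Python triage helper is an added example, not part of the advisory and not Magento's own code. The fixed-version thresholds are the ones the advisory lists; everything else is an assumption for illustration: Combined Log Format access logs, the Magento URL paths used in the samples, the detection patterns for the cross-site scripting, SQL injection and repeated-login (CAPTCHA bypass) classes, and the constructed sample log lines.

```python
"""Triage helper for the advisory above (added example, not Magento code).

1. is_affected(): compares an installed version against the fixed versions
   listed under "Systems Affected" (1.9.2.3 CE, 1.14.2.3 EE, 2.0.1 for Magento 2).
2. scan_log(): scans Combined Log Format access-log lines for request patterns
   matching the listed vulnerability classes: script payloads (XSS), SQL
   injection strings, and bursts of login POSTs from one address, which is the
   kind of activity a CAPTCHA bypass would enable.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Fixed versions taken verbatim from the advisory's "Systems Affected" list.
FIXED_VERSIONS = {
    "CE1": (1, 9, 2, 3),    # Magento Community Edition 1.x
    "EE1": (1, 14, 2, 3),   # Magento Enterprise Edition 1.x
    "M2": (2, 0, 1),        # Magento 2 CE & EE
}


def parse_version(text):
    """'1.9.2.2' -> (1, 9, 2, 2); tolerates suffixes such as '-patch1'."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def is_affected(edition, version):
    """True when the installed version is strictly below the fixed version."""
    fixed = FIXED_VERSIONS[edition]
    installed = parse_version(version)
    width = max(len(fixed), len(installed))
    # Pad with zeros so '2.0' compares like '2.0.0' against (2, 0, 1).
    installed += (0,) * (width - len(installed))
    fixed += (0,) * (width - len(fixed))
    return installed < fixed


# Combined Log Format (Apache/nginx default); an assumption about the log source.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Coarse indicator patterns; tune to local traffic, expect false positives.
XSS_RE = re.compile(r"<\s*script|javascript:|on(error|load)\s*=", re.I)
SQLI_RE = re.compile(
    r"union\s+(all\s+)?select|information_schema|sleep\s*\(|'\s*or\s+\d+\s*=\s*\d+",
    re.I,
)
# Assumed Magento 1 customer login endpoint.
LOGIN_PATH_RE = re.compile(r"/customer/account/loginPost", re.I)


def decode(path):
    """Decode twice so single- and double-URL-encoded payloads both surface."""
    return unquote_plus(unquote_plus(path))


def classify(path):
    """Return the list of indicator tags that match a request path."""
    decoded = decode(path)
    tags = []
    if XSS_RE.search(decoded):
        tags.append("xss")
    if SQLI_RE.search(decoded):
        tags.append("sqli")
    return tags


def scan_log(text, login_threshold=5):
    """Flag suspicious requests and addresses hammering the login endpoint."""
    flagged = []
    login_posts = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        tags = classify(m["path"])
        if tags:
            flagged.append((m["ip"], m["path"], tags))
        if m["method"] == "POST" and LOGIN_PATH_RE.search(m["path"]):
            login_posts[m["ip"]] += 1
    bursts = {ip: n for ip, n in login_posts.items() if n >= login_threshold}
    return {"flagged": flagged, "login_bursts": bursts}


# Constructed sample log lines (documentation IP ranges, fictitious requests).
_BASE_LINES = [
    '203.0.113.5 - - [27/Jan/2016:10:01:02 +0000] "GET /catalog/product/view/id/12 HTTP/1.1" 200 5123',
    '203.0.113.9 - - [27/Jan/2016:10:02:15 +0000] "GET /catalogsearch/result/?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 2210',
    '203.0.113.9 - - [27/Jan/2016:10:03:40 +0000] "GET /catalog/product/view/id/1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 311',
]
_LOGIN_LINE = '198.51.100.7 - - [27/Jan/2016:10:05:0{0} +0000] "POST /customer/account/loginPost/ HTTP/1.1" 302 0'
SAMPLE_LOG = "\n".join(_BASE_LINES + [_LOGIN_LINE.format(i) for i in range(6)])

if __name__ == "__main__":
    for edition, version in (("CE1", "1.9.2.2"), ("CE1", "1.9.2.3"), ("M2", "2.0.0")):
        print(edition, version, "affected" if is_affected(edition, version) else "patched")
    result = scan_log(SAMPLE_LOG)
    for ip, path, tags in result["flagged"]:
        print("FLAG", ip, tags, path)
    for ip, count in result["login_bursts"].items():
        print("LOGIN BURST", ip, count, "POSTs to login endpoint")
```

A hit from `scan_log` is a lead to investigate, not proof of compromise: the patterns are deliberately coarse, and a Magento deployment behind a CDN or reverse proxy will show the proxy address in the `ip` field unless the log format is adjusted to record the forwarded client address.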