The vulnerability CVE-2016-4010 allows an unauthenticated attacker to execute PHP code at the vulnerable Magento server and fully compromise the shop.
The Israeli security expert Nethanel Rubin (@na7irub) has reported a critical flaw (CVE-2016-4010) in the eBay Magento e-commerce platform that could be exploited by hackers to completely compromise shops online.
The vulnerability rated 9.8/10 has been fixed with the Magento version 2.0.6 published yesterday. The fix prevents unauthenticated user or user with minimal permissions to access the platform installation code and execute arbitrary PHP code on the server.
“Magento no longer permits an unauthenticated user to remotely execute code on the server through APIs. Previously, an unauthenticated user could remotely execute PHP code on the server using either REST or SOAP APIs. (These APIs are enabled by default in most installations.)” states the company security advisory.
The independent researcher Nethanel Rubin confirmed that attackers can execute arbitrary PHP code in unpatched systems exploiting several smaller flaws.
“The vulnerability (CVE-2016-4010) allows an attacker to execute PHP code at the vulnerable Magento server unauthenticated. This vulnerability actually consists of many small vulnerabilities, as described further in the blog post.” reads a blog post published by Rubin .
“This vulnerability works on both the Community Edition and Enterprise Edition of the system.”
In his post, Rubin has detailed the attack chain explaining how the attacker can exploit the flaw in the Magento platform. The attack chain relies on REST or SOAP RPCs that are enable by default in the majority of installations.
“The “API” directory is made out of different PHP files, each containing one PHP class, responsible for exposing some of the module functionality to the rest of the system.” wrote Rubin. “Magento’s Web API is allowing two different RPCs – a REST RPC, and a SOAP API. Both RPCs provide the same functionality, the only difference between the two is that one is using JSON and the HTTP query string to transfer its input, while the other uses XML envelopes.
As both are enabled by default, I will use SOAP API in this document as I find it more understandable.”
Experts at Magento have spent a significant effort to release the fix in a short time, they had improved the code in a significant way.
Rubin defined the effort as a “huge step forward.”
If you are running a Magento online store you have to update it to the 2.0.6 patch asap.
(Security Affairs – Magento, CVE-2016-4010)
Source: Security Affairs @ May 18, 2016 at 04:43AM