websecurity@lists.webappsec.org

The Web Security Mailing List


DefenseCode Security Advisory: Magento Commerce CSRF, Stored Cross Site Scripting #2

DefenseCode
Thu, Oct 5, 2017 9:44 AM

             DefenseCode Security Advisory
    Magento Commerce CSRF, Stored Cross Site Scripting

Advisory ID: DC-2017-09-002
Advisory Title: Magento CSRF, Stored Cross Site Scripting
Advisory URL:
http://www.defensecode.com/advisories/DC-2017-09-002_Magento_CSRF_Stored_Cross_Site_Scripting.pdf

Software: Magento Commerce, CE
Software Language: PHP
Version: Magento CE 1 prior to 1.9.3.6, Magento Commerce prior to
1.14.3.6, Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Vendor Status: Vendor contacted / Fixed
Release Date: 2017-10-04
Risk: Medium

  1. General Overview
    ===================
    During a security audit of Magento Community Edition / Open Source and
    Magento Commerce, Cross-Site Request Forgery and Stored Cross-Site
    Scripting vulnerabilities were discovered that could lead to
    administrator account takeover, putting the website's customers and
    their payment information at risk.

  2. Software Overview
    ====================
    Magento is an ecommerce platform built on open source technology which
    provides online merchants with a flexible shopping cart system, as well
    as control over the look, content and functionality of their online store.
    Magento offers powerful marketing, search engine optimization, and
    catalog-management tools. It is a leading enterprise-class eCommerce
    platform, empowering over 200,000 online retailers.

Homepage:
http://www.magento.com

  3. Vulnerability Description
    ============================
    There is a Cross-Site Request Forgery vulnerability in Newsletter
    Templates: when the POST request that saves changes to an existing
    template or adds a new one (/newsletter/template/save/) is changed to a
    GET request, the save is still processed. Once the request method is
    switched, the absence of the form_key parameter, which serves as the
    CSRF token, is ignored entirely.

Because Newsletter templates accept HTML code, malicious JavaScript can be
saved as a template and rendered by previewing it on
/newsletter/template/preview/id/1/
An attacker can chain the CSRF attack with a redirect of an administrator to
the preview page. The malicious code may lead to admin session hijacking
(although the admin SID cookie is set to HttpOnly, there are a number of
ways to retrieve the admin SID on Magento that do not require cookies). A
prerequisite for this attack is that the "Add Secret Keys to URLs" option is
disabled.

A proof-of-concept CSRF + Stored Cross-Site Scripting attack can be seen here:
http://www.defensecode.com/advisories/DC-2017-09-002_Magento_CSRF_Stored_Cross_Site_Scripting.pdf
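The root cause described above is a CSRF check that is skipped whenever the request is not a POST. The following Python model is an added example (not code from the advisory or from Magento itself): it contrasts that flawed logic with a hardened check that binds state-changing routes to POST and always requires the form_key, and adds a small access-log scan a defender can use to spot method-switched hits on the save route. The `Request` class, route set and log lines are constructed for the example.

```python
import hmac
import re

# Minimal stand-in for a Magento admin request (constructed for this example).
class Request:
    def __init__(self, method, path, params):
        self.method, self.path, self.params = method, path, params

# Admin routes that change state and must never be reachable via GET.
STATE_CHANGING = {"/newsletter/template/save/"}

def weak_form_key_check(req, session_form_key):
    """Models the flaw in the advisory: form_key is only validated for POST,
    so the same request sent as GET skips the CSRF check entirely."""
    if req.method != "POST":
        return True
    return req.params.get("form_key") == session_form_key

def hardened_form_key_check(req, session_form_key):
    """State-changing routes accept POST only, and form_key is required and
    compared in constant time regardless of the request method."""
    if req.path in STATE_CHANGING and req.method != "POST":
        return False
    supplied = req.params.get("form_key", "")
    if not supplied or not session_form_key:
        return False
    return hmac.compare_digest(supplied, session_form_key)

# Detection side: flag non-POST hits on the save route in access logs.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

# Constructed sample access log lines, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Oct/2017:10:00:01 +0000] "POST /admin/newsletter/template/save/ HTTP/1.1" 302 0
10.0.0.9 - - [04/Oct/2017:10:00:07 +0000] "GET /admin/newsletter/template/save/?code=evil HTTP/1.1" 302 0
10.0.0.9 - - [04/Oct/2017:10:00:08 +0000] "GET /admin/newsletter/template/preview/id/1/ HTTP/1.1" 200 1432
"""

def flag_method_switched_saves(log_text):
    """Return log lines where the template save route was hit without POST."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m is None:
            continue
        path = m.group("path").split("?", 1)[0]
        if m.group("method") != "POST" and path.endswith("/newsletter/template/save/"):
            hits.append(line)
    return hits
```

The weak check accepts a forged GET without any form_key, while the hardened check rejects it; the log scan surfaces the same method switch after the fact.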

  4. Solution
    ===========
    The vendor fixed the reported security issues and released a new version
    in September 2017. All users are strongly advised to update to the latest
    available version.
    https://magento.com/security/patches/magento-2016-and-219-security-update

  5. Credits
    ==========
    Discovered by Bosko Stankovic (bosko@defensecode.com)

 
6. Disclosure Timeline

05/05/2017    Vendor contacted
09/14/2017    Issue fixed, patch released
10/04/2017    Advisory released to the public

  7. About DefenseCode
    ====================
    DefenseCode L.L.C. delivers products and services designed to analyze
    and test web, desktop and mobile applications for security
    vulnerabilities.

DefenseCode ThunderScan is a SAST (Static Application Security
Testing, WhiteBox Testing) solution for performing extensive security
audits of application source code. ThunderScan SAST performs fast and
accurate analyses of large and complex source code projects, delivering
precise results and a low false-positive rate.

DefenseCode WebScanner is a DAST (Dynamic Application Security
Testing, BlackBox Testing) solution for comprehensive security audits
of active web applications. WebScanner will test a website's security
by carrying out a large number of attacks using the most advanced
techniques, just as a real attacker would.

Subscribe for a free software trial on our website:
http://www.defensecode.com/