Magento Vulnerability - Unauthenticated RCE and Account Takeover


In short: a flaw in Magento's REST API lets attackers who have no account upload arbitrary files to the server.

Quick Summary

A critical vulnerability in Magento's REST API allows unauthenticated uploads, leading to remote code execution. All versions up to 2.4.9-alpha2 are affected. Store owners must act quickly to secure their systems.

The Flaw

Sansec has identified a critical vulnerability in Magento's REST API, dubbed PolyShell. This flaw allows unauthenticated attackers to upload arbitrary files, including malicious executables, to the server. The vulnerability arises from how Magento processes file uploads associated with product options. When a product option is set to type 'file', Magento accepts a base64-encoded file, and that file can be disguised as an image. The upload check can therefore be passed by content that is not really an image, giving an attacker a path to executing harmful code on the server remotely.

The flaw affects all versions of Magento Open Source and Adobe Commerce up to 2.4.9-alpha2. Although there is currently no evidence of exploitation in the wild, the potential for misuse is significant. If exploited, attackers could achieve remote code execution (RCE) or perform account takeovers through stored cross-site scripting (XSS).

What's at Risk

The unrestricted file upload vulnerability poses a severe risk to e-commerce storefronts using Magento. If attackers successfully upload a malicious file, they can execute arbitrary code on the server. This could lead to data breaches, loss of customer trust, and significant financial repercussions. The situation is exacerbated by the fact that many Magento installations operate with custom server configurations, which may not implement the recommended security measures.

The Dutch security firm Sansec has pointed out that while Adobe has addressed the issue in the pre-release branch, current production versions remain vulnerable without an isolated patch. This leaves a large number of stores exposed to potential attacks.

Patch Status

Adobe has acknowledged the vulnerability and implemented a fix in the 2.4.9 pre-release branch as part of APSB25-94. However, this fix has not been shipped for the current production versions, leaving many users at risk. Sansec adds that even where the fix is applied, its effectiveness depends heavily on the server's configuration.

To mitigate risks, it is crucial for store owners to restrict access to the upload directory, which is located at pub/media/custom_options/. Additionally, ensuring that web server rules (for both nginx and Apache) prevent unauthorized access to this directory is essential.

Immediate Actions

E-commerce businesses should take immediate steps to protect themselves from this vulnerability. Here are some recommended actions:

  • Restrict access to the upload directory to prevent unauthorized file uploads.
  • Verify server configurations to ensure that they block access to the directory.
  • Conduct thorough scans of the stores for web shells, backdoors, and other malware.

It is important to note that blocking web access to the directory stops uploaded files from being served or executed, but it does not stop the upload itself. A specialized Web Application Firewall (WAF) is therefore highly recommended as an additional layer of defence against this class of vulnerability. Taking these precautions can significantly reduce the risk of exploitation and protect sensitive customer data.
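The two checks a store owner is told to run above, verifying that the web server denies access to the upload directory and scanning it for web shells, can be scripted. The following POSIX shell script is an added example written for this page; it is not from the article, Sansec, Adobe or Magento. It assumes nothing about a real installation: the directory name custom_options is taken from the article, and every file, path and nginx snippet it inspects is constructed inside the script itself. The nginx check is a coarse text match, not a full config parser, and the file scan only looks at script extensions and a PHP open tag in the first 512 bytes, which is the pattern of a file "disguised as an image" that the article describes.

```shell
#!/bin/sh
# Added example, not from the article or from Magento: two small audit helpers
# for the PolyShell mitigations. All paths and sample files are constructed.
set -eu

# List suspicious files under an upload directory, one line each. A file is
# flagged if it carries a server-side script extension, or if it has some other
# extension (e.g. an image) but begins with a PHP open tag. Prints nothing when
# the directory is clean.
scan_upload_dir() {
    find "$1" -type f | while IFS= read -r f; do
        case "$f" in
            *.php|*.phtml|*.phar|*.php[0-9])
                echo "script extension: $f"
                continue ;;
        esac
        # Only the first 512 bytes are inspected; a real image never starts
        # with "<?php" or "<?=".
        if head -c 512 "$f" | grep -qE '<\?(php|=)'; then
            echo "php tag in non-script file: $f"
        fi
    done
}

# Return 0 if an nginx config file has a location block that mentions
# custom_options and contains "deny all" before its closing brace, 1 otherwise.
# Coarse textual check: it does not understand nested blocks or includes.
nginx_denies_custom_options() {
    awk '
        /location .*custom_options/ { inblock = 1 }
        inblock && /deny +all/      { found = 1 }
        /}/                         { inblock = 0 }
        END { exit !found }
    ' "$1"
}

# Build a constructed fixture: an upload directory holding one clean image,
# one image-named file that starts with a PHP tag, one .php file, and two
# nginx snippets (one denying the directory, one not). Echoes the root path.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/custom_options"
    printf 'GIF89a\001\000\001\000'   > "$root/custom_options/clean.gif"
    printf '<?php echo "marker"; ?>'  > "$root/custom_options/disguised.jpg"
    printf 'plain text'               > "$root/custom_options/dropped.php"
    cat > "$root/deny.conf" <<'EOF'
location ~ ^/media/(customer|downloadable|import|custom_options)/ {
    deny all;
}
EOF
    cat > "$root/open.conf" <<'EOF'
location /media/ {
    try_files $uri $uri/ /get.php$is_args$args;
}
EOF
    echo "$root"
}

# Demonstration run on the constructed fixture.
fixture=$(make_fixture)
echo "== suspicious files =="
scan_upload_dir "$fixture/custom_options"
echo "== config checks =="
if nginx_denies_custom_options "$fixture/deny.conf"; then
    echo "deny.conf: custom_options denied"
fi
if ! nginx_denies_custom_options "$fixture/open.conf"; then
    echo "open.conf: custom_options NOT denied"
fi
rm -rf "$fixture"
```

On a real store you would point scan_upload_dir at pub/media/custom_options/ and nginx_denies_custom_options at the server block actually loaded by nginx; the Apache equivalent is a per-directory rule that denies all requests to the same path. Treat any hit from the scan as an incident trigger, not as proof of compromise by itself, and remember that neither check prevents a new upload, which is why the article recommends a WAF in front of the store.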

🔒 Pro insight: The PolyShell flaw highlights the need for robust file upload controls in e-commerce platforms to prevent RCE and account takeovers.

Original article from The Hacker News.
