Vulnerabilities - PolyShell Flaw Exposes Magento to Attacks
In short, the flaw lets attackers upload harmful files to online stores without any authentication.
A critical flaw in Magento and Adobe Commerce allows unauthorized file uploads, risking XSS attacks. Many online stores are affected, highlighting the urgent need for security measures. Immediate action is essential to protect sensitive data and maintain operational integrity.
The Flaw
Sansec has uncovered a critical vulnerability in the Magento and Adobe Commerce REST API, dubbed PolyShell. This flaw permits unauthenticated file uploads, which can lead to serious security risks, including cross-site scripting (XSS) attacks. The issue affects versions of Magento up to 2.4.9-alpha2 and has existed since the initial release of Magento 2. The vulnerability allows attackers to upload executable files without any authentication, making it a significant threat to online stores.
The name PolyShell refers to the use of a polyglot, a file that passes as an image while also carrying executable code. The vulnerability arises from how Magento's REST API processes file uploads supplied through cart item options. The API accepts base64-encoded data in these options and writes the decoded content to a directory on the server, and it is this write that attackers abuse. Notably, the GraphQL API is unaffected, as it uses a different, secure code path.
What's at Risk
The implications of this vulnerability are severe. Many online stores, especially those running custom configurations, are at risk of remote code execution (RCE) or account takeover through stored XSS. The flaw allows malicious files to remain on disk, posing a risk even if execution is initially blocked. As a result, many Magento-powered e-commerce sites could be compromised if the vulnerability is not addressed promptly.
Adobe has acknowledged the issue and has fixed it in the pre-release version 2.4.9 but has not provided a standalone patch for current production versions. This leaves many stores vulnerable, as they may not have the latest updates applied. The lack of an immediate fix means that organizations must take proactive measures to mitigate the risk.
Patch Status
Currently, there is no isolated patch available for the vulnerable production versions of Magento. Adobe has provided guidelines to reduce risk, including server configuration suggestions. However, many stores operate under custom setups that may leave upload directories exposed. As a result, organizations should consider implementing a Web Application Firewall (WAF) to block potential attacks in real time and should restrict access to upload directories through proper server configuration.
It is crucial to note that merely blocking web access to the upload directory does not stop malicious files from being written there; it only limits what can happen once they are on disk. Active protection is essential to safeguard against this vulnerability. Sansec has reported that while no active exploitation has been observed yet, the exploit is circulating, and automated attacks are likely to emerge soon.
Immediate Actions
Given the urgency of this situation, organizations using Magento or Adobe Commerce should take immediate action. Here are some recommended steps:
- Implement a WAF to monitor and block suspicious activity.
- Restrict access to upload directories through server configurations.
- Regularly scan systems for signs of compromise.
- Stay updated on Adobe’s communications regarding patches and fixes.
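As an added defensive example (not code from Sansec, Adobe or the Magento project), the following Python scanner supports the "scan for signs of compromise" step above: it walks an upload directory and flags files whose leading bytes pass as an image but whose body carries script markers, the polyglot pattern PolyShell relies on, along with files stored under extensions a web server may execute or render. The directory path, the image signatures and the marker list are assumptions chosen for illustration, not values taken from the advisory.

```python
import re
from pathlib import Path

# Magic-byte prefixes of image formats an upload handler is likely to accept.
IMAGE_MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8", "jpeg": b"\xff\xd8\xff"}

# Script markers that a genuine image body never needs to contain (assumed list).
SCRIPT_MARKERS = [re.compile(p, re.I) for p in
                  (rb"<\?php", rb"<\?=", rb"<script\b", rb"\bon(load|error)\s*=")]

# Extensions a web server may execute or render as markup if it serves them.
ACTIVE_EXTENSIONS = {".php", ".phtml", ".phar", ".html", ".htm", ".svg", ".js"}


def image_type(data: bytes):
    """Return the image format implied by the leading magic bytes, or None."""
    for name, magic in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def classify(data: bytes, filename: str) -> str:
    """Classify one stored upload by content and extension.
    polyglot: valid image header but script markers in the body
    active-ext: stored under an extension a server may execute or render
    not-image: no recognised image header
    clean: recognised image header and no script markers
    """
    kind = image_type(data)
    has_script = any(m.search(data) for m in SCRIPT_MARKERS)
    if kind is not None and has_script:
        return "polyglot"
    if Path(filename).suffix.lower() in ACTIVE_EXTENSIONS:
        return "active-ext"
    if kind is None:
        return "not-image"
    return "clean"


def scan_upload_dir(root: str) -> list[tuple[str, str]]:
    """Walk an upload directory (path is an assumption) and report non-clean files."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            verdict = classify(path.read_bytes(), path.name)
            if verdict != "clean":
                findings.append((str(path), verdict))
    return findings
```

Run `scan_upload_dir` against the directory the REST API writes cart option uploads to on your deployment; every "polyglot" or "active-ext" verdict is worth a closer look regardless of whether the web server currently refuses to execute it.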
Magento-powered e-stores are prime targets for hackers, as evidenced by a recent campaign that defaced over 7,500 Magento sites. This highlights the importance of addressing vulnerabilities like PolyShell swiftly to protect sensitive data and maintain the integrity of online businesses.
Security Affairs