PolyShell Vulnerability - Unauthenticated RCE in Magento Stores
Basically, a new flaw lets hackers run code on Magento stores without permission.
A new vulnerability called 'PolyShell' threatens Magento e-stores by allowing unauthorized remote code execution. This flaw affects all versions of Magento Open Source and Adobe Commerce. Immediate action is required to secure these platforms from potential attacks.
The Flaw
The newly discovered vulnerability, known as PolyShell, affects all installations of Magento Open Source and Adobe Commerce stable version 2. This flaw allows unauthenticated remote code execution (RCE), meaning attackers can execute commands on the server without needing to log in. The issue stems from how Magento's REST API handles file uploads, particularly when a product option type is set to 'file'. When this occurs, Magento processes an embedded file_info object that includes base64-encoded file data, MIME type, and filename. The problematic file is then written to the server's pub/media/custom_options/ directory.
Sansec, an eCommerce security firm, has raised alarms about this vulnerability, noting that while there are currently no signs of active exploitation, the method for exploiting this flaw is already circulating. They predict that automated attacks could commence soon, putting many Magento stores at risk.
What's at Risk
The PolyShell vulnerability can lead to serious consequences, including account takeover and stored cross-site scripting (XSS) attacks. Sansec's investigation revealed that a significant number of Magento and Adobe Commerce stores expose files in the upload directory, making them vulnerable to exploitation. The flaw is particularly concerning because it can be triggered by simply uploading a specially crafted file that acts as both an image and a script.
Magento stores that do not implement proper security measures could face severe data breaches, potentially compromising sensitive customer information and leading to significant financial losses.
Patch Status
Adobe has acknowledged the issue and released a fix, but it is currently only available in the second alpha release for version 2.4.9. This means that many production versions remain vulnerable, leaving store administrators in a precarious position. Until a stable patch is released for all versions, the risk of exploitation remains high.
Sansec has pointed out that Adobe provides a sample web server configuration that could help mitigate the fallout from this vulnerability. However, many stores rely on configurations provided by their hosting providers, which may not include these protective measures.
Immediate Actions
Store administrators are urged to take immediate steps to protect their Magento installations. Here are some recommended actions:
- Restrict access to the pub/media/custom_options/ directory to prevent unauthorized file uploads.
- Verify server configurations (nginx or Apache) to ensure they block access to vulnerable directories.
- Scan for uploaded shells, backdoors, or malware that may already be present on the server.
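The scan step above, as an added example that is not part of the original article and not Magento's or Sansec's own tooling: a POSIX shell scanner that lists files under the upload directory that carry a PHP open tag (reporting image/script polyglots by their image signature), a script extension, or an inline script element. The default path is the directory named in the article; the function names and detection rules are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original article or from Magento/Sansec.
# Lists files under a custom_options upload directory that look like
# uploaded scripts or image/script polyglots. Default path is the
# directory named in the article; pass another as the first argument.

# Prints the image type of a file from its first bytes (gif/png/jpeg), else "".
image_kind() {
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        474946*)  echo gif ;;
        89504e47) echo png ;;
        ffd8ff*)  echo jpeg ;;
        *)        echo "" ;;
    esac
}

# Prints one line per suspicious file: "<path><TAB><reason>".
scan_custom_options() {
    dir="${1:-pub/media/custom_options}"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    find "$dir" -type f | while IFS= read -r f; do
        kind=$(image_kind "$f")
        # A PHP open tag inside a customer upload is never legitimate.
        if grep -q -a -e '<?php' -e '<?=' "$f"; then
            if [ -n "$kind" ]; then
                printf '%s\tphp-tag-in-%s-image (polyglot)\n' "$f" "$kind"
            else
                printf '%s\tphp-tag\n' "$f"
            fi
            continue
        fi
        # Executable extensions, then script content in SVG/HTML (stored XSS risk).
        case "$f" in
            *.php|*.phtml|*.phar) printf '%s\tscript-extension\n' "$f"; continue ;;
        esac
        if grep -q -a -i '<script' "$f"; then
            printf '%s\tscript-element\n' "$f"
        fi
    done
}

# Convenience: number of flagged files in a directory.
count_suspicious() {
    scan_custom_options "$1" | wc -l | tr -d ' '
}
```

Run it as `sh scan.sh` from the Magento root, or pass the absolute upload path; every reported file should be reviewed and the web server configuration checked so nothing in that directory is served or executed.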
As the situation evolves, it’s crucial for Magento store owners to stay vigilant and implement these protective measures until a comprehensive patch is available.
BleepingComputer