Ebay Inc coordinated patch of 3 Magento Vulnerabilities (IVE, XSS & CSRF)

During the last week, the vulnerability researcher Hadji Samir discovered 3 vulnerabilities that have been patched by the eBay Inc. security team in cooperation with Magento.

The first vulnerability was located in the `filename` value of the image upload module. The attacker needs to create a `New Message` with an upload and change the filename to a malicious payload. The attack vector is located on the application side (persistent), and the request method used to inject the script code is POST.

A PoC video was recorded in our environment by core team researcher Hadji Samir. In the video, Hadji demonstrates how to exploit the application-side filename validation vulnerability in connection with an upload POST request.

Ebay Inc Magento - Persistent Upload Filename Vulnerability (Bug Bounty 2015)

Video: http://www.vulnerability-lab.com/get_content.php?id=1458
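As an added illustration (not Magento's or eBay's code), the filename handling described above in Python: the vulnerable pattern that interpolates a stored upload filename straight into markup, beside a hardened version that sanitizes on input and escapes on output, plus a small check for triaging filenames seen in upload logs. All function names and the sample filenames are constructed for this example.

```python
import html
import re
import unicodedata
from urllib.parse import quote

# Constructed sample filenames as a client might supply them in an upload request
SAMPLE_FILENAMES = [
    "invoice.pdf",
    "<img src=x onerror=alert(1)>.png",   # markup smuggled into the filename field
    "../../etc/passwd",                   # path traversal attempt
    "résumé final.docx",                  # legitimate non-ASCII name
]

_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]+")
_SUSPICIOUS = re.compile(r"[<>\"'`/\\\x00]|\.\.")


def sanitize_filename(name: str, max_len: int = 100) -> str:
    """Reduce a client-supplied filename to a conservative charset before storing it."""
    # Keep only the last path component; the client must not choose a directory
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    # Fold accented letters to ASCII so the whitelist below does not erase them entirely
    name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    name = _UNSAFE_CHARS.sub("_", name).strip("._")
    # Never store an empty, hidden (dot-prefixed) or over-long name
    return (name or "upload")[:max_len]


def is_suspicious_filename(name: str) -> bool:
    """Detection helper: flag filenames carrying markup, quotes or traversal sequences."""
    return _SUSPICIOUS.search(name) is not None


def render_attachment_unsafe(name: str) -> str:
    """The vulnerable pattern: the stored filename is interpolated into HTML verbatim."""
    return f'<a href="/download/{name}">{name}</a>'


def render_attachment(name: str) -> str:
    """Hardened pattern: sanitize on input, then escape for each output context."""
    safe = sanitize_filename(name)
    return f'<a href="/download/{quote(safe)}">{html.escape(safe)}</a>'


def triage(filenames):
    """Return the filenames a reviewer should look at, e.g. from upload logs."""
    return [n for n in filenames if is_suspicious_filename(n)]


if __name__ == "__main__":
    for n in SAMPLE_FILENAMES:
        print(f"{n!r:40} -> {sanitize_filename(n)!r} suspicious={is_suspicious_filename(n)}")
```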

The second vulnerability was located in the `create messages` input of the `magento-connect/message/message/create/` module. Remote attackers with low-privilege user accounts are able to delete internal Magento messages of other users without authorization. The attacker can, for example, intercept the session to delete all existing messages. This type of issue was disclosed to the phpBB board some years ago.

Ebay Magento Bug Bounty Program 2015 - Cross Site Request Forgery Vulnerability

The third security issue reported by Hadji Samir was located in the `general_front` values of the `/css/theme.less.php` front-end template file. Remote attackers are able to inject their own script code into client-side application requests. The attack vector is non-persistent, and the request method used to inject/execute is GET. The vulnerable source is located in the Magento premium theme and the stable release.