Unpatched PHP Flaw in E-Commerce Platform Leaves 200,000 Sites Vulnerable

- April 14, 2017

Magento, which tops the list of available e-commerce platforms, has a cross-site request forgery (CSRF) vulnerability that allows attackers to execute PHP code and even backdoor retailer sites.

Researchers from the security firm DefenseCode publicly disclosed the cross-site request forgery vulnerability in the platform yesterday, stating that exploiting it could allow attackers to steal passwords and even customer payment information from sensitive databases.

Magento is a popular platform that serves more than 200,000 retailers and e-commerce sites by giving them a flexible shopping cart system and even marketing, SEO and cataloguing tools.

The reported flaw lies within Magento’s video plugin, which grabs Vimeo content. When it receives a POST request, the application will automatically pull a preview image. The researchers at DefenseCode say the POST request can be changed to a GET request and pointed at an invalid image URL, such as a PHP file. The application will then throw an “invalid” error, but still download the file.

It is worth noting that attackers would need prior access to the Magento user panel in order to carry out this attack, but any level of access would do; attackers do not need full administrator privileges.

The researchers say that the vulnerability can be mitigated by enabling the “Add Secret Key to URLs” option, which randomizes the image URL and prevents the CSRF exploit. They suggest that all merchants using Magento enable that option until the company issues a patch.
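As an added illustration (example code written for this article, not Magento’s own), the PHP handler below shows the checks a defensive version of such a preview-image fetch endpoint performs: the POST-only and secret-token checks correspond to what the “Add Secret Key to URLs” option enforces, and the content check addresses the download-anything behaviour described above. The function name, the `form_key` field, the allowed host and the `$fetch` callback are assumptions.

```php
<?php
// Hardened "fetch remote preview image" handler (example for this article,
// not Magento code). Weak pattern it replaces: any method accepted, any URL
// fetched and stored under the name the URL supplied.
declare(strict_types=1);

const ALLOWED_IMAGE_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
const PREVIEW_HOST = 'i.vimeocdn.com'; // assumed allowlisted thumbnail host

/**
 * $method  request method ('GET' or 'POST')
 * $params  request parameters, expected to carry 'video_url' and 'form_key'
 * $session server-side session holding the per-session secret 'form_key'
 * $fetch   callable(string $url): array{status:int, body:string}
 * Returns ['ok' => bool, 'reason' => string, 'file' => ?string].
 */
function handlePreviewRequest(string $method, array $params, array $session, callable $fetch): array
{
    // 1. State-changing work only over POST: a plain link or <img> tag cannot trigger it.
    if ($method !== 'POST') {
        return ['ok' => false, 'reason' => 'method_not_allowed', 'file' => null];
    }
    // 2. Anti-CSRF secret: the request must echo the key issued to this session.
    $token = (string)($params['form_key'] ?? '');
    if ($token === '' || !hash_equals((string)($session['form_key'] ?? ''), $token)) {
        return ['ok' => false, 'reason' => 'bad_csrf_token', 'file' => null];
    }
    // 3. Only https URLs, and only to the one host this feature exists for.
    $parts = parse_url((string)($params['video_url'] ?? ''));
    if (($parts['scheme'] ?? '') !== 'https' || ($parts['host'] ?? '') !== PREVIEW_HOST) {
        return ['ok' => false, 'reason' => 'url_not_allowed', 'file' => null];
    }
    // 4. Fetch, then judge the payload by its bytes, never by the URL's extension.
    $resp = $fetch($params['video_url']);
    $mime = (string)(new finfo(FILEINFO_MIME_TYPE))->buffer($resp['body']);
    if ($resp['status'] !== 200 || !array_key_exists($mime, ALLOWED_IMAGE_TYPES)) {
        return ['ok' => false, 'reason' => 'not_an_image', 'file' => null];
    }
    // 5. Server-chosen random filename with an image extension; nothing of the URL survives.
    $file = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    return ['ok' => true, 'reason' => 'stored', 'file' => $file];
}

// Constructed demo: a fake fetcher hands back PHP source where an image was expected.
$fakeFetch = fn(string $url): array => ['status' => 200, 'body' => "<?php echo 1;"];
$session   = ['form_key' => 'c0ffee']; // constructed session secret
$badUrl    = 'https://' . PREVIEW_HOST . '/x.php';
echo handlePreviewRequest('GET',  ['video_url' => $badUrl], $session, $fakeFetch)['reason'], "\n";
echo handlePreviewRequest('POST', ['video_url' => $badUrl, 'form_key' => 'c0ffee'], $session, $fakeFetch)['reason'], "\n";
```

The first call is refused before any network access because it is not a POST; the second carries a valid token but is refused because the fetched bytes are not an image.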