As we all know, Magento is one of, if not the, most popular eCommerce platforms available to merchants setting up their eCommerce presence in today's ever-growing online market.
Over time we have seen many merchants using Magento come to us for an investigation because their online environment had been breached. 90% of the time this is due to merchants and their developers not taking the necessary steps to secure the eCommerce environment. However, the software provider can also be at fault by leaving what is often known as a "zero day" vulnerability in the product.
It has recently come to light that the Magento 2 branch of the eCommerce platform contains a "zero day" vulnerability, which means as many as 200,000 online retailers are susceptible to this form of attack. Magento has stated that the vulnerability does require access to the administration area of the Magento store to be exploited; however, far too often we see these administration areas left at their default location, open to the public and prone to brute force attacks (for tips on securing Magento, please see our blog: https://www.foregenix.com/blog/magento-security-tips-keep-your-online-business-secure).
Once the attacker has that access, all they need to do is upload their malicious content via the same mechanism used to add Vimeo video content to a product description. Because of poor validation on Magento's part, if the attacker supplies a URL that points to a PHP file, the application responds with an error because the URL does not point to a valid image. However, this error is only raised after the file has been downloaded for validation. When validation fails, the application does not remove the downloaded file from the environment but leaves it sitting there, ready for the attacker to use.
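The failure mode described above, as an added example that is not Magento's code and not from the original post: a routine that keeps a fetched file only when its leading bytes match a known image type and never leaves a rejected download in the media directory, plus a defensive scan for script files that have ended up under a media folder. The `fetch` callable, the signature allow-list and the content-hash file naming are assumptions made for the example.

```python
import hashlib
import os
import tempfile

# Leading bytes of the image formats we accept (constructed allow-list for the example).
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def detect_image_type(data: bytes):
    """Return the image type implied by the file's leading bytes, or None if not an image."""
    for signature, kind in IMAGE_SIGNATURES.items():
        if data.startswith(signature):
            return kind
    return None


def store_remote_image(fetch, url: str, media_dir: str) -> str:
    """Download `url` via `fetch` (a callable url -> bytes, injected so this runs offline)
    and keep it under `media_dir` only if the bytes are a real image. The extension comes
    from the detected type, never from the URL, and a rejected download is never kept."""
    data = fetch(url)
    kind = detect_image_type(data)
    if kind is None:
        # Reject before anything is written under the web root.
        raise ValueError(f"{url!r} does not point to a valid image")
    fd, tmp_path = tempfile.mkstemp(dir=media_dir, prefix=".partial-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        final_path = os.path.join(media_dir, hashlib.sha256(data).hexdigest()[:16] + "." + kind)
        os.replace(tmp_path, final_path)  # atomic move into place
        return final_path
    finally:
        if os.path.exists(tmp_path):  # only true if the move above did not happen
            os.remove(tmp_path)


def find_script_files(media_dir: str):
    """Defensive check: list files under media_dir with a .php/.phtml extension or a
    leading PHP open tag, i.e. content that should never live in a media folder."""
    suspicious = []
    for root, _dirs, files in os.walk(media_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                head = fh.read(64)
            if name.lower().endswith((".php", ".phtml")) or head.lstrip().startswith(b"<?php"):
                suspicious.append(path)
    return suspicious
```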
Magento sent an email on April 15th 2017 to let their customers know this issue will be addressed in the next release, which is targeted for early May 2017. In the meantime Magento recommends enforcing the use of "Add Secret Key to URLs" to help mitigate potential attacks. To turn on this feature:
- Log on to the Magento site admin URL (e.g. domain.com/admin)
- Click on Stores > Configuration > ADVANCED > Admin > Security > Add Secret Key to URLs
- Select YES from the dropdown options
- Click on Save Config
More information about this "zero day" vulnerability can be found here: https://threatpost.com/high-risk-zero-day-leaves-200000-magento-merchants-vulnerable/124965/