Foregenix's recent blog post takes a different approach to reporting known vulnerabilities and exploits. This article summarises one of them, a vulnerability dubbed ‘Froghopper’, which allows an attacker to upload malicious code to the web server and breach the eCommerce environment through the Magento administration area.

“But”, I hear you ask, “Don’t you need to log into the administration panel first?”. Yes, yes you do!

In many of the forensic cases that Foregenix investigates, we see time and time again that a merchant’s website has some form of login page exposed to the public; whether it be the Magento admin login, the Magento downloader or one of the three RSS feeds, all of which present an administration login prompt. This gives an attacker everything they need to start working their way into the Magento administration area. The blog post contains some very interesting points on both the reconnaissance and the attack methodologies (such as dictionary attacks against the login) that attackers commonly use, first to identify a Magento environment and then to breach it.

Once the attacker is inside the administration area, they simply need to enable the Magento developer option “Allow Symlinks” for templates (found within System -> Configuration -> Developer, under Template Settings) before uploading their malicious file. Several functions in the administration panel accept file uploads, but in several of the attacks the Foregenix forensic analysts have investigated, the attackers uploaded the file as an image attached to a Magento product category. With the malicious “image” now sitting on the web server, the attacker simply creates a newsletter. Magento allows the administrator to include blocks of template output in a newsletter using a directive similar to the following:

{{block type="core/template" template="path to the desired template"}}

By pointing the template attribute at the previously uploaded image file, the attacker gets the system to run their code. Under normal circumstances Magento rejects a template path that resolves outside the theme directory, but because the attacker enabled the “Allow Symlinks” option beforehand, that check is skipped and the path is accepted. Rendering the newsletter (for example in the preview page) loads the template, and with it every block it references, including the malicious file. Because the file is included and executed by the PHP interpreter rather than handled as an image, its file extension is irrelevant: the raw PHP code inside it runs and, in many of the cases seen in the past, writes a new file containing a web shell to the server.
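The three things a responder or store owner would check for this technique are whether the “Allow Symlinks” option has been switched on, whether any uploaded “images” actually contain PHP, and whether a newsletter template carries a {{block}} directive whose template path escapes the theme directory. The Python script below is an added example (not Foregenix's or Magento's code) that implements those checks over constructed sample data; the config path dev/template/allow_symlink, the file names and the sample rows, files and newsletter are all assumptions.

```python
"""Forensic triage for the Froghopper technique.

Added example, not Foregenix's or Magento's code. It checks three artefacts a
responder can pull from a Magento 1 store:
  1. core_config_data: is dev/template/allow_symlink set to 1?
  2. files under media/: do "images" carry PHP open tags or a wrong header?
  3. newsletter templates: do {{block ...}} directives point outside the theme?
The config path, file names and sample data are assumptions/constructed input.
"""
import os
import re

# Config path behind System -> Configuration -> Developer -> "Allow Symlinks"
# (assumed to be dev/template/allow_symlink in core_config_data).
ALLOW_SYMLINK_PATH = "dev/template/allow_symlink"

# Magic bytes a genuine image of each extension must start with.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}

PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
BLOCK_DIRECTIVE = re.compile(r"\{\{\s*block\b([^}]*)\}\}", re.IGNORECASE)
ATTRIBUTE = re.compile(r"""(\w+)\s*=\s*(['"])(.*?)\2""")


def allow_symlink_enabled(config_rows):
    """config_rows: (scope, scope_id, path, value) tuples from core_config_data."""
    return any(path == ALLOW_SYMLINK_PATH and str(value).strip() == "1"
               for _scope, _scope_id, path, value in config_rows)


def scan_media_file(name, data):
    """Findings for one uploaded file that claims, by extension, to be an image."""
    findings = []
    ext = os.path.splitext(name)[1].lower()
    magic = IMAGE_MAGIC.get(ext)
    if magic is not None and not data.startswith(magic):
        findings.append("extension %s but file lacks the matching image header" % ext)
    if PHP_OPEN_TAG.search(data):
        findings.append("contains a PHP open tag")
    return findings


def suspicious_block_directives(template_text):
    """(template path, reasons) for every {{block}} whose template= looks wrong."""
    hits = []
    for match in BLOCK_DIRECTIVE.finditer(template_text):
        attrs = {k.lower(): v for k, _quote, v in ATTRIBUTE.findall(match.group(1))}
        tpl = attrs.get("template", "")
        reasons = []
        if "../" in tpl or "..\\" in tpl:
            reasons.append("path traversal")
        if tpl.startswith("/") or re.match(r"^[A-Za-z]:\\", tpl):
            reasons.append("absolute path")
        if not tpl.lower().endswith(".phtml"):
            reasons.append("template is not a .phtml file")
        if reasons:
            hits.append((tpl, reasons))
    return hits


# --- constructed sample input (not real case data) -------------------------
SAMPLE_CONFIG = [
    ("default", 0, "web/unsecure/base_url", "http://shop.example/"),
    ("default", 0, ALLOW_SYMLINK_PATH, "1"),
]
GENUINE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
FAKE_PNG = b"<?php /* attacker code would go here */ ?>"
POLYGLOT_JPG = b"\xff\xd8\xff\xe0" + b"\x00" * 12 + b"<?php /* payload */ ?>"
NEWSLETTER = """<p>Hello {{var subscriber.getName()}}</p>
{{block type="core/template" template="newsletter/footer.phtml"}}
{{block type='core/template' template='../../../../../media/catalog/category/promo.png'}}
"""


def triage():
    """Run all three checks over the sample data; returns a dict of results."""
    return {
        "allow_symlink": allow_symlink_enabled(SAMPLE_CONFIG),
        "media": {
            "genuine.png": scan_media_file("genuine.png", GENUINE_PNG),
            "promo.png": scan_media_file("promo.png", FAKE_PNG),
            "photo.jpg": scan_media_file("photo.jpg", POLYGLOT_JPG),
        },
        "newsletter": suspicious_block_directives(NEWSLETTER),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

Note that the polyglot JPEG passes the header check and is caught only by the PHP-tag scan: a valid image header says nothing about what PHP will do with the file once it is included, so both checks are needed. On a real store the rows would come from a dump of core_config_data, the files from the media directory, and the templates from the newsletter_template table.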

The “Froghopper” vulnerability was reported to Magento by Foregenix following the principles of responsible disclosure. A patch was released in May 2017 as part of the SUPEE-9767 update to address this issue, and therefore Foregenix can now report it. It affects all versions of Magento Community Edition prior to version 1.9.3.3, and Magento Enterprise Edition prior to version 1.14.3.3. If you are running a Magento store without this patch, we would strongly advise applying it sooner rather than later. Bear in mind that patching does not remove anything an attacker has already planted: if the store was exposed before the patch went on, review the developer settings, the uploaded media files and the newsletter templates as well.

For a more in-depth review on this vulnerability and exploit, please refer to our blog.