Q
Manage Learn to apply best practices and optimize your operations.

How does a Magento Community Edition flaw allow remote attacks?

As the Magento Community Edition suffers a new zero-day vulnerability, expert Nick Lewis explains how it's being exploited and how to mitigate the cross-site request forgery flaw.

DefenseCode researchers found a zero-day remote code execution vulnerability in a version of the open source Magento...

Community Edition ecommerce platform, placing up to 200,000 online retailers at risk. The vulnerability enables cross-site request forgery (CSRF) for image requests. How can an attacker exploit this vulnerability, and what mitigation steps do you recommend? Has the flaw been patched yet?

Nick Lewis: Open source software like the Magento Community Edition ecommerce platform can have significant benefits, starting with the ability to have many eyes looking at code so most bugs can be shallow, but assuming it or any software is secure is a recipe for a security incident. If you are processing sensitive data for e-commerce transactions using credit cards, this could lead to a data breach. Many bugs are only found as a result of software reviews or pen-tests performed by consulting companies, which notify their clients of potential security issues in their software or their operational environments. These consulting companies may then also report their findings to software vendors to remediate, release an advisory to insure that others using the software are aware of the issue -- and also to highlight their own information security expertise. 

In April 2017, DefenseCode, the application security testing software company based in Dublin, released a security advisory for a serious remote code execution vulnerability in open source Magento Community Edition ecommerce platform; a patch was published in May 2017. The security advisory explained that the software had a remote code execution vulnerability in the video upload functionality. If a malicious URL was used for a video, the file would be uploaded to a predictable location on the web server and allow the file to be executed on the web server. This could be triggered via a cross-site request forgery when an admin user is logged in and clicks on a malicious link.

At the least, mitigation steps include applying the Magento Community Edition patch and hardening the web server so that uploaded files can't be executed; also important is to be sure the web server is running as a restricted user (not as root). Magento has security best practices that users should review to ensure they have implemented them in their environment. Enterprises may want to use code review tools like static or dynamic code analysis along with pen-testing to identify vulnerabilities in high value assets.

Next Steps

Find out whether an open source architecture is a security benefit or threat

Read about Operation Rosehub, Google's grass roots open source patching program

Learn about security issues in open source development frameworks

This was last published in September 2017

Dig Deeper on Web server threats and application attacks

PRO+

Content

Find more PRO+ content and other member only offers, here.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Join the conversation

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

How do you make sure open source software in your organization is patched and secure?
Cancel

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly.com

Close