Magento CSRF Vulnerability
Yesterday, Varien publicly acknowledged the existence of a serious vulnerability in Magento; the original blog post details the methodology for this exploit.
Varien has suggested merely changing the URL of the admin panel. However, as others have noted, this is "security through obscurity" rather than a real fix: it only makes the admin URL harder for an attacker to guess, and does nothing to stop a forged request that reaches it. For the moment, though, it is better than nothing.
Further to this, there is an unofficial patch on a French Magento forum (summarised below) for the XSS vulnerabilities relating to the admin panel.
This outlines 3 key XSS vulnerabilities:
- Login page vulnerability. Enter `"> <script>alert(123)</script>` into the username box, with any password, to demonstrate this.
- Vulnerability on the forgot password page. Enter `"> <script>alert(123)</script>` on the forgot username/password page.
- The most dangerous of the three XSS vulnerabilities found to date. Navigate here in your Magento store:
  yourmagentosite.com/download/?return=%22%3Cscript%3Ealert(123)%3C/script%3E
An alert box showing 123 may look innocuous, but alert(123) can be swapped for any JavaScript, which then runs in the browser of whoever opens the page, with that user's Magento session attached. The third example is the worst of the three because the payload travels in an ordinary-looking URL that can simply be sent to an administrator. What follows is a hypothetical example put forward on a French blog and translated here:
For example, a simple fake email (identity spoofing) allows the attacker to send a booby-trapped link containing harmful, purpose-built JavaScript, which controls the next action performed. The idea is simple: the mail contains a link that looks normal, but the link actually carries the XSS and therefore, for example, a JavaScript keylogger; then you log in ... and you are lost.
Writing a fake email is paragraph 1 of chapter 1 of the hacker's handbook. You can even do it by changing your name in Outlook; it is purely declarative ... I can send you a mail from neil.amstrong@lune.org in 10 seconds. So if a hacker pretends to be the boss of the company and asks, by email, the person in charge of the back office to log in (via the link in the mail) and check the sales, what do you think that person will do?
It is a very simple attack to carry out and a very dangerous one, and with it a script kiddie can take control of your back office.
Translation from Wikigento Post [FR].
First and foremost, move your admin panel by editing app/etc/local.xml:

```xml
<admin>
    <routers>
        <adminhtml>
            <args>
                <frontName><![CDATA[somethingelse]]></frontName>
            </args>
        </adminhtml>
    </routers>
</admin>
```

If you cannot find this XML tree in your local.xml (as I could not for one of my clients), nest the above inside the <config> tags (at the same level as <global>).
Delete your cache; the easiest way is to open var/cache/ and delete all of the folder's contents. Then use the new login URL and you should be done. This protects you from the main CSRF vulnerability uncovered by Artisan System mentioned above only insofar as an attacker must now know the new path to craft a forged request; it does not remove the vulnerability itself.
To protect against the 3 XSS vulnerabilities above, make the following changes:

downloader\Mage\Model\Session.php, line 58:

```php
if (!empty($_GET['return'])) {
    $this->set('return_url', htmlentities($_GET['return']));
}
```

app\design\adminhtml\default\_your_theme_name\template\login.phtml, line 54:

```php
value="<?php echo htmlentities($username) ?>"
```

app\design\adminhtml\default\_your_theme_name\template\forgotpassword.phtml, line 57:

```php
value="<?php echo htmlentities($email) ?>"
```

Two things to be aware of: htmlentities() with its default flags (ENT_COMPAT, the default until PHP 8.1) encodes double quotes but not single quotes, which is enough for these double-quoted attributes but makes passing ENT_QUOTES the safer habit; and the first change encodes the value when it is stored rather than when it is output, so anything else that reads return_url from the session now receives an HTML-encoded string.
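To see why the three payloads above defeat the original templates and why the htmlentities() change stops them, here is an added example in plain PHP that is neither Magento's code nor from the original post. It assumes the value is reflected into a double-quoted HTML attribute, as in the login and forgot-password templates; render_raw(), render_safe() and the $payloads array are constructed for this illustration.

```php
<?php
// Added example (not Magento code): shows why the three reflected-XSS
// payloads from the post break out of a double-quoted HTML attribute when
// the value is echoed raw, and how htmlentities() neutralises them.
// render_raw() mimics the original templates; render_safe() mimics the patch.

function render_raw($value)
{
    // Vulnerable: the user-controlled value is dropped straight into the attribute.
    return '<input type="text" name="login[username]" value="' . $value . '">';
}

function render_safe($value)
{
    // Patched: encode for an HTML attribute context. ENT_QUOTES also encodes
    // single quotes, which the post's htmlentities() call (default ENT_COMPAT
    // before PHP 8.1) leaves alone; harmless here, safer if a template ever
    // uses single-quoted attributes.
    return '<input type="text" name="login[username]" value="'
        . htmlentities($value, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed inputs: the username/email payload from the post and the
// URL-decoded form of the downloader ?return= payload.
$payloads = array(
    'login form'      => '"> <script>alert(123)</script>',
    'forgot password' => '"> <script>alert(123)</script>',
    'downloader'      => urldecode('%22%3Cscript%3Ealert(123)%3C/script%3E'),
);

foreach ($payloads as $where => $payload) {
    $raw  = render_raw($payload);
    $safe = render_safe($payload);
    // A <script> tag surviving into the markup means the payload escaped the attribute.
    printf("%-16s raw : %s  [%s]\n", $where, $raw,
        strpos($raw, '<script>') !== false ? 'XSS' : 'ok');
    printf("%-16s safe: %s  [%s]\n", $where, $safe,
        strpos($safe, '<script>') !== false ? 'XSS' : 'ok');
}
```

Run it with the PHP CLI: for each payload the raw rendering closes the value attribute with the leading `"` and `>` and leaves a live `<script>` element, while the safe rendering contains only `&quot;&lt;script&gt;...` inside the attribute, so the browser sees text, not markup.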
And you’re done! Another Magento disaster temporarily averted!
For the moment, any worried Magento administrators who would like this temporary solution applied to their store, are welcome to get in contact.
5 Responses to “Magento CSRF Vulnerability”
Comments
Trackbacks/Pingbacks
- Säkerhetshål i Magento skapar oro (Security hole in Magento causes concern) | Magsvento on February 27th, 2009
[...] there are already examples of how the security hole can be trivially exploited, independent developers have tried to plug the security hole on their own. Varien is said to be working on a fix but it is [...]
ryan on February 27th, 2009
Thanks!
david on February 28th, 2009
So, if I apply the fixes you post here then I can keep my back-end set to admin. I’ve been reading some of the posts on the magento forum and changing the back-end path seems like it could be a nightmare.
Thanks
Darryl Adie on February 28th, 2009
No, the post covers two separate issues that need to be dealt with separately. I would strongly recommend changing your admin path; the potential damage is great if you do not. The easiest way to do this is to change local.xml as outlined above, this should be very straightforward!
Chris ward on November 17th, 2009
thanks, very useful