Tag Archives: Admin

Magento CSRF Vulnerability

Yesterday, Varien publicly acknowledged the existence of a serious vulnerability in Magento; the original blog post detailed the methodology for the exploit.

Update: the above blog post has been taken down temporarily, and the methodology will not be repeated here, to protect Magento site owners. Needless to say, the main exploit allowed certain admin panel URLs to be accessed and executed without authentication, and all too simply.

Varien have suggested merely changing the URL of the admin panel; however, as others have noted, this solution is merely “security through obscurity” and not a real fix. For the moment, though, it is better than nothing.

Further to this, there is an unofficial patch on a French Magento forum (summarised below) for the XSS vulnerabilities relating to the admin panel.

This outlines 3 key XSS vulnerabilities:

  1. Login page vulnerability. Enter: "username": "> <script> alert (123) </script> into the username box and any password to demonstrate this
  2. Vulnerability on forgot password page. Enter: "> <script> alert (123) </script> on the forgot username/password page
  3. The most dangerous of the three XSS vulnerabilities found to date, navigate here in your Magento store: yourmagentosite.com/download/?return=%22%3Cscript%3Ealert (123)%3C/script%3E

Returning 123 may seem innocuous; however, it is the ability to replace ‘123’ with server-side calls that poses a threat to the security of your Magento store, particularly in the third example. What follows is a hypothetical scenario put forward on a French blog and translated here:

For example, a simple fake mail (identity theft) will allow the attacker to send a link bomb containing harmful, tailored JavaScript, which will control the next action to be performed. The idea is simple: the mail contains a link that looks normal, but the link actually contains the XSS and therefore JavaScript listening to the keyboard (for example), and then you log in … lost.

Writing a fake mail is paragraph 1 of chapter 1 of the pirate’s handbook. You can even do it by changing your name in Outlook; it is declarative … I can send you a mail from neil.amstrong @ lune.org in 10 seconds. So if a hacker pretends to be the boss of the company and asks the person in charge of the back office by email to log in (link in the mail) and check the sales, what do you think that person will do?

It is a very simple attack to carry out, and very dangerous: there, the script kiddie can take control of your back office.

Translation from Wikigento Post [FR].

First and foremost, move your admin panel by editing:

local.xml:

<admin>
    <routers>
        <adminhtml>
            <args>
                <frontName><![CDATA[somethingelse]]></frontName>
            </args>
        </adminhtml>
    </routers>
</admin>

If you cannot find this XML tree in your local.xml (as I could not for one of my clients), nest the above inside the <config> tags (at the same level as <global>).

Delete your cache; the easiest way is to open up var/cache/ and delete all the contents of the folder. Then use the new login URL and you should be done! This will protect you from the main CSRF vulnerability uncovered by Artisan System mentioned above.
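A small audit script to confirm the change took, added here as an example and not part of the original post or of Magento itself. It reads local.xml, walks the same node path as the snippet above, and reports whether the admin router is still on the default "admin" front name. The path app/etc/local.xml is an assumption; pass a different path as the first argument, or run it with no argument to see it exercised on two constructed sample files.

```php
<?php
// Added example, not code from the post or from Magento: audit local.xml to
// confirm the admin router has been moved off the default "admin" front name.
// The path app/etc/local.xml is assumed; pass another as the first argument.

function adminFrontName(string $localXml): ?string
{
    libxml_use_internal_errors(true);
    $xml = simplexml_load_string($localXml);
    libxml_clear_errors();
    if ($xml === false) {
        return null; // not well-formed XML
    }
    // Same node path as the snippet above: config/admin/routers/adminhtml/args/frontName
    $nodes = $xml->xpath('/config/admin/routers/adminhtml/args/frontName');
    if (!$nodes) {
        return null; // tree absent: Magento falls back to its built-in default
    }
    return trim((string) $nodes[0]);
}

function auditAdminFrontName(string $localXml): string
{
    $name = adminFrontName($localXml);
    if ($name === null || $name === '' || $name === 'admin') {
        return 'WARN: admin panel still answers at the default /admin/ path';
    }
    return "OK: admin front name is '$name'";
}

// Constructed sample configs (not real merchant files) showing both states.
const LOCAL_XML_DEFAULT = <<<XML
<?xml version="1.0"?>
<config>
    <global>
        <install><date><![CDATA[Sat, 01 Jan 2000 00:00:00 +0000]]></date></install>
    </global>
</config>
XML;

const LOCAL_XML_MOVED = <<<XML
<?xml version="1.0"?>
<config>
    <global/>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[somethingelse]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
XML;

$target = $argv[1] ?? null;
if ($target !== null) {
    $contents = file_get_contents($target);
    if ($contents === false) {
        fwrite(STDERR, "cannot read $target\n");
        exit(1);
    }
    echo auditAdminFrontName($contents), PHP_EOL;
} else {
    echo auditAdminFrontName(LOCAL_XML_DEFAULT), PHP_EOL;
    echo auditAdminFrontName(LOCAL_XML_MOVED), PHP_EOL;
}
```

The script only inspects the file on disk. Magento serves routes from its merged configuration cache, so the new front name is live only once var/cache/ has been emptied as described above; check the old URL in a browser after that, not before.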

To protect against the 3 XSS vulnerabilities above make the following changes:

downloader\Mage\Model\Session.php
Line 58

if (!empty($_GET['return'])) {
    $this->set('return_url', htmlentities($_GET['return']));
}

app\design\adminhtml\default\_your_theme_name\template\login.phtml
Line 54

value="<?php echo htmlentities($username) ?>"

app\design\adminhtml\default\_your_theme_name\template\forgotpassword.phtml
Line 57

value="<?php echo htmlentities($email) ?>"

And you’re done! Another Magento disaster temporarily averted!
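To see what the three one-line fixes actually change, here is an added example (not code from the post or from Magento) that renders the login form's username input both ways, feeds it the probe string the post uses, and parses the result the way a browser would. The element names and the function names are my own; the only thing taken from the post is the idea of wrapping the echoed value in htmlentities().

```php
<?php
// Added example, not code from the post or from Magento: the login-form value
// output before and after the htmlentities() fix, exercised with the probe
// string from the post, plus a DOM check showing why the fix works.

// Before the fix: the raw value is dropped into a double-quoted attribute.
function renderUsernameInputUnsafe(string $username): string
{
    return '<input type="text" name="login[username]" value="' . $username . '" />';
}

// After the fix. ENT_QUOTES also encodes single quotes, which matters if a
// template ever uses single-quoted attributes; the charset argument keeps
// multi-byte input from being mangled.
function renderUsernameInput(string $username): string
{
    $safe = htmlentities($username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="login[username]" value="' . $safe . '" />';
}

// Parse the rendered markup as a browser would and report what it contains:
// the element names created and the value the browser sees in the input.
function inspectMarkup(string $html): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $tags = [];
    foreach ($doc->getElementsByTagName('body')->item(0)->childNodes as $node) {
        if ($node instanceof DOMElement) {
            $tags[] = $node->tagName;
        }
    }
    $input = $doc->getElementsByTagName('input')->item(0);
    return [
        'tags'  => $tags,
        'value' => $input ? $input->getAttribute('value') : null,
    ];
}

// Constructed input: the probe string from the post, without the spaces.
const PROBE = '"><script>alert(123)</script>';

// Unsafe rendering: the leading quote closes the attribute and a script
// element is created next to the input.
$unsafe = inspectMarkup(renderUsernameInputUnsafe(PROBE));

// Safe rendering: only the input exists, and its value attribute decodes back
// to the original text, so the probe is displayed rather than executed.
$safe = inspectMarkup(renderUsernameInput(PROBE));

printf("unsafe: elements=%s\n", implode(',', $unsafe['tags']));
printf("safe:   elements=%s value=%s\n", implode(',', $safe['tags']), $safe['value']);
```

The same reasoning applies to the forgot-password template and to the downloader's return URL. One design point on the Session.php change: it encodes the value as it is stored in the session rather than where it is echoed, so anything that later reads return_url back must not encode it a second time or the link will render with literal entities. Encoding at the point of output is the convention that avoids that.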

For the moment, any worried Magento administrators who would like this temporary solution applied to their store, are welcome to get in contact.

Using Magento as a Checkout, Payment and Admin System

So, you want to use the Checkout, Payment and Admin facilities but not the catalog? Well here’s a quick and painless solution.

If you have a set list of products then build the product list in the Magento back office, a previous post covers creating Magento products dynamically.

Once you have the products, all that is required is to add the products to the cart. The simplest way to do this is to feed two variables into the cart, SKU and Quantity:

// Bootstrap Magento and the frontend session so the redirect lands in the
// customer's own cart.
include_once '../app/Mage.php';
Mage::app();

Mage::getSingleton('core/session', array('name' => 'frontend'));

// Validate the quantity. POST values are always strings, so is_int() would
// never be true here; accept only a positive whole number and default to 1.
$qty = 1;
if (isset($_POST['qty']) && ctype_digit((string) $_POST['qty']) && (int) $_POST['qty'] > 0) {
    $qty = (int) $_POST['qty'];
}

// Look the product up by SKU; getIdBySku() returns false for an unknown SKU.
$sku = isset($_POST['sku']) ? trim($_POST['sku']) : '';
$productid = Mage::getModel('catalog/product')->getIdBySku($sku);
if (!$productid) {
    header('HTTP/1.1 404 Not Found');
    exit('Unknown SKU');
}

// Hand off to Magento's own add-to-cart action and stop executing.
header('Location: /checkout/cart/add/product/' . (int) $productid . '/qty/' . $qty . '/');
exit;

Your customer has then bypassed the Magento catalog but still checks out using the Magento system, and the admin can still make use of the excellent back-office system.

Any comments or queries welcome.