Another Magento Remote Code Execution Vulnerability

Security researcher Ebrahim Hegazy (aka Zigoo) has published an interesting post detailing his discovery of a new Remote Code Execution vulnerability affecting the widely adopted e-commerce platform Magento.

While analyzing the Magento website, the researcher came across the sub-domain http://lavender.dev.magento.com/, apparently used as a development server. Looking further, he found the Magento installation (setup) folder exposed at http://lavender.dev.magento.com/GitHub/setup/

He then tried to run the installer from that folder:

Magento flaw 1

He noticed that the installation wizard lets the user choose the name of the admin login page without any restriction on the value; for example, it can be called “admin” or “cpanel”.

Ebrahim then used the URL http://lavender.dev.magento.com/GitHub/setup/#/add-database to configure the database for Magento, but deliberately supplied bogus database credentials in order to force an error, as shown in the following image:

Magento flaw 2

The researcher noticed that the exception message reflects the database credentials he submitted, unsanitized.

To recap, the attack scenario to trigger the RCE, as described in Hegazy's post, is:

  1. I will provide a bogus IP so the database will throw an error, and that error will be reflected in the “Admin” page I created.
  2. Because I can rename the admin panel to whatever, I will rename it to “zigoo.php”; now the error will be inserted into the “zigoo.php” page.
  3. Since the data I provided in the DB username and password inputs are reflected in the “.php” page, I will inject PHP code inside the username & password fields.

The researcher then entered the PHP code “<?phpinfo();?>” in the username and password fields, renamed the admin panel to “zigoo.php”, and put a bogus IP in the “Database Server Host” field, as shown below:

Magento flaw 3

“And Pingo! RCE triggered and the php code “<?phpinfo();?>” worked like a charm!”

Magento flaw 4
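The bug walked through above is two installer mistakes compounding: an unrestricted admin page name that lets the attacker pick a `.php` file name, and an error message that copies the submitted credentials, raw, into that file. The following PHP is an added example written for this article, not Magento's code and not Hegazy's; it reconstructs that shape in a toy installer step and shows a hardened form beside it. All names (`writeAdminPageVulnerable`, `writeAdminPageHardened`, `fakeDbError`, `ADMIN_PATH_RE`) and the simulated driver error are assumptions made here and do not reproduce Magento's real setup code.

```php
<?php
// Added example for this article, not code from Magento or from Hegazy's post:
// a toy installer step that writes an "admin page" file after a failed DB
// connection. Function and constant names are hypothetical.
declare(strict_types=1);

// Allow-list for the admin front name: letters, digits, underscore; no dots,
// no slashes, so the caller can neither pick the extension nor traverse.
const ADMIN_PATH_RE = '/^[a-z][a-z0-9_]{2,31}$/i';

// Simulates the driver error the real wizard reflected: note that it echoes
// the host, the user name and even the password back to the caller.
function fakeDbError(string $host, string $user, string $pass): string
{
    return sprintf('Could not connect to %s as %s with password %s', $host, $user, $pass);
}

// VULNERABLE: the shape of the bug described above.
//  1. $adminName is used verbatim as the file name, so "zigoo.php" yields a
//     file the web server hands to the PHP interpreter;
//  2. the raw error text, containing attacker-chosen user/password strings,
//     is interpolated into that file, so "<?php phpinfo(); ?>" becomes code.
function writeAdminPageVulnerable(string $docroot, string $adminName,
                                  string $host, string $user, string $pass): string
{
    $error = fakeDbError($host, $user, $pass);
    $file  = $docroot . '/' . $adminName;
    $html  = "<html><body><h1>Admin</h1><pre>$error</pre></body></html>\n";
    file_put_contents($file, $html);
    return $file;
}

// HARDENED: same feature, three fixes.
//  1. reject any admin name outside the allow-list (no ".php", no "../");
//  2. never write the credentials or the raw driver message into a served
//     file; log an opaque reference server-side instead;
//  3. fixed extension and HTML-escaped content, so the file is data, not code.
function writeAdminPageHardened(string $docroot, string $adminName,
                                string $host, string $user, string $pass): string
{
    if (!preg_match(ADMIN_PATH_RE, $adminName)) {
        throw new InvalidArgumentException('admin path must match ' . ADMIN_PATH_RE);
    }
    $ref = bin2hex(random_bytes(8));
    // Password deliberately omitted from the log line.
    error_log(sprintf('db connect failed ref=%s host=%s user=%s', $ref, $host, $user));

    $file = $docroot . '/' . $adminName . '.html';
    $msg  = htmlspecialchars("Database connection failed, reference $ref", ENT_QUOTES, 'UTF-8');
    file_put_contents($file, "<html><body><h1>Admin</h1><p>$msg</p></body></html>\n");
    return $file;
}

// Demo: the phpinfo() payload through both paths, in a throwaway directory.
$tmp = sys_get_temp_dir() . '/magento-demo-' . bin2hex(random_bytes(4));
mkdir($tmp);
$payload = '<?php phpinfo(); ?>';

$v = writeAdminPageVulnerable($tmp, 'zigoo.php', '0.0.0.0', $payload, $payload);
printf("vulnerable: wrote %s, contains PHP open tag: %s\n",
       basename($v), strpos(file_get_contents($v), '<?php') !== false ? 'yes' : 'no');

try {
    writeAdminPageHardened($tmp, 'zigoo.php', '0.0.0.0', $payload, $payload);
} catch (InvalidArgumentException $e) {
    echo "hardened: rejected admin name 'zigoo.php' (", $e->getMessage(), ")\n";
}
$h = writeAdminPageHardened($tmp, 'cpanel', '0.0.0.0', $payload, $payload);
printf("hardened: wrote %s, contains PHP open tag: %s\n",
       basename($h), strpos(file_get_contents($h), '<?php') !== false ? 'yes' : 'no');
```

Run it with `php` from the command line; it only writes under the system temp directory. Either fix on its own is enough to stop the code execution (an HTML-escaped message inside a `.php` file is inert, because the interpreter only opens on a literal `<?`, and a `.html` file is never interpreted), but reflecting a submitted password into any served page is a disclosure bug by itself, which is why the hardened version writes an opaque reference and keeps the details in the server log.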

How to mitigate the vulnerability?

To close this hole, administrators must remove the installation files/directory once setup is complete, or at least rename it so it is not reachable at a predictable path. Leaving the setup wizard reachable on a development host is what made this attack possible in the first place.
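A quick check for the leftover installer directories the mitigation refers to, as an added example for this article (not a script from the post or from Magento): it lists installer directories under a web root and, if asked, moves them to a quarantine directory outside the served tree instead of deleting them, so the move is reversible. The directory names it matches (`setup`, `install`, `downloader`) and the function names are assumptions; adjust them to the layout of the installation you are checking.

```sh
#!/bin/sh
# Added example for this article (not from the post or from Magento): find
# installer directories left under a web root and move them out of the served
# tree. The directory names matched (setup, install, downloader) are an
# assumption about common Magento installer paths, not an exhaustive list.

# find_installer_dirs DOCROOT
# Prints every directory under DOCROOT (up to three levels deep, which covers
# nested layouts such as GitHub/setup/) whose name matches the list above.
find_installer_dirs() {
    find "$1" -maxdepth 3 -type d \( -name setup -o -name install -o -name downloader \) 2>/dev/null
}

# quarantine_installer_dirs DOCROOT QUARANTINE
# Moves each match into QUARANTINE, which must be outside the web root, keeping
# the relative path in the new name (GitHub/setup -> GitHub_setup) so the move
# can be reversed when the wizard is genuinely needed again.
quarantine_installer_dirs() {
    docroot=${1%/}
    quarantine=$2
    mkdir -p "$quarantine"
    find_installer_dirs "$docroot" | while IFS= read -r dir; do
        rel=${dir#"$docroot"/}
        dest="$quarantine/$(printf '%s' "$rel" | tr '/' '_')"
        mv "$dir" "$dest"
        printf 'moved %s -> %s\n' "$dir" "$dest"
    done
}

# Usage: sh check_setup_dirs.sh DOCROOT [QUARANTINE_DIR]
# With one argument it only lists; with two it quarantines.
if [ "$#" -ge 2 ]; then
    quarantine_installer_dirs "$1" "$2"
elif [ "$#" -eq 1 ]; then
    find_installer_dirs "$1"
fi
```

This only inspects the filesystem. Since the issue in the article was discovered from the outside, pair it with an external request for `/setup/` (and any nested copies) against the live host to confirm nothing is still being served.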

If you are interested in the disclosure timeline, take a look at the post published by Ebrahim Hegazy.

Pierluigi Paganini

(Security Affairs – Magento, RCE vulnerability)