Vulnerabilities in Magento 1.2
Tuesday, 24 February 2009 12:47

There appear to be several security issues in the newest Magento versions (version 1.2). Values entered by a user in various forms are not checked thoroughly, which causes vulnerabilities. In principle these vulnerabilities do not affect Magento directly, but they open up possibilities to attack other websites (or perhaps other parts of Magento) from within a Magento web page. It is for instance possible to add a piece of JavaScript to the login form of the Magento Admin Panel, which is executed after the form is submitted. This JavaScript code can be constructed in such a way that it performs a whole attack against other sites. Such an attack is commonly called a Cross Site Scripting attack (XSS for short).

Attack from the login form

The login form asks the user for a username and a password. These values can also be filled in when loading the page, by adding the variables login[username] and login[password] to the URL: http://MAGENTO/index.php/admin/?login[username]=admin A hacker might manipulate this URL by replacing the login[username] value with a piece of JavaScript. If some user could be tempted to click on the fabricated URL, that user would execute the JavaScript and start off an attack, while the hacker waits safely on the sideline.

Besides the problems with the login form, there are also issues with the Forgotten Password form and with the page of the Magento Connect Manager. The last one also gives strange results because the variable "return" (perhaps manipulated by the hacker) is stored directly in the user's session. A JavaScript attack will thus be performed on every refresh of the browser, until the browser is restarted.

Better checks are needed

The solution to these problems is generic to all PHP web applications. The values that a user enters in a form should be filtered correctly by the responsible Magento module (htmlspecialchars()) before being shown again in the browser. Because a username should never contain HTML code, the PHP function strip_tags() might also be of use.

Details

These vulnerabilities were reported on February 24th 2009 by Loukas Kalenderidis, a security expert working for the Australian company Sense of Security. The errors appear to be present already in version 1.2.0.1, and the newest Magento version 1.2.1.1, which appeared on the same day as this post, did not fix the problems either. Strangely enough the Magento Release Notes of version 1.2.1 (the beginning of February) reported that some security issues within the login form were fixed. Apparently the issues above were not yet known at that time. For the safety of all, the actual attack code has not been included in this article.

EDIT: This issue is fixed in Magento 1.2.1.2.
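The following is an added illustration of the check described under "Better checks are needed"; it is not Magento's own code. It assumes a minimal login form that pre-fills the username from the query string (as the admin login page does with login[username]), and the function names are hypothetical.

```php
<?php
// Added example, not Magento's own code: a minimal admin login form that
// pre-fills the username from the request, the way the Magento admin login
// page does with login[username]. Shows the defect class and the fix.

// Vulnerable: the raw request value is written straight into an HTML attribute,
// so a value containing a quote can close the attribute and inject markup.
function render_login_vulnerable(array $request): string
{
    $username = $request['login']['username'] ?? '';
    return '<input type="text" name="login[username]" value="' . $username . '">';
}

// Fix: a username never legitimately contains HTML, so strip_tags() may be
// applied first, but the essential step is htmlspecialchars() with ENT_QUOTES
// at output time, so quotes and angle brackets cannot end the attribute.
function sanitize_username(string $raw): string
{
    return htmlspecialchars(strip_tags($raw), ENT_QUOTES, 'UTF-8');
}

function render_login_fixed(array $request): string
{
    $username = sanitize_username((string) ($request['login']['username'] ?? ''));
    return '<input type="text" name="login[username]" value="' . $username . '">';
}

// The same rule applies to values read back from the session (such as the
// Connect Manager's "return" variable): escape on every output, not on input,
// because the stored value is re-rendered on each page load until the session ends.
function render_return_field(array $session): string
{
    $return = htmlspecialchars((string) ($session['return'] ?? ''), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="return" value="' . $return . '">';
}

// Constructed sample input: a login[username] value that closes the attribute
// and carries a harmless tag, enough to show the difference between the two renderers.
$sample = ['login' => ['username' => 'admin"><b>injected</b>']];

echo render_login_vulnerable($sample), PHP_EOL;
echo render_login_fixed($sample), PHP_EOL;
echo render_return_field(['return' => $sample['login']['username']]), PHP_EOL;
```

In the fixed output the quote and angle bracket appear as entities inside the attribute value, so the browser treats the whole string as text; strip_tags() alone would not be enough, since the stray quote still closes the attribute.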