This year there have been two Local File Inclusion (LFI) vulnerabilities reported in the Magento Magmi plugin. The first was published on exploit-db.com by SECUPENT and affected web/ajax_pluginconfig.php. Last October, security vendor Trustwave also published a zero-day vulnerability. It had been discovered that Magmi version 0.7.21 at SourceForge includes a file called download_file.php that makes Magento installations vulnerable to LFI. Magmi is an open-source tool designed for importing content into Magento. Successful exploitation could result in a compromised database and credentials.
Whether you are vulnerable or not, attackers will always boldly try to attack your system. Last June, Pandora ThreatScout detected suspicious HTTP requests that attempted to exploit the vulnerability. Here is a sample of the directory traversal request that attempts to read the /proc/self/environ file.
An attempt to download /proc/self/environ is a phase of the LFI attack in which the attacker tries to obtain root-level access by using the last PID used. The attacker could then remotely download files.
This HTTP request is similar to the one published by SECUPENT, but instead it tries to access /etc/passwd.
The /etc/passwd file lists every registered user account on the system, so clearly this is also an attempt to gain leverage.
Last November, Pandora's ThreatScout detected another LFI exploit attempt, this time for the vulnerability discovered by Trustwave.
GET /…sanitized…/magmi-importer/web/download_file.php?file=../../app/etc/local.xml HTTP/1.1
In this HTTP request, the attacker is trying to download local.xml, the file Magento uses to store its database credentials and encryption key.
From what we have observed, both the attack SECUPENT discovered and the one Trustwave discovered use directory traversal in an attempt to gain leverage over the Magento database.
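As an added example (not code from this post or from the Magmi project), the following Python detector flags the traversal requests described above when run over web server access logs; the sample log lines are constructed, and the /magmi path prefix, the IP addresses, the timestamps and the query parameter name for ajax_pluginconfig.php are assumptions.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit
# Magmi endpoints named in the post; the traversal arrives in a query parameter.
MAGMI_ENDPOINTS = ("magmi-importer/web/download_file.php",
                   "magmi-importer/web/ajax_pluginconfig.php")
# Files the post describes the attackers reaching for.
SENSITIVE_TARGETS = ("app/etc/local.xml", "etc/passwd", "proc/self/environ")
# Combined-format access log line; the status code is kept for triage.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) '
                    r'(?P<target>\S+) \S+" (?P<status>\d{3})')
def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding so %252e%252e%252f is seen as ../."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return a finding for a traversal attempt against a Magmi endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not any(decode_fully(parts.path).endswith(ep) for ep in MAGMI_ENDPOINTS):
        return None
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for raw in values:
            value = decode_fully(raw).replace("\\", "/")
            # Traversal indicators: a '..' segment, an absolute path, or a NUL byte.
            if ".." in value.split("/") or value.startswith("/") or "\x00" in value:
                resolved = posixpath.normpath("/" + value).lstrip("/")
                hit = next((t for t in SENSITIVE_TARGETS if resolved.endswith(t)), None)
                return {"ip": m.group("ip"), "param": name, "resolved": resolved,
                        "sensitive": hit, "status": m.group("status")}
    return None

def scan(lines):
    """Run classify() over an iterable of log lines and keep only the findings."""
    return [f for f in (classify(line) for line in lines) if f]
# Constructed sample log: the /magmi prefix, IPs, timestamps and the ajax_pluginconfig.php parameter name are assumptions.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Nov/2015:10:00:01 +0000] "GET /magmi/magmi-importer/web/download_file.php?file=../../app/etc/local.xml HTTP/1.1" 200 1831',
    '203.0.113.7 - - [12/Nov/2015:10:00:03 +0000] "GET /magmi/magmi-importer/web/ajax_pluginconfig.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 942',
    '198.51.100.9 - - [12/Nov/2015:10:00:05 +0000] "GET /magmi/magmi-importer/web/download_file.php?file=%252e%252e%252fproc%252fself%252fenviron HTTP/1.1" 404 0',
    '198.51.100.9 - - [12/Nov/2015:10:00:07 +0000] "GET /magmi/magmi-importer/web/download_file.php?file=export.csv HTTP/1.1" 200 5120',
    '192.0.2.4 - - [12/Nov/2015:10:00:09 +0000] "GET /index.php/customer/account/login/ HTTP/1.1" 200 9001',
]
```

A 200 status on a flagged request means the traversal likely succeeded and the local.xml credentials and encryption key should be treated as exposed; a 404 still records an active probe against the endpoint.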
If you obtained your Magento Magmi plugin from SourceForge in the past few months, it is highly recommended that you update it to the latest version. The Magmi version at SourceForge was updated on November 6 to version 0.7.22.
To defend your websites from this kind of attack and prevent further data exposure, regular updates of your system are needed. Moreover, to keep it protected from future attacks and new vulnerabilities, WebRanger provides effective, proactive web application security that keeps your websites protected 24/7.
Sign up now to get your website secured!