Tenable published a research advisory for two vulnerabilities impacting the Magento Mass Import (MAGMI) plugin. The flaws were discovered by Enguerran Gillier of the Tenable Web Application Security Team.
MAGMI is a Magento database client written in PHP, which allows to perform raw bulk operations on the models of an online store.
In May, the FBI publicly issued a flash alert to warn of attacks in the wild exploiting a cross-site scripting vulnerability in MAGMI Magento plugin, tracked as CVE-2017-7391, to target vulnerable Magento sites.
Tenable researchers investigated the issues and discovered that the developers of the plugin have yet to address a cross-site request forgery (CSRF) vulnerability present in the Magmi plugin. The developers only addressed one of the vulnerabilities recently.
An attacker can exploit the vulnerability to execute arbitrary code on servers running a website using the Magmi Magento plugin, he could trigger the flaw by tricking authenticated administrators into clicking a malicious link.
“CVE-2020-5776 is a cross-site request forgery (CSRF) vulnerability in MAGMI for Magento. This flaw exists because the GET and POST endpoints for MAGMI don’t implement CSRF protection, such as random CSRF tokens. An attacker could exploit this vulnerability to perform a CSRF attack by tricking a Magento Administrator into clicking on a link while they are authenticated to MAGMI.” reads the advisory published by Tenable. “The attacker could hijack the administrator’s sessions, allowing them to execute arbitrary code on the server where MAGMI is hosted.”
Tenable released a proof-of-concept code for the vulnerability on its official GitHub repository.
The Magmi Magento plugin is also affected by an authentication bypass that could be exploited by attackers to use default credentials when the connection to the Magento database fails.
This second flaw, tracked as CVE-2020-5777, can be exploited by forcing a denial-of-service (DoS) condition to the Magento database connection.
“CVE-2020-5777 is an authentication bypass vulnerability in MAGMI for Magento version 0.7.23 and below due to the presence of a fallback mechanism using default credentials.” continues the advisory. “MAGMI uses HTTP Basic authentication and checks the username and password against the Magento database’s admin_user table. If the connection to the Magento database fails, MAGMI will accept default credentials, which are magmi:magmi. As a consequence, an attacker could force the database connection to fail due to a database denial of service (DB- DoS) attack, then authenticate to MAGMI using the default credentials.”
Experts were able to trigger a DoS condition when the maximum number of MySQL connections was larger than the maximum number of concurrent HTTP connections accepted by the server.
“By sending a large number of concurrent connection requests that exceed the MySQL connections limit, but not the maximum Apache HTTP connection limit, attackers could temporarily block access to the Magento database and simultaneously make an authenticated request to MAGMI using the default credentials” – Enguerran Gillier
Experts released a PoC exploit code for this vulnerability, too.
Tenable reported the flaws to the Magmi development team on June 3, they acknowledged the issues on July 6 and released a new version of the plugin on August 30. Unfortunately, the new release only addressed the authentication bypass flaw.
(SecurityAffairs – hacking, Magento plugin)