The popular hacker Ebrahim Hegazy (Aka Zigoo) has discovered a Remote Code Execution Vulnerability that affects the widely adopted application Magento.
The experts was analyzing the Magento website whe he discovered the sub-domain http://lavender.dev.magento.com/ supposedly used as a development server. He decided to analyze it and discovered the Magento installation folder http://lavender.dev.magento.com/GitHub/setup/
Then the hackers tried to install the applications from the folder:
He noticed that the installation wizard allows users to name the admin login page without restriction, for example, it is possible to name it “admin” or “cpanel”.
Ebrahim used the URL http://lavender.dev.magento.com/GitHub/setup/#/add-database to configure a database for the Magento but he provided bogus database credentials in order to force an error as reported in the following image:
The experts noticed that the message associated to the exception includes the credentials he has submitted.
To recap, the attack scenario to trigger the RCE is:
Then the expert added php code “<?phpinfo();?>” in the username & password field, and renamed the admin panel to be “zigoo.php” and add bogus ip in the “Database Server Host” field as below:
“And Pingo! RCE triggered and the php code “<?phpinfo();?>” worked like a charm!”
How to mitigate the vulnerability?
To fix this flaw users need to remove the installation files/directory or at least rename it.
If you are interested about the vulnerability timeline give a look to the post published by Ebrahim Hegazy.
(Security Affairs – Magento, RCE vulnerability)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.