Message-ID: <55F2B69E.3030308@karmainsecurity.com>
Date: Fri, 11 Sep 2015 13:10:22 +0200
From: Egidio Romano <research@...mainsecurity.com>
To: bugtraq@...urityfocus.com, fulldisclosure@...lists.org
Subject: [FD] [KIS-2015-04] Magento <= 1.9.2 (catalogProductCreate)
 Autoloaded File Inclusion Vulnerability

-------------------------------------------------------------------------------
Magento <= 1.9.2 (catalogProductCreate) Autoloaded File Inclusion Vulnerability
-------------------------------------------------------------------------------


[-] Software Link:

http://magento.com/


[-] Affected Versions:

Version 1.9.2 and prior versions.


[-] Vulnerability Description:

The vulnerability is caused by the "catalogProductCreate" SOAP API implementation,
which is defined in the /app/code/core/Mage/Catalog/Model/Product/Api/V2.php script:

109.	public function create($type, $set, $sku, $productData, $store = null)
110.	{
111.	    if (!$type || !$set || !$sku) {
112.	        $this->_fault('data_invalid');
113.	    }
114.	
115.	    $this->_checkProductTypeExists($type);
116.	    $this->_checkProductAttributeSet($set);
117.	
118.	    /** @var $product Mage_Catalog_Model_Product */
119.	    $product = Mage::getModel('catalog/product');
120.	    $product->setStoreId($this->_getStoreId($store))
121.	        ->setAttributeSetId($set)
122.	        ->setTypeId($type)
123.	        ->setSku($sku);
124.	
125.	    if (!property_exists($productData, 'stock_data')) {
126.	        //Set default stock_data if not exist in product data
127.	        $_stockData = array('use_config_manage_stock' => 0);
128.	        $product->setStockData($_stockData);
129.	    }

User input passed through the "productData" SOAP parameter is not properly validated before being
used in a call to the "property_exists()" function at line 125. Because property_exists() also
accepts a class name as its first argument, a string supplied here is handed to the
Varien_Autoload::autoload() autoloading function, which attackers with valid API credentials can
exploit to include and execute arbitrary PHP code from either local or remote resources.
Successful exploitation of this vulnerability requires the application to be running on a PHP
version earlier than 5.4.24 or 5.5.8.
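As an added illustration (not Magento's code and not the SUPEE-6482 patch), the PHP below shows the two defensive checks that close this bug class: a type check before property_exists() so a string never reaches it, and an autoloader that rejects class names containing anything but letters, digits and underscores and confines the resolved path to the code root. The autoloader layout, the code-root path and the function names are assumptions.

```php
<?php
// Added example, not Magento's code: a simplified underscore-to-path autoloader
// in the style the advisory refers to, plus the two defensive checks that
// close this class of bug. Paths and function names are assumptions.
// Only accept class names made of letters, digits and underscores, so path
// separators, dots, NUL bytes and URL schemes never reach include().
function safeClassName(string $class): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_]+$/', $class);
}

// Hardened autoloader: validates the name, then confines the resolved file
// to the code-base root before including it.
function hardenedAutoload(string $class): bool
{
    if (!safeClassName($class)) {
        error_log('autoload: rejected suspicious class name');
        return false;
    }
    $root = realpath(__DIR__ . '/app/code');          // assumed code root
    if ($root === false) {
        return false;
    }
    $path = realpath($root . '/' . str_replace('_', '/', $class) . '.php');
    if ($path === false || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    include $path;
    return true;
}
spl_autoload_register('hardenedAutoload');

// Caller-side check for the catalogProductCreate pattern: property_exists()
// also accepts a class-name string as its first argument, so verify the SOAP
// parameter is really an object before consulting it.
function hasStockData($productData): bool
{
    if (!is_object($productData)) {
        throw new InvalidArgumentException('productData must be an object');
    }
    return property_exists($productData, 'stock_data');
}

// Constructed inputs: an object (intended use) and a plain string.
var_dump(hasStockData((object) ['stock_data' => ['qty' => 1]]));
try {
    hasStockData('Not_An_Object');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

With the type check in place the string case never reaches property_exists(), so the autoloader is not consulted at all; the autoloader hardening is defence in depth for every other code path that can take a class name from input.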


[-] Solution:

Update to version 1.9.2.1 or apply the SUPEE-6482 patch bundle.


[-] Disclosure Timeline:

[27/02/2015] - Vendor notified
[25/06/2015] - Vendor acknowledgement stating the issue will be fixed in the next release
[04/08/2015] - Version 1.9.2.1 released along with the patch for this vulnerability
[13/08/2015] - CVE number requested
[17/08/2015] - CVE number assigned
[11/09/2015] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2015-6497 to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano of Minded Security.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2015-04


[-] Other References:

http://blog.mindedsecurity.com/2015/09/autoloaded-file-inclusion-in-magento.html

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
