[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CADSYzstua=29+Yu3XNPcPn1r0GB20QUqVmEksGPuHmdTP1yv7Q@mail.gmail.com>
Date: Tue, 3 Nov 2015 15:05:13 -0200
From: Dawid Golunski <dawid@...alhackers.com>
To: fulldisclosure@...lists.org
Subject: Re: [FD] eBay Magento <= 1.9.2.1 XML eXternal Entity Injection
(XXE) on PHP FPM
Hi,
There are some news sites that confuse this Magento/Zend Framework
vulnerability with an old SOAP parser xxe vulnerability of CVE-2013-1643
in the PHP core which was fixed in PHP 5.4.13 in 2013.
The incorrect news may give false sense of security to users with
newer PHP versions when in fact, their Magento installation may be
affected.
I wanted to clarify that the Magento/Zend Framework vulnerability I reported
does not depend on this old PHP core vulnerability in soap parser and that
it can also be exploited on new versions of PHP.
The Magento/Zend Framework stems from a separate vulnerability found
in the Zend Framework which I described recently at:
http://legalhackers.com/advisories/zend-framework-XXE-vuln.txt
and which was assigned the CVE-ID of CVE-2015-5161 :
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5161
What affects the XXE vulnerability in Magento/Zend Framework however
is entity expansion performed by the libxml2 system library.
There are several libxml2 issues that allow entity auto-expansion
(more details in advisory).
I have updated my advisory to stress that the vulnerability does not rely on
PHP version and does not depend on the old soap parser bug in PHP core.
I also updated the POC exploit code to take advantage of newer libxml2 parameter
entity issues (e.g CVE-2014-0191), so that the exploit also works on
newer libxml2 versions, which can help to test newer systems.
More details can be found in the updated advisory under the same link:
http://legalhackers.com/advisories/eBay-Magento-XXE-Injection-Vulnerability.txt
The Magento/Zend Framework exploit provided was successfully tested on
a new PHP version of 5.6.14, released a month ago.
Regards,
Dawid Golunski
http://legalhackers.com
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists