Magento Plugin Magmi Vulnerable To Hijacking Admin Sessions
A cross-site request forgery (CSRF) vulnerability continues to be present in the Magmi plugin for Magento online stores, despite developers receiving a report from researchers that discovered it.
Hackers can use the flaw to execute arbitrary code on servers running Magmi (Magento Mass Importer) by tricking authenticated administrators into clicking a malicious link.
The plugin works as a Magento database client that can add a large number of products (millions, according to its wiki page) to a catalog or update it.
Dev fixes one of two
Enguerran Gillier of the Tenable Web Application Security Team analyzed Magmi earlier this year and found two security vulnerabilities that could allow remote code execution. Only one of them received a fix two days ago, though.
The issue currently affecting all Magmi versions is tracked as CVE-2020-5776. It stems from the lack of random CSRF tokens that would protect the plugin's state-changing requests against forgery.
At the time of writing, a severity rating is not available for CVE-2020-5776, but Tenable has released proof-of-concept code on the company's public GitHub page that demonstrates this vulnerability, along with instructions on how it works.
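The missing control behind CVE-2020-5776 is a per-session, unpredictable token that a cross-site page cannot read. The following Python sketch, added here as an illustration and not code from Magmi or Tenable, shows the synchronizer-token pattern: the server mints a random token when the session starts, embeds it in its own forms, and refuses any state-changing request whose form does not carry that exact token. The in-memory session store and the form fields are constructed for the example.

```python
import hmac
import secrets

# Constructed stand-in for the server-side session store a web application
# such as a PHP admin tool would keep (hypothetical, for this example only).
SESSIONS = {}


def start_session():
    """Create a session and mint a fresh, unpredictable CSRF token for it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """The token the server embeds in forms it renders for this session."""
    return SESSIONS[sid]["csrf_token"]


def handle_state_changing_request(sid, form_fields):
    """Synchronizer-token check on a privileged action (e.g. a mass import).

    The browser attaches the session cookie to cross-site requests automatically,
    so the session alone proves nothing about who built the form. The token does:
    a page on another origin cannot read it, so a forged form will lack it.
    """
    session = SESSIONS.get(sid)
    if session is None:
        return ("rejected", "no session")
    submitted = form_fields.get("csrf_token", "")
    # Constant-time comparison so timing does not leak token bytes.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return ("rejected", "missing or invalid CSRF token")
    # Only now is the privileged action performed.
    return ("accepted", form_fields.get("action"))


def demo():
    """Legitimate submission vs. two forged ones (constructed inputs)."""
    sid = start_session()
    # Form rendered by the server for this session: carries the right token.
    good = handle_state_changing_request(
        sid, {"action": "import", "csrf_token": csrf_token_for(sid)})
    # Cross-site form: cookie rides along, but there is no token to copy.
    forged = handle_state_changing_request(sid, {"action": "import"})
    # Cross-site form with a guessed token of the right length.
    guessed = handle_state_changing_request(
        sid, {"action": "import", "csrf_token": "x" * 43})
    return good, forged, guessed


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Without the token, `handle_state_changing_request` would have to rely on the session cookie alone, which is exactly the condition the advisory describes: any page an authenticated administrator visits can submit the import form on their behalf.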
The second issue discovered in Magmi is an authentication bypass that allows the use of default credentials when the connection to the Magento database fails.
This flaw is now identified as CVE-2020-5777, and attackers can exploit it by forcing a denial-of-service (DoS) condition on the Magento database connection.
Gillier says in a technical overview that the DoS is possible when the maximum number of MySQL connections is larger than the maximum accepted by the server for HTTP connections. A PoC for this issue is available, too.
“By sending a large number of concurrent connection requests that exceed the MySQL connections limit, but not the maximum Apache HTTP connection limit, attackers could temporarily block access to the Magento database and simultaneously make an authenticated request to MAGMI using the default credentials” – Enguerran Gillier
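The design defect behind CVE-2020-5777 is an authentication path that fails open: when the credential store is unreachable, the application falls back to built-in defaults instead of denying access. The Python example below is added here to contrast that pattern with a fail-closed one; it is not Magmi's code, the credential store is a constructed in-memory dictionary standing in for the Magento database, and the default credentials are placeholders because the real values are not given on the page.

```python
import hashlib
import hmac


class DatabaseUnavailable(Exception):
    """Raised when the (simulated) Magento database connection fails."""


# Constructed sample credential store, normally held in the Magento database.
SALT = b"constructed-salt"
STORED_ADMINS = {
    "admin": hashlib.sha256(SALT + b"correct horse battery staple").hexdigest(),
}

# Placeholder built-in defaults; the page does not state the real values.
DEFAULT_CREDENTIALS = {"PLACEHOLDER_DEFAULT_USER": "PLACEHOLDER_DEFAULT_PASS"}


def load_admins(db_available):
    """Fetch admin records; raises when the database cannot be reached."""
    if not db_available:
        raise DatabaseUnavailable("cannot connect to Magento database")
    return STORED_ADMINS


def check_password(stored_hash, password):
    candidate = hashlib.sha256(SALT + password.encode()).hexdigest()
    return hmac.compare_digest(candidate, stored_hash)


def login_fail_open(user, password, db_available):
    """Weak pattern: a database outage silently switches to built-in defaults.

    Anyone who can exhaust the database connection pool (the DoS condition the
    advisory describes) turns the outage into a login with known credentials.
    """
    try:
        admins = load_admins(db_available)
    except DatabaseUnavailable:
        return DEFAULT_CREDENTIALS.get(user) == password
    stored = admins.get(user)
    return stored is not None and check_password(stored, password)


def login_fail_closed(user, password, db_available):
    """Hardened pattern: if the credential store cannot be consulted, deny."""
    try:
        admins = load_admins(db_available)
    except DatabaseUnavailable:
        # Log and alert on the outage, but never grant access without a verdict.
        return False
    stored = admins.get(user)
    return stored is not None and check_password(stored, password)


def demo():
    """Same inputs through both patterns (constructed scenarios)."""
    default_user, default_pass = next(iter(DEFAULT_CREDENTIALS.items()))
    return {
        "fail_open_db_down_defaults": login_fail_open(default_user, default_pass, db_available=False),
        "fail_closed_db_down_defaults": login_fail_closed(default_user, default_pass, db_available=False),
        "fail_closed_db_up_admin": login_fail_closed("admin", "correct horse battery staple", db_available=True),
        "fail_closed_db_up_wrong": login_fail_closed("admin", "wrong", db_available=True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The only difference between the two functions is the `except` branch, which is where an availability failure either stays an availability failure or becomes an authentication bypass. A defender reviewing similar code should also treat a burst of database connection errors coinciding with an admin login as a signal worth alerting on.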
According to Tenable, they reported the vulnerabilities in Magmi to its developer on June 3. On July 6, the developer acknowledged the glitches saying that they would be addressed.
A new version of the plugin emerged on August 30 with a fix just for the authentication bypass vulnerability, said the cybersecurity company.
Vulnerabilities in previous versions of Magmi have been exploited by at least one Magecart Group for unauthorized access to a server hosting an online store in the U.S. This enabled them to plant malicious JavaScript code that stole customers’ credit card data at checkout.
The incident was notable enough to cause the FBI to release in May technical details to organizations in the e-commerce sector so they can protect against the threat actor.
Although Magmi targets Magento 1.x, which is no longer under active support, the plugin's download count over the past six months indicates hundreds of installations.