Unauthenticated stored XSS to RCE combo attack exposed

UPDATED Security vulnerabilities in Magento, the shopping cart software powering thousands of online stores, could be abused to hijack e-commerce systems, security researchers have warned.

The problem, discovered by security researchers at RIPS Technologies, stems from an HTML sanitizer bug and a Phar deserialization issue in all but the latest versions of the popular package.

More specifically, an unauthenticated stored cross-site scripting (XSS) flaw might be escalated to trigger remote code execution (RCE).

“This chain can be abused by an unauthenticated attacker to fully take over certain Magento stores and to redirect payments,” RIPS Tech’s Simon Scannell warns in a technical blog post.

All Magento stores that have the built-in Authorize.Net payment module enabled are at risk.

Fortunately, Adobe patched the problem last week, allowing RIPS Tech to go public about its findings.

Authorize.Net, a Visa-developed technology, isn’t responsible for any of the vulnerabilities, which stem from Magento’s implementation.

The security weakness means an unauthenticated attacker can inject a stored XSS payload into the administrator backend of a Magento store.

This JavaScript payload will run the next time an authorized user at a targeted organization logs into an admin dashboard, hijacking an administrative session in the process.

The second stage of the attack then comes into play. An authenticated RCE vulnerability might be exploited, resulting in a full takeover of the store by the attacker.

This opens the door to all manner of mischief including, but not limited to, credit card information being stolen from the customers of a now-compromised store, or the redirection of payments to a bank account controlled by criminals.

Web application security testing firm RIPS Tech concludes: “We rate the severity of the exploit chain as high, as an attacker can exploit it without any prior knowledge or access to a Magento store and no social engineering is required.”

Working out if a target store uses the Authorize.Net module is easy and could be automated, opening up the possibility of mass exploitation of vulnerable Magento-based stores.

Fortunately, patches from Adobe-owned Magento are already available.

Patches were released last week in versions 2.3.2, 2.2.9, and 2.1.18 of Magento, as previously reported. The release addressed a bumper total of 130 vulnerabilities, including 14 RCE bugs.
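Because no standalone patch is mentioned, the practical check for a store operator is whether the installed release is at or above the fixed version for its branch. The following is an added example (not code from the article, RIPS Tech or Magento) that compares a Magento 2 version against the three fixed releases named above; it assumes the installed version can be read from the `magento/product-community-edition` (or `product-enterprise-edition`) entry in composer.lock, which is the metapackage Magento 2 installs ship with.

```python
import json
import re

# Minimum fixed release per Magento 2 branch, as reported in the article.
PATCHED_MINIMUM = {
    (2, 1): (2, 1, 18),
    (2, 2): (2, 2, 9),
    (2, 3): (2, 3, 2),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn '2.3.1' (optionally with a suffix such as '-p1') into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version):
    """True if the version is at or above the fixed release of its branch,
    False if it is below, and None for branches the article does not cover
    (e.g. 2.0.x or Magento 1), which should be checked separately."""
    major, minor, patch = parse_version(version) if isinstance(version, str) else version
    minimum = PATCHED_MINIMUM.get((major, minor))
    if minimum is None:
        return None
    return (major, minor, patch) >= minimum


def version_from_composer_lock(lock_text):
    """Extract the installed Magento version from the composer.lock metapackage entry."""
    data = json.loads(lock_text)
    for pkg in data.get("packages", []):
        if pkg.get("name") in ("magento/product-community-edition",
                               "magento/product-enterprise-edition"):
            return pkg["version"]
    return None


# Constructed composer.lock fragment for demonstration; not taken from a real store.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "magento/product-community-edition", "version": "2.3.1"}]})

if __name__ == "__main__":
    v = version_from_composer_lock(SAMPLE_LOCK)
    state = {True: "patched", False: "NOT patched", None: "branch not covered"}[is_patched(v)]
    print(f"Magento {v}: {state}")
```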

Scannell said scoping the impact of the Magento vulnerability he discovered was difficult.

He told The Daily Swig: "It is difficult to tell how many stores are affected right now. However, Magento stores can be difficult to update and no standalone patch is available as far as I personally know. I personally think exploitation by a sophisticated group is possible."

A senior Magento developer readily conceded the danger that the flaw poses to unpatched stores.

Sergii Shymko, a Magento architect and Magento 2 co-founder, offered his assessment on Twitter.

“An attacker can place a malicious @AuthorizeNet order, wait for cancelation, hijack admin session, and induce remote code execution by deserializing malicious phar:// via WYSIWYG controller,” he wrote.

The Daily Swig has contacted Adobe for comment and will update this story as and when more information comes to hand.


This story has been updated to add comment on its impact from Simon Scannell, the researcher who discovered the vulnerability.