Magento E-commerce Persistent XSS

In a recent pentest, I identified a critical security flaw within Magento ecommerce solution. The flaw is a ‘text-book’ persistent XSS within the admin console which can be triggered by any malicious “non admin” user. This would result in the compromise of the admin section and we all know what follows from here on.

This is a classical example which shows that the admin functionality is equally important to assess against security vulnerabilities and not just the publicly available website. Just because the admin functionality is restricted to trusted users, you cannot ignore the vulnerabilities and this is even more critical when using an open source software.

We reported this issue to Magento on September 24th and the response from Magento was: “We have investigated and fixed the issue which will be available in the next weekly release and next stable (1.9.1.0 and 1.4.2.0)”. Magento didn’t bother to respond to any further emails on when this next “weekly” release will be due and no new version/patch was made available until November 8th when a “preview” version was released and the release notes actually mentions addressing this issue. More details about this issue and the actual vulnerability can be found here.

Magento’s updated version and release notes can be read here. While I understand that this release is not a stable version and upgrading to a preview release may not be the best idea and that some may debate whether this is a responsible disclosure and all that. To be honest, the vendor might have taken a better approach and actually bothered to release a security patch. If i know this issue, then its quite likely someone else knows it too and that it might have been exploited in the wild and so on …

Enough of my ranting. If you are using Magento, UPDATE NOW!!

2 Thoughts on “Magento E-commerce Persistent XSS

  1. Good job ! I know magento is a well secured application.

  2. I doubt it very much. I can bet there are a few more persistent XSS and similar issues. When it comes to security its not bad, but its not the best either.

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Post Navigation