First off, I know Magento 1.3 isn’t the most recent version, by a long shot, but a partner of ours reported an issue, and we noticed we still had several dozen shops running in 1.3, and as such decided to patch this issue and report it to the community at large.
By exploiting this issue it is possible to download the name and address information of every known customer stored in the webshop's database. No authentication is required; in fact, one doesn't even need an existing account with the webshop to exploit this bug.
Reproducing the issue
The steps needed to reproduce this issue are quite simple. The issue lies within the JSON module of the Onestep checkout system used in these Magento versions. The JSON call handler contains insufficient checks and answers any request for address information, as long as the visitor has products in their shopping cart. As such, a visitor can forge the JSON request and use it to retrieve the contact information of every customer that has previously shopped via the webshop.
The URL for this JSON request is available in Magento 1.3 shops under /checkout/onepage/getAddress/address/id. Normally the id part is replaced by the user's own user-id, and the response is used to fill in or validate the forms during the checkout process. To test this, we set up an example shop on www.magento13.nl with an example product and an example user. The issue can be reproduced in the following way:
* Add an item to the shopping cart
* Proceed to checkout
* Make a JSON call to get the contact information for customer id 1
After doing this, you should receive a file for download that contains all of that customer's private information in an easily readable JSON format.
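Shops that cannot patch right away can at least spot this bug being used against them: a legitimate checkout touches one or two of the visitor's own address ids, whereas a single client walking through many ids in a short period stands out in the web server access log. The following detection script is an added example, not code from the original advisory or from Magento; the log lines it scans are constructed, and the thresholds (more than 2 distinct ids within 300 seconds) are assumptions to tune per shop.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [31/May/2012:10:00:01 +0200] "GET /checkout/onepage/getAddress/address/1 HTTP/1.1" 200 412 "-" "curl/7.22"
203.0.113.5 - - [31/May/2012:10:00:02 +0200] "GET /checkout/onepage/getAddress/address/2 HTTP/1.1" 200 398 "-" "curl/7.22"
203.0.113.5 - - [31/May/2012:10:00:03 +0200] "GET /checkout/onepage/getAddress/address/3 HTTP/1.1" 200 405 "-" "curl/7.22"
203.0.113.5 - - [31/May/2012:10:00:04 +0200] "GET /checkout/onepage/getAddress/address/4 HTTP/1.1" 200 377 "-" "curl/7.22"
198.51.100.9 - - [31/May/2012:10:05:10 +0200] "GET /checkout/onepage/getAddress/address/17 HTTP/1.1" 200 401 "-" "Mozilla/5.0"
198.51.100.9 - - [31/May/2012:10:05:12 +0200] "GET /checkout/onepage/saveBilling/ HTTP/1.1" 200 55 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
ADDR_RE = re.compile(r'^/checkout/onepage/getAddress/address/(?P<id>\d+)')

def parse_line(line):
    """Return (ip, timestamp, address_id, status) for a getAddress request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    a = ADDR_RE.match(m.group('path'))
    if not a:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return m.group('ip'), ts, int(a.group('id')), int(m.group('status'))

def find_enumeration(log_text, max_ids=2, window_seconds=300):
    """Map client ip -> sorted address ids for clients that successfully fetched more
    than max_ids distinct address ids within any window of window_seconds."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == 200:  # only served responses leak data; 403s do not
            ip, ts, addr_id, _ = rec
            by_ip[ip].append((ts, addr_id))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()  # chronological, so every later hit is >= the window start
        for i, (start, _) in enumerate(hits):
            ids = {aid for ts, aid in hits[i:] if (ts - start).total_seconds() <= window_seconds}
            if len(ids) > max_ids:
                flagged[ip] = sorted(ids)
                break
    return flagged

if __name__ == '__main__':
    for ip, ids in find_enumeration(SAMPLE_LOG).items():
        print(f'{ip}: requested address ids {ids}')
```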
More information, along with a patch to fix this issue, can be found on our blog at http://www.byte.nl/blog/2012/05/31/security-issue-in-magento-1-3-and-older-and-magento-enterprise-1-6-and-older/
We advise anyone still using the 1.3 branch to patch this bug immediately. Of course it is usually better to upgrade to the latest version of Magento, but for many shops updating is not possible or not wanted, and they're stuck using 1.3.