Experts at RIPS Technologies reported that they discovered several vulnerabilities in the popular CMS Magento which, chained together, allowed attackers to take control of a vulnerable site.
To carry out the attack, the criminal first had to use a stored XSS bug to inject malicious JavaScript into the backend of the vulnerable store. Then, by hijacking the session of one of the store's employees, the attacker could use those privileges to exploit an RCE vulnerability in PHP's Phar deserialization mechanism, that is, seize complete control of the resource. “The attackers could redirect all payments to their bank account or steal information about the bank cards of users,” the experts write.
The only precondition for a successful attack was that the store had the built-in Authorize.Net payment module installed, since the root of the problem lay in how the Magento developers implemented this payment processing solution.
The stored XSS problem mentioned above was first discovered in Magento 2.2.6 in August 2018. A patch for it was released last November, but it soon became clear that the fix was easy to bypass and that Magento 2.3.0 was still vulnerable. New patches were released as part of Magento 2.3.2, 2.2.9 and 2.1.18.
The second problem, related to Phar deserialization, was discovered in January 2019 and fixed in March in Magento 2.3.1, 2.2.8 and 2.1.17.
It is worth noting that stores based on Magento remain favorite targets of attackers who carry out so-called MageCart attacks, or software skimming.
For example, according to a recent report by Sanguine Security, a targeted and automated attack is currently being conducted against vulnerable stores, with about 960 sites affected. Most of the victims of this attack were small shops; however, according to the experts, several large resources are also among the victims.