Exploitalert - Database of Exploits

Magento E-Commerce Platform XSS in SWF

CVE	Category	Price	Severity
CVE-2016-4322	CWE-79	$500	Medium

Author	Risk	Exploitation Type	Date
Unknown	High	Remote	2015-12-07

CPE
cpe:cpe:/a:magento:e-commerce_platform

CVSS	EPSS	EPSSP
CVSS:4.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L	0.02192	0.50148

CVSS vector description

Metric	Value	Metric Description	Value Description
Attack vector	Network	AV	The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity	Low	AC	The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required	None	PR	The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
Scope	Unchanged	S	An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality	Low	C	There is some impact on confidentiality, but the attacker either does not gain control of any data, or the information obtained does not have a significant impact on the system or its operations.
Integrity	Low	I	Modification of data is possible, but the attacker does not have control over what can be modified, or the extent of what the attacker can affect is limited. The data modified does not have a direct, serious impact on the system.
Availability	Low	A	There is reduced performance or interruptions in resource availability. However, the attacker does not have the ability to completely prevent access to the resources or services; the impact is limited.

https://cxsecurity.com/ascii/WLB-2015120055

Magento E-Commerce Platform XSS in SWFOn April 8th 2014, AppCheck reported several Cross Site Scripting Vulnerabilities in the Magento e-commerce platform via the eBay bug bounty program. eBay responded to inform us that the vulnerabilities had already been reported. However, since more than 6 months have passed and no fix is yet available, This advisory is intended to inform Magento administrators of the vulnerability so that action can be taken to mitigate the flaw. The Vulnerability Several Adobe Flash files that ship with Magento are vulnerable to DOM based Cross Site Scripting (XSS). The vulnerability was identified within the following files via the Appcheck Flash Static Analysis Module: http://[magento_url]/skin/adminhtml/default/default/media/editor.swf http://[magento_url]/skin/adminhtml/default/default/media/uploader.swf http://[magento_url]/skin/adminhtml/default/default/media/uploaderSingle.swf Typically reflected XSS vulnerabilities allow malicious JavaScript code to be injected into the page via a specially crafted link or form post. Upon execution, the injected JavaScript is able to take control of the users session and extract sensitive data or perform actions on behalf of the user or administrator. Successful exploitation of the flaw could allow a malicious attacker to gain control of a users session with the application or full control of the application if the targeted user has administrative privileges. Technical Details The AppCheck Static analysis module identified the following vulnerable flash code within each affected file: function dispatchInit(param1:Event=null) : void { if(ExternalInterface.available == false){ return; } if(bridgeName == null){ bridgeName = baseObject.root.loaderInfo.parameters["bridgeName"]; if(bridgeName == null){ bridgeName = "flash"; } } _registerComplete = ExternalInterface.call("FABridge__bridgeInitialized",[bridgeName]); dispatchEvent(new Event(FABridge.INITIALIZED)); } In the code above the FlashVar parameter bridgeName is passed to the ExternalInterface.call method without filtering. It is possible to pass JavaScript code via the bridgeName parameter that will be executed when the vulnerable function is called (when the page loads). Proof of Concept Example As proof of concept the following URL will inject the JavaScript code alert(1) to illustrate the flaw: http://[magento_url]/skin/adminhtml/default/default/media/editor.swf?bridgeName=1\%22]%29%29;alert%281%29}catch%28e%29{alert%281%29}// Mitigation The vulnerability was confirmed in the latest release (magento-1.9.0.1.tar.gz) downloaded from: http://www.magentocommerce.com/. Until a proper fix is released, it is recommended that access to these flash files be restricted.

Impressum