Oct 26, 2015

[KIS-2015-04] Magento <= 1.9.2 (catalogProductCreate) Autoloaded File Inclusion Vulnerability

vulners.com

[-] Software Link:

http://magento.com/

[-] Affected Versions:

Version 1.9.2 and prior versions.

[-] Vulnerability Description:

The vulnerability is caused by the "catalogProductCreate" SOAP API implementation,
which is defined in the /app/code/core/Mage/Catalog/Model/Product/Api/V2.php script:

    public function create($type, $set, $sku, $productData, $store = null)
    {
        if (!$type || !$set || !$sku) {
            $this->_fault('data_invalid');
        }
        $this->_checkProductTypeExists($type);
        $this->_checkProductAttributeSet($set);
        /** @var $product Mage_Catalog_Model_Product */
        $product = Mage::getModel('catalog/product');
        $product->setStoreId($this->_getStoreId($store))
            ->setAttributeSetId($set)
            ->setTypeId($type)
            ->setSku($sku);
        // $productData comes straight from the SOAP request; no type check precedes this call (line 125 of V2.php)
        if (!property_exists($productData, 'stock_data')) {
            // Set default stock_data if it does not exist in product data
            $_stockData = array('use_config_manage_stock' => 0);
            $product->setStockData($_stockData);
        }
        // ... remainder of the method not shown in the advisory

User input passed through the "productData" SOAP parameter is not properly validated before being
used in a call to the "property_exists()" function at line 125. Because property_exists() accepts
either an object or a class name, a string passed in that parameter is treated as a class name,
and PHP hands it to the registered autoloader, Varien_Autoload::autoload(), which maps the name to a
file path and includes it. This can be exploited by attackers with valid API credentials to include
and execute arbitrary PHP code (from both local and remote resources). Successful exploitation of
this vulnerability requires the application to be running on a PHP version prior to 5.4.24 or 5.5.8.
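The following is an added illustration, not code from Magento or from the advisory: it shows how a non-object "productData" value reaches the autoloader through property_exists(), and the type check that stops it. The autoloader here is a simplified stand-in for Varien_Autoload that only records and filters requested class names; the functions createUnsafe()/createSafe() and the sample inputs are constructed for this example.

```php
<?php
// Records every class name the autoloader was asked for, so the effect of
// each call below can be observed without anything actually being included.
$autoloadLog = array();

// Varien-style autoloader (stand-in): Foo_Bar_Baz would map to Foo/Bar/Baz.php.
// A real class name contains only letters, digits and underscores; anything
// else (path separators, dots, URL schemes) is not a class name and must never
// be translated into a file path.
spl_autoload_register(function ($class) use (&$autoloadLog) {
    $autoloadLog[] = $class;
    if (!preg_match('/^[A-Za-z0-9_]+$/', $class)) {
        return; // refuse: do not build a path, do not include
    }
    // Real autoloader would do: include str_replace('_', '/', $class) . '.php';
});

// Vulnerable shape (as in the advisory): whatever arrives in $productData goes
// straight into property_exists(); a string is interpreted as a class name.
function createUnsafe($productData)
{
    return property_exists($productData, 'stock_data');
}

// Hardened shape: reject anything that is not an object before the property
// check, so attacker-chosen strings never reach the autoloader at all.
function createSafe($productData)
{
    if (!is_object($productData)) {
        throw new InvalidArgumentException('data_invalid');
    }
    return property_exists($productData, 'stock_data');
}

// Constructed inputs: a legitimate SOAP struct and a scalar that must be rejected.
$struct = (object) array('stock_data' => array('qty' => 1));
$scalar = 'Not_A_Product_Struct';

createUnsafe($scalar);
printf("after unsafe call, autoloader consulted %d time(s): %s\n",
    count($autoloadLog), implode(', ', $autoloadLog));

try {
    createSafe($scalar);
} catch (InvalidArgumentException $e) {
    printf("safe call rejected scalar input (%s)\n", $e->getMessage());
}
printf("after safe call, autoloader consulted %d time(s)\n", count($autoloadLog));
printf("safe call on a real struct: %s\n", createSafe($struct) ? 'stock_data present' : 'absent');
```

The autoloader's character filter is a defence-in-depth measure for the loader itself; the fix the advisory credits (1.9.2.1 / SUPEE-6482) is the authoritative one for the API.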

[-] Solution:

Update to version 1.9.2.1 or apply the SUPEE-6482 patch bundle.

[-] Disclosure Timeline:

[27/02/2015] - Vendor notified
[25/06/2015] - Vendor acknowledgement stating the issue will be fixed in the next release
[04/08/2015] - Version 1.9.2.1 released along with the patch for this vulnerability
[13/08/2015] - CVE number requested
[17/08/2015] - CVE number assigned
[11/09/2015] - Public disclosure

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2015-6497 to this vulnerability.

[-] Credits:

Vulnerability discovered by Egidio Romano of Minded Security.

[-] Original Advisory:

http://karmainsecurity.com/KIS-2015-04

[-] Other References:

http://blog.mindedsecurity.com/2015/09/autoloaded-file-inclusion-in-magento.html