Security issue

A while ago we discovered a security issue in a couple of modules from Commerce Extensions. Their import / export modules have a function to download the export file, but the same function could also be used to download any other file from the server by anybody who knew the URL.

We reported this issue to Commerce Extensions and helped them fix the issue.

How to find out if you're at risk

The first step is to check whether you have any import / export modules from Commerce Extensions installed. You can do this by checking your app/etc/modules folder for XML files whose name starts with "CommerceExtensions_" followed by a module name containing the word "export".

Unfortunately they did not update the version numbers of the fixed modules, so the next step is to check the code of each module you found. Open its controller, which is located at app/code/community/CommerceExtensions/[MODULENAME]/controllers/IndexController.php, where [MODULENAME] is the part of the XML filename after "CommerceExtensions_". If you see the following code there, you are vulnerable:

  // the request parameter is appended to the export path without any validation
  $fullPath = $path.$this->getRequest()->getParam('download_file');
  // so whatever path the request names is opened and served
  if ($fd = fopen ($fullPath, "r")) {

If so, update the module to the latest version and verify that the code above is gone in that version.
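The two checks above (module XML present, controller still carrying the unvalidated download_file line) as a shell script. This is an added example, not code from the original post or from Commerce Extensions; it assumes the standard Magento 1 layout (app/etc/modules/*.xml and app/code/community/<Namespace>/<Module>/controllers/IndexController.php), and the fixture it builds is constructed for the demo, including an illustrative hardened controller that is not the vendor's fix.

```shell
#!/bin/sh
# Added example, not code from the original post or from Commerce Extensions:
# walk the two checks described above over a Magento 1 tree.
# Assumes the standard Magento 1 layout: app/etc/modules/*.xml and
# app/code/community/<Namespace>/<Module>/controllers/IndexController.php.

# The exact vulnerable line from the advisory; grep -F matches it literally.
VULN_PATTERN="\$fullPath = \$path.\$this->getRequest()->getParam('download_file');"

# Usage: scan_commerce_extensions /path/to/magento
# Prints "<Module> vulnerable|patched|no-controller" for every
# CommerceExtensions_*export*.xml module declaration found.
scan_commerce_extensions() {
    base="$1"
    for xml in "$base"/app/etc/modules/CommerceExtensions_*[Ee]xport*.xml; do
        [ -e "$xml" ] || continue                 # glob matched nothing
        mod=$(basename "$xml" .xml)
        mod=${mod#CommerceExtensions_}
        ctl="$base/app/code/community/CommerceExtensions/$mod/controllers/IndexController.php"
        if [ ! -f "$ctl" ]; then
            echo "$mod no-controller"
        elif grep -qF "$VULN_PATTERN" "$ctl"; then
            echo "$mod vulnerable"
        else
            # Absence of the literal line is not proof of safety; review the
            # controller by hand if the module predates the fixed versions.
            echo "$mod patched"
        fi
    done
}

# Constructed fixture (not a real installation): one module carrying the
# vulnerable line and one whose controller restricts the name to a basename
# inside the export directory (an illustrative hardened form, not the vendor's).
make_fixture() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/app/etc/modules"
    for m in Orderimportexport Subscriberimportexport; do
        mkdir -p "$tmp/app/code/community/CommerceExtensions/$m/controllers"
        printf '<config/>\n' > "$tmp/app/etc/modules/CommerceExtensions_$m.xml"
    done
    cat > "$tmp/app/code/community/CommerceExtensions/Orderimportexport/controllers/IndexController.php" <<'EOF'
<?php
$fullPath = $path.$this->getRequest()->getParam('download_file');
if ($fd = fopen ($fullPath, "r")) {
EOF
    cat > "$tmp/app/code/community/CommerceExtensions/Subscriberimportexport/controllers/IndexController.php" <<'EOF'
<?php
$name = basename((string) $this->getRequest()->getParam('download_file'));
$fullPath = realpath($path . DIRECTORY_SEPARATOR . $name);
if ($fullPath === false || strpos($fullPath, realpath($path) . DIRECTORY_SEPARATOR) !== 0) {
    return; // outside the export directory
}
if ($fd = fopen($fullPath, "r")) {
EOF
    echo "$tmp"
}

# Stand-alone demo on the fixture.
demo=$(make_fixture)
scan_commerce_extensions "$demo"
rm -rf "$demo"
```

Run it against a real installation with `scan_commerce_extensions /var/www/magento` (path is an example); a "patched" result only means the literal line is absent, so a module older than the fixed versions still deserves a manual look at the controller.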

If you need any help with analyzing or fixing this security issue, please contact us.

Update 29-03-2019

Commerce Extensions contacted us to ask if we could let the article reflect that all their modules downloaded after July 2017 are not vulnerable. We are working hard together to provide you with the version numbers that are safe to use.

Update 07-05-2019

We have a list containing the version numbers of the fixed modules:

Module code                                      Fixed version
CommerceExtensions_Advancedcustomerimportexport  0.3.0
CommerceExtensions_Categoriesimportexport        0.2.0
CommerceExtensions_Cmspagesimportexport          0.3.0
CommerceExtensions_Cmsstaticblocksimportexport   0.3.0
CommerceExtensions_Customerreviewsimportexport   0.3.0
CommerceExtensions_Orderimportexport             0.2.0
CommerceExtensions_Productrelationsimportexport  0.2.0
CommerceExtensions_Searchtermsimportexport       0.3.0
CommerceExtensions_Shoppingcartrulesimportexport 0.3.0
CommerceExtensions_Subscriberimportexport        0.3.0
CommerceExtensions_Urlrewritesimportexport       0.3.0
CommerceExtensions_Wishlistimportexport          0.3.0

This list has also been added to the Magento Vulnerability Database, so that you can easily scan all your Magento installations with Magerun.
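For installations you cannot scan with Magerun, the table above can be checked by hand with a shell script like the following. This is an added example, not code from the original post, from Commerce Extensions or from Magerun; it assumes the Magento 1 convention that app/code/community/CommerceExtensions/<Module>/etc/config.xml declares the module version under <modules><CommerceExtensions_Module><version>, and the fixture it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post, Commerce Extensions or Magerun:
# compare the version each Commerce Extensions import/export module declares in
# its etc/config.xml with the fixed versions listed in the table above.
# Assumption: Magento 1 convention, where
# app/code/community/CommerceExtensions/<Module>/etc/config.xml declares
# <modules><CommerceExtensions_<Module>><version>x.y.z</version>...

# The table above, as "<module code> <fixed version>" lines.
FIXED_VERSIONS='CommerceExtensions_Advancedcustomerimportexport 0.3.0
CommerceExtensions_Categoriesimportexport 0.2.0
CommerceExtensions_Cmspagesimportexport 0.3.0
CommerceExtensions_Cmsstaticblocksimportexport 0.3.0
CommerceExtensions_Customerreviewsimportexport 0.3.0
CommerceExtensions_Orderimportexport 0.2.0
CommerceExtensions_Productrelationsimportexport 0.2.0
CommerceExtensions_Searchtermsimportexport 0.3.0
CommerceExtensions_Shoppingcartrulesimportexport 0.3.0
CommerceExtensions_Subscriberimportexport 0.3.0
CommerceExtensions_Urlrewritesimportexport 0.3.0
CommerceExtensions_Wishlistimportexport 0.3.0'

# Usage: installed_version /path/to/magento CommerceExtensions_Orderimportexport
# Prints the declared version; fails if the module or its version is absent.
installed_version() {
    cfg="$1/app/code/community/CommerceExtensions/${2#CommerceExtensions_}/etc/config.xml"
    [ -f "$cfg" ] || return 1
    v=$(sed -n 's/.*<version>\([0-9][0-9.]*\)<\/version>.*/\1/p' "$cfg" | head -n 1)
    [ -n "$v" ] || return 1
    echo "$v"
}

# version_ge A B: succeeds when dotted version A is at least B (numeric per
# component, so 0.10.0 > 0.9.1, which plain string comparison gets wrong).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            ai = (i <= na) ? x[i] + 0 : 0
            bi = (i <= nb) ? y[i] + 0 : 0
            if (ai > bi) exit 0
            if (ai < bi) exit 1
        }
        exit 0
    }'
}

# Usage: check_fixed_versions /path/to/magento
# Prints "<module code> <installed> <fixed> safe|update-required|not-installed".
check_fixed_versions() {
    echo "$FIXED_VERSIONS" | while read -r code fixed; do
        [ -n "$code" ] || continue
        if inst=$(installed_version "$1" "$code"); then
            if version_ge "$inst" "$fixed"; then
                echo "$code $inst $fixed safe"
            else
                echo "$code $inst $fixed update-required"
            fi
        else
            echo "$code - $fixed not-installed"
        fi
    done
}

# Constructed fixture: a throwaway tree with one outdated and one fixed module.
write_config() {
    dir="$1/app/code/community/CommerceExtensions/$2/etc"
    mkdir -p "$dir"
    printf '<?xml version="1.0"?>\n<config>\n  <modules>\n    <CommerceExtensions_%s>\n      <version>%s</version>\n    </CommerceExtensions_%s>\n  </modules>\n</config>\n' \
        "$2" "$3" "$2" > "$dir/config.xml"
}
make_fixture() {
    tmp=$(mktemp -d)
    write_config "$tmp" Orderimportexport 0.1.5
    write_config "$tmp" Subscriberimportexport 0.3.0
    echo "$tmp"
}

# Stand-alone demo on the fixture.
demo=$(make_fixture)
check_fixed_versions "$demo"
rm -rf "$demo"
```

Because the vendor did not bump version numbers for the earliest fixes, a "safe" verdict here should be read together with the code check from the section above: the version comparison catches modules known to be old, and the controller grep catches old code shipped under a newer-looking number.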