Security issues

After reading this blog post from Willem de Groot we scanned our customers' code bases for similar issues and found a module called Magpleasure_Common in which request data reaches PHP's unserialize() in two different places, allowing PHP object injection. The module is not sold on its own but ships with a number of other modules, among them:

  • Amasty / MagPleasure: Tierprices up to version 1.2.14
  • Amasty / MagPleasure: Blog Pro up to version 2.3.4
  • Amasty / MagPleasure: Share Me! up to version 2.1.4
  • Amasty / MagPleasure: AJAX Reviews up to version 1.3.13

I say Amasty / MagPleasure because these modules were developed by MagPleasure; that company is now owned by Amasty, which also sells the modules under its own name.

Technical details

There are two places where this issue can be abused. The first is the adminhtml controller Magpleasure_Common_Adminhtml_Magpleasure_AjaxformController::saveAction(), which accepts POST data and passes it, via a small detour, to PHP's unserialize() function.

The first relevant code is around line 81 of the controller:

    public function saveAction()
    {
        $result = array();

        // 'covering' is attacker-controlled POST data
        if ($covering = $this->getRequest()->getPost('covering')){

            $savedData = $this->_commonHelper()->getHash()->getObjectFromHash($covering);

Here the user data is passed to the helper method Magpleasure_Common_Helper_Hash::getObjectFromHash(), which around line 60 reads:

    public function getObjectFromHash($hash)
    {
        // $hash is still the raw request value
        return new Varien_Object($this->getData($hash));
    }

That in turn passes the data to Magpleasure_Common_Helper_Hash::getData(), where around line 31 it reaches PHP's unserialize() function unchanged:

    // getData(): the request value is deserialized as-is
    $result = unserialize($data);

This means an attacker who can reach the /admin/magpleasure/ajaxform/save/ URL can supply an arbitrary serialized PHP value. unserialize() will instantiate whatever classes that value names, and with a suitable class on the autoload path (one whose __wakeup() or __destruct() acts on attacker-controlled properties) this can lead to code execution. Note that for this to work the attacker already needs (partial) admin access: the controller lives under adminhtml, so a valid admin session is required.

The second place is easier to spot in the PHP code. The method Magpleasure_Common_Block_Widget_Dialog::_restoreForwardedData() contains the following:

    // 'forward_data' can be supplied by any visitor of a page that renders this block
    $data = $this->getRequest()->getParam('forward_data');
    if ($data){
        try {
            $data = $this->_commonHelper()->getCore()->urlDecode($data);
            $data = unserialize($data);

Because this block is used in several places in the frontend, an attacker can reach this unserialize() call without any backend access: anyone who can send a request carrying a forward_data parameter to a page that renders the dialog block controls the serialized data. That makes this the more dangerous of the two places.
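
To make the forward_data problem concrete, here is an added example (not the module's code and not Amasty's fix) that reproduces the vulnerable pattern, fires a hypothetical gadget class through it, and then shows two ways to harden the round trip. The urlEncode()/urlDecode() helpers are assumed to be URL-safe base64 like Magento's core helper, the LogWriter gadget class and the $secret key are invented for the demonstration, and the payload string is constructed by hand:

```php
<?php
// Added example, not the module's code: why unserialize() on request data is
// exploitable, and two ways to harden the forward_data round trip.
// Assumption: Magento's urlEncode()/urlDecode() helpers are URL-safe base64.
function urlEncode(string $s): string { return strtr(base64_encode($s), '+/=', '-_,'); }
function urlDecode(string $s): string { return base64_decode(strtr($s, '-_,', '+/=')); }

// Hypothetical gadget class. Any class reachable by the autoloader whose
// __wakeup()/__destruct() acts on its own properties will do; this one writes a file.
class LogWriter
{
    public $path;
    public $content;
    public function __destruct()
    {
        file_put_contents($this->path, $this->content);
    }
}

// Vulnerable: mirrors _restoreForwardedData(). The module only ever serialized
// plain arrays, but unserialize() instantiates whatever class the string names.
function restoreVulnerable(string $forwardData)
{
    return unserialize(urlDecode($forwardData));
}

// Hand-built attacker payload (constructed for the demo): a serialized LogWriter.
$target  = sys_get_temp_dir() . '/unserialize_demo.txt';
$payload = urlEncode(
    'O:9:"LogWriter":2:{s:4:"path";s:' . strlen($target) . ':"' . $target
    . '";s:7:"content";s:5:"owned";}'
);
$obj = restoreVulnerable($payload); // returns a LogWriter instance
unset($obj);                        // __destruct() fires and writes $target
echo file_exists($target) ? "gadget fired: $target written\n" : "no effect\n";
@unlink($target);

// Hardened, option 1 (PHP >= 7.0): never instantiate classes from the string.
function restoreNoObjects(string $forwardData): array
{
    $data = unserialize(urlDecode($forwardData), ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}
var_dump(restoreNoObjects($payload)); // empty array: the object became __PHP_Incomplete_Class

// Hardened, option 2: JSON instead of serialize(), plus an HMAC so the block only
// accepts forward_data the server itself produced. $secret is a per-install key
// (assumption; the Magento crypt key from local.xml would be one candidate).
function forwardEncode(array $data, string $secret): string
{
    $json = json_encode($data);
    return urlEncode(hash_hmac('sha256', $json, $secret) . '.' . $json);
}
function forwardDecode(string $forwardData, string $secret): array
{
    $parts = explode('.', urlDecode($forwardData), 2);
    if (count($parts) !== 2 || !hash_equals(hash_hmac('sha256', $parts[1], $secret), $parts[0])) {
        return []; // missing or forged MAC: ignore the parameter
    }
    $data = json_decode($parts[1], true);
    return is_array($data) ? $data : [];
}
$secret = 'per-install-secret';
$good = forwardEncode(['product_id' => 42, 'qty' => 1], $secret);
var_dump(forwardDecode($good, $secret));                      // the original array
var_dump(forwardDecode($payload, $secret));                   // []: attacker payload rejected
var_dump(forwardDecode(urlEncode('x.{"qty":999}'), $secret)); // []: bad MAC
```

Option 1 is the minimal change when the data format cannot be touched; it keeps unserialize() but stops class instantiation. Option 2 removes unserialize() from the request path entirely and, because the MAC is checked before the JSON is parsed, a client can only hand back data the server produced earlier.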

Solution

After we contacted Amasty about this issue they released version 0.8.13 of the Magpleasure_Common module, which resolves both problems, together with new versions of all of their modules that ship it. If Magpleasure_Common is installed and the version recorded in its config.xml is below 0.8.13, update the module(s) it came with.
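
A small added script (not from Amasty or the advisory) that performs that version check across a Magento 1 installation. It assumes the standard layout, where each code pool holds the module at app/code/<pool>/Magpleasure/Common/etc/config.xml, and that the module records its version at config/modules/Magpleasure_Common/version; both are assumptions about the install being scanned:

```php
<?php
// Added example, not part of the advisory: find every copy of Magpleasure_Common
// in a Magento 1 install and flag versions below the fixed release.
// Assumptions: Magento 1 code-pool layout and the usual
// <config><modules><Magpleasure_Common><version> location in config.xml.

const FIXED_VERSION = '0.8.13';

function findVulnerableCopies(string $magentoRoot): array
{
    $hits = [];
    foreach (['local', 'community', 'core'] as $pool) {
        $configXml = "$magentoRoot/app/code/$pool/Magpleasure/Common/etc/config.xml";
        if (!is_file($configXml)) {
            continue;
        }
        $xml = @simplexml_load_file($configXml);
        // Missing elements cast to '' with SimpleXML, so an unparseable or
        // unversioned file is treated as vulnerable rather than silently passed.
        $version = $xml === false ? '' : (string) $xml->modules->Magpleasure_Common->version;
        $hits[$configXml] = [
            'version'    => $version === '' ? 'unknown' : $version,
            'vulnerable' => $version === '' || version_compare($version, FIXED_VERSION, '<'),
        ];
    }
    return $hits;
}

$root = $argv[1] ?? '.';
$copies = findVulnerableCopies($root);
if ($copies === []) {
    echo "Magpleasure_Common not found under $root\n";
}
foreach ($copies as $file => $info) {
    printf("%s: version %s -> %s\n", $file, $info['version'], $info['vulnerable'] ? 'UPDATE' : 'ok');
}
```

Run it as `php check_magpleasure.php /path/to/magento`. A copy in the local pool overrides one in community, so if the script reports several copies, the one in the earlier listed pool is the one Magento actually loads and is the version that matters.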