Magento stored XSS detailed analysis
Affected Versions: Magento CE <1.9.2.3 and Magento EE <1.14.2.3
0x00 Magento Introduction
Magento is a professional open-source e-commerce system, often billed as the world's number one e-commerce platform. It is written in PHP on the Zend Framework, has a flexible modular architecture and a rich feature set (shopping cart, shipping, product reviews, and so on), and is aimed at enterprise-level deployments that need to build e-commerce sites for many different purposes. Because the code base is open and follows consistent development standards, it is straightforward to integrate with third-party application systems. To open up revenue channels Magento also offers a paid Enterprise Edition and actively pursues partnerships and third-party integrations such as e-payment platforms.
0x02 description
On January 20, 2016, Magento released patch SUPEE-7405 to fix a high-risk stored XSS vulnerability. An attacker only needs to register a customer account, change the account's email address to a malicious script payload, and place an order with that account. When an administrator views the order in the admin panel, the script executes in the administrator's browser, inside the administrator's session.
0x03 verification test
Step 1: Register an account, then open the account's email settings. The email field is only checked by client-side JavaScript validation, so intercept the submission with a packet capture and modification tool and replace the email address with the malicious payload; the server stores it.
Step 2: Browse the catalogue and place an order with that account.
Step 3: When the administrator opens the order details in the admin panel, the payload fires, confirming the vulnerability.
0x04 code analysis
Malicious data flow (from submission to storage):
D:\WWW\magento\app\code\core\Mage\Customer\controllers\AccountController.php ----> public function editPostAction()
D:\WWW\magento\app\code\core\Mage\Eav\Model\Form.php ----> public function validateData(array $data)
D:\WWW\magento\lib\Zend\Validate\EmailAddress.php
Following this path, the submitted email goes through editPostAction(), then validateData(), and finally Zend_Validate_EmailAddress. None of this code applies any XSS-specific filtering: the payload "><script>alert(1)</script>" passes the email validation and is written to the database. Note the double quotes around the payload: RFC 5322 allows the local part of an address to be a quoted string, and Zend_Validate_EmailAddress implements that rule, so a quoted local part containing < and > is a syntactically valid address as far as the validator is concerned. Syntactic email validation is therefore not an XSS control here.
When the administrator opens the order details in the admin panel:
The email address is read straight from the order table and echoed into the page without HTML escaping, which is what turns the stored payload into a stored XSS.
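To make the three stages concrete (validation pass, raw output, escaped output), here is an added PHP example; it is not code from Magento, Zend Framework, or the original write-up. The validator is a simplified stand-in modelled on the RFC 5322 local-part rules that Zend_Validate_EmailAddress implements, the two render functions stand in for the admin order template (the page does not name that file), and the domain example.com and the sample addresses are constructed for the demo.

```php
<?php
// Added example, not Magento's or Zend's code. Models the data flow from the
// write-up: an RFC 5322 quoted local part passes email validation, the raw
// address is echoed into an admin page (stored XSS), and HTML escaping at the
// output sink neutralises it. Assumptions: the validator is a simplified
// stand-in for Zend_Validate_EmailAddress; "example.com" and the sample
// addresses are constructed for the demo.

declare(strict_types=1);

// RFC 5322 local part: dot-atom text, or a quoted string. The quoted-string
// branch is the one the payload uses: everything between the quotes only has
// to be printable ASCII other than backslash and the quote itself, so '<',
// '>', '(' and '/' are all acceptable characters.
function localPartIsValid(string $local): bool
{
    $atext = '[A-Za-z0-9!#$%&\'*+\/=?^_`{|}~-]+';
    if (preg_match('/^' . $atext . '(\.' . $atext . ')*$/', $local)) {
        return true;
    }
    // qtext is 0x20-0x21, 0x23-0x5b, 0x5d-0x7e; a quoted-pair is "\" + any ASCII
    return (bool) preg_match('/^"([\x20-\x21\x23-\x5b\x5d-\x7e]|\\\\[\x00-\x7f])*"$/', $local);
}

// Minimal domain check: dotted labels of letters, digits and hyphens.
function domainIsValid(string $domain): bool
{
    return (bool) preg_match('/^([A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$/', $domain);
}

function emailIsValid(string $email): bool
{
    $at = strrpos($email, '@');
    if ($at === false) {
        return false;
    }
    return localPartIsValid(substr($email, 0, $at)) && domainIsValid(substr($email, $at + 1));
}

// Vulnerable sink: the stored address is concatenated straight into HTML,
// which is the behaviour the write-up describes for the admin order view.
function renderEmailVulnerable(string $storedEmail): string
{
    return '<td class="customer-email">' . $storedEmail . '</td>';
}

// Hardened sink: encode for an HTML text context before output. In a
// Magento 1 block or template this corresponds to $this->escapeHtml($value).
function renderEmailSafe(string $storedEmail): string
{
    return '<td class="customer-email">' . htmlspecialchars($storedEmail, ENT_QUOTES, 'UTF-8') . '</td>';
}

// Triage helper for data stored before patching: flag addresses that contain
// markup characters no legitimate customer address needs.
function findSuspiciousEmails(array $emails): array
{
    return array_values(array_filter($emails, function (string $e): bool {
        return (bool) preg_match('/[<>"]/', $e);
    }));
}

// --- demo on constructed input ---
$payload = '"><script>alert(1)</script>"@example.com'; // payload from the write-up plus an assumed domain
$stored  = ['alice@example.com', $payload, 'bob.smith@example.org'];

foreach ($stored as $email) {
    printf("%-45s validator=%s\n", $email, emailIsValid($email) ? 'accept' : 'reject');
}
echo "vulnerable: ", renderEmailVulnerable($payload), PHP_EOL;
echo "hardened:   ", renderEmailSafe($payload), PHP_EOL;
echo "triage hits: ", implode(', ', findSuspiciousEmails($stored)), PHP_EOL;
```

Run it with the php command-line interpreter (PHP 7.0 or later). The validator stand-in makes the point that the payload is a well-formed address, so tightening email validation is the wrong place to fix this; the reliable fix is context-aware escaping at the output sink, which Magento 1 exposes as $this->escapeHtml(), and the triage helper gives a quick way to find addresses that were stored before the patch.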
0x05 repair suggestions
Apply patch SUPEE-7405, or upgrade to Magento CE 1.9.2.3 / Magento EE 1.14.2.3 or later. In addition, treat customer-supplied fields (email addresses included) as untrusted when rendering admin pages and escape them for HTML output, and check existing customer and order records for email addresses containing <, > or quote characters, since records created before the patch may still hold injected markup.