Cross-Site Request Forgery (CSRF) is a hacking technique of getting a user who is logged into an application to execute certain commands while authenticated and logged in. The Magento shopping cart (version 2.1.6 and below) has a security issue that allows that. Magento has known about this for some months but as of April 2017 still had not fixed it. Defense Code contacted the company and told them this is a red critical security problem.
Magento is an ecommerce engine for web sites. Defense Code reports that a hacker can exploit the site by using a feature that previews a video before it loads a Vimeo video. The hacker can change the POST to a GET, either in a malicious web page or HTML embedded in an email) and request a file that is an invalid image file, like a .php program. The system will respond saying the file type is invalid but will download it anyway.
When the malicious PHP file is downloaded then it can be called from the internet. So you can get a command shell and pass it arguments. Like with this php code:
<?php echo shell_exec($_GET['cmd']); ?>
It also downloads a .htaccess file which is Apache web server security. That sets the settings there to allow PHP code to run.
This exploits does not require pressing any button. By implanting HTML code in an email a Magento user gets the HTML GET or the hacker can entice the user into loading a page that does. They do not have to click on the actual video preview links or any link at all.
What is not clear is if the hacker can upload a .php file as a .jpg file in Vimeo or whether the hack points to a PHP file on a server of the hacker’s choosing.
The Comments Section Attack Vector
The paper by Defense Code raises an attack vector many of us probably have not thought of. Anyone can load this exploit by embedding html tags in the comments section of a web page, like a newspaper comments section. Some comment sections let you put simple HTML to make bold letters and colors etc. When the comments load the two files needed for the exploit download.