Security Advisory: Stored XSS in Magento

January 22, 2016, by Marc-Alexandre Montpas

Security Risk: Dangerous

Exploitation Level: Easy/Remote

DREAD Score: 7/10

Vulnerability: Stored XSS

Patched Version: Magento CE: 1.9.2.3, Magento EE: 1.14.2.3


During our regular research audits for our Cloud-based WAF, we discovered a Stored XSS vulnerability affecting the Magento platform that can be easily exploited remotely. We notified the Magento team and worked with them to get it fixed.

Vulnerability Disclosure Timeline:

  • November 10th, 2015 – Bug discovered, initial report to Magento’s security team.
  • December 1st, 2015 – No response from Magento. Requested confirmation of our previous email.
  • December 1st, 2015 – Magento acknowledges receipt of the report.
  • January 7th, 2016 – Requested an ETA; it has been 2 months since the original report.
  • January 11th, 2016 – Magento answers that the patch is ready, but no ETA is available.
  • January 20th, 2016 – Magento releases patch bundle SUPEE-7405, which fixes the issue.
  • January 22nd, 2016 – Sucuri public disclosure of the vulnerability.

Am I At Risk?

This vulnerability affects almost every install of Magento CE <1.9.2.3 and Magento EE <1.14.2.3. The buggy snippet is located inside the Magento core libraries, more specifically within the administrator’s backend. Unless you’re behind a WAF or have a very heavily modified administration panel, you’re at risk.

As this is a Stored XSS vulnerability, it could be used by attackers to take over your site, create new administrator accounts, steal client information, or do anything else a legitimate administrator account is allowed to do.

Technical Details

The issue exists within: app/design/adminhtml/default/default/template/sales/order/view/info.phtml:

[Image: Magento-StoredXSS-1, the vulnerable template snippet]

As you can see from the above snippet, the template appends the return value of the getCustomerEmail method to the administration panel without escaping it. This snippet looked similar to what we found in a bug within the WordPress Jetpack plugin a couple of months ago. With that in mind, we investigated the validation mechanisms Magento uses to check whether a given string is an email address or not.

This is what we found:

[Image: Magento-StoredXSS-2, the email validation code]

It accepts two different forms of emails:

  • Regular ones, similar to what we had found in WordPress (no double quotes, no '<' sign, etc.)
  • Quoted-string format, which accepts pretty much any printable character (except for whitespace, where only regular spaces are allowed) as long as the local part is surrounded by two double quotes

This meant that, in theory, we could use an email address like "><script>alert(1);</script>"@sucuri.net for our client account, submit an order, and see what happens when an administrator views our order in the administration panel.

[Image: Magento-StoredXSS-3, the alert box firing in the Magento admin panel]

We were right! We just triggered an XSS in Magento Core.
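To make the root cause concrete, here is an added Python model (not Sucuri's or Magento's code) of the two address forms described above. It shows that the quoted-string form lets a syntactically valid address carry HTML, so the fix belongs at the template's output sink, not in the validator. The regexes and the mailto-link markup are simplifying assumptions, not Magento's actual Zend validator or info.phtml.

```python
import html
import re

# Simplified model (an assumption, not Magento's real validator rules) of the
# two local-part forms the advisory describes.
# Form 1, "regular": letters, digits and a few punctuation characters;
# double quotes and angle brackets cannot get through.
REGULAR_LOCAL = r"[A-Za-z0-9._%+-]+"
# Form 2, quoted-string: any printable ASCII except '"' and '\', plus regular
# spaces, between two double quotes. '<', '>', '/' and ';' are all allowed.
QUOTED_LOCAL = r'"(?:[\x21\x23-\x5b\x5d-\x7e ]|\\[\x20-\x7e])*"'
DOMAIN = r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}"
EMAIL_RE = re.compile(rf"^(?:{REGULAR_LOCAL}|{QUOTED_LOCAL})@{DOMAIN}$")

# The address from the advisory: syntactically valid, yet it contains markup.
PAYLOAD = '"><script>alert(1);</script>"@sucuri.net'


def is_valid_email(addr: str) -> bool:
    """Validation as the advisory describes it: both forms are accepted."""
    return EMAIL_RE.match(addr) is not None


def render_unsafe(email: str) -> str:
    """Model of the vulnerable template: the raw value is echoed into the
    admin page (the mailto-link markup is an assumption)."""
    return f'<a href="mailto:{email}">{email}</a>'


def render_safe(email: str) -> str:
    """The fix: HTML-encode at the output sink. Input validation is not a
    substitute, because a valid address may still contain markup."""
    escaped = html.escape(email, quote=True)
    return f'<a href="mailto:{escaped}">{escaped}</a>'


if __name__ == "__main__":
    # The payload passes validation, so only the sink decides the outcome.
    assert is_valid_email(PAYLOAD)
    print("unsafe:", render_unsafe(PAYLOAD))
    print("safe:  ", render_safe(PAYLOAD))
```

The escaped rendering keeps exactly two tags, the template's own anchor, while the unescaped one lets the address inject four more.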

Patch As Soon As Possible

If you’re using a vulnerable version of Magento, update or patch as soon as possible! If you cannot, we strongly recommend leveraging our Website Firewall or an equivalent technology to get it patched virtually.


Categories: Magento Security, Security Advisory, Vulnerability Disclosure. Tags: XSS

About Marc-Alexandre Montpas

Marc-Alexandre Montpas is Sucuri’s Senior Security Analyst who joined the company in 2014. Marc’s main responsibilities include reversing security patches and scavenging vulnerabilities, old and new. His professional experience covers eight years of finding bugs in open-source software. When Marc isn’t breaking things, you might find him participating in a hacking CTF competition. Connect with him on Twitter.

Comments

  1. Magentowho

    January 25, 2016

    I tried using “>alert(1);”@sucuri.net when creating a new account to test my site and I get this message “Please enter a valid email address. For example johndoe@domain.com.”

    My site is not yet patched either, or does this only work when creating an order?

    • Jerry King IQ

      January 27, 2016

      I tried also; it showed the same error message. I believe the issue is the backend validation.

      • Scooty

        January 27, 2016

        I'm getting an error,
        "the part followed by '@' should not contain a symbol",
        using the mentioned example during registration:
        “>alert(1);”@email.com
        I never updated my site.

        What am I doing wrong? Any ideas?

        • Francis

          January 28, 2016

          This is what I did to replicate.
          1. Copy and paste the email script into Notepad. Then delete the double quotes and type them manually. Now go to the register page on the frontend and register with the edited email ID. Before clicking submit, remove the JavaScript validation for the email field.
          2. You can do this just by removing all the class names from the input tag and changing the input type to text, then submit.
          3. Now go to the admin panel and create an order for the created customer. Repeat step 2 before submitting the order.
          4. After saving, you can see the alert box on the screen.

    • Dani

      January 27, 2016

      Type the quotes manually and not by copy & paste, because the format is broken. And yes, it is the backend validation. We implemented our own security logic to filter script tags from customer input data, so we didn't have the problem like other shops. Very simple 😉

    • VyasXSS

      January 27, 2016

      This isn't working for me either. Can anyone post a working XSS vector?

      • Francis

        January 28, 2016

        This is what I did to replicate.
        1. Copy and paste the email script into Notepad. Then delete the double quotes and type them manually. Now go to the register page on the frontend and register with the edited email ID. Before clicking submit, remove the JavaScript validation for the email field.
        2. You can do this just by removing all the class names from the input tag and changing the input type to text, then submit.
        3. Now go to the admin panel and create an order for the created customer. Repeat step 2 before submitting the order.
        4. After saving, you can see the alert box on the screen.

    • Lucas

      January 27, 2016

      Try modifying the "value=" in the input. I think this input has a type="email" or some other JavaScript. Change the type to "text" and try disabling the JavaScript.

  2. Rafael Corrêa Gomes ♛

    January 25, 2016

    Very cool!

  3. Mike J

    January 26, 2016

    Magento is pretty much irresponsible when it comes to security. No matter where you report/email – support dept, security team, brand evangelist – you never get any response until you publicly disclose the bug and get immediate emails from their legal dept 😀

    • AKMI

      January 26, 2016

      You would hope that being an ecommerce platform they would understand they are a prime target and act responsibly :/

    • benmarks

      January 27, 2016

      If you ever have ANY problems communicating, please let me know at ben@magento.com

  4. Francis Kim

    January 27, 2016

    So, it was you guys! Great job finding this 🙂

  5. Ricky D

    January 27, 2016

    Please, someone post a working XSS vector.

  6. Jason Shin

    January 28, 2016

    Nice job
