---
---
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<link rel="stylesheet" type="text/css" href="{{ site.baseurl }}common/css/stylesheet.css"/>
<link rel="stylesheet" href="{{ site.baseurl }}common/css/stylesheet-fonts.css" type="text/css" charset="utf-8">
<link rel="icon" href="{{ site.baseurl }}common/css/favicon.ico" type="image/x-icon">
<link rel="shortcut icon" href="{{ site.baseurl }}common/css/favicon.ico" type="image/x-icon">
<title>Resolving a Remote Code Execution Exploit</title>
</head>
<body>
<img src="{{ site.baseurl }}common/images/m1x/m1xheader.png" width="1024" alt="header" />
<a name="top"></a>
<div id="content">
<h1>Resolving a Remote Code Execution Exploit</h1>
<div class="toc"><h4>Table of Contents</h4>
<ul><li><a href="#overview">Overview</a></li>
<li><a href="#affected">Versions Affected</a></li>
<li><a href="#patch">Getting the Patch</a></li>
<li><a href="#vulnerable">Determining Your Vulnerability to the File System Attack</a></li>
<li><a href="#resolve">Resolving the File System Vulnerability</a></li>
</ul></div>
<h2 id="overview">Overview</h2>
<p>We recently identified potential exploits that:</p>
<ul><li>Enable an attacker to execute arbitrary code on your Magento server.</li>
<li>Create files with a <tt>.csv</tt> extension, create writable directories, and change the permissions of existing files to world-writable (777).
</li>
</ul>
<div class="msg-box important"><img src="{{ site.baseurl }}common/images/m1x/icon-note.png" alt="note" align="left" width="40"><span><strong>Note</strong>: The preceding exploits require the attacker to have administrative access to your Magento Admin Panel Dashboard. You can resolve these issues with the patch discussed in this article.</span></div>
<p>Creating files with a <tt>.csv</tt> extension is dangerous when the file name also carries a <tt>.php</tt> extension (for example, <tt>test.php.csv</tt>) and the web server is configured as discussed in this article: Apache applies an <tt>AddHandler ... .php</tt> directive to any extension in the file name, not only the last one, so the <tt>.csv</tt> file is executed as PHP. The ability to run code from a file with a <tt>.csv</tt> extension is dangerous by itself and could be combined with other attacks; for example, targeting other software installed on the server.</p>
<p>You can resolve this issue by changing your server's configuration as discussed in <a href="#resolve">Resolving the File System Vulnerability</a>.</p>
<p>Although the affected Magento code is protected by a hash value, a successful exploit cannot be ruled out because the secret from which that hash is derived has low entropy.</p>
<p>We strongly recommend that you take the precautions discussed in this article <em>and</em> apply the patch for your version of Magento Enterprise Edition or Community Edition.</p>
<h2 id="affected">Versions Affected</h2>
<p><em>Magento software versions affected</em>: The issue affects all shipping versions of Magento Community Edition (CE) and Enterprise Edition (EE).</p>
<p><em>Operating system versions affected</em>:</p>
<ul><li>CentOS 5.x and 6.x</li>
<li>RedHat Enterprise Linux 5.x and 6.x</li></ul>
<h2 id="patch">Getting the Patch</h2>
<p>The following table shows the patch you should get for your version of CE or EE.</p>
<table>
<tbody>
<tr>
<th>Version</th>
<th>Patch</th>
</tr>
<tr>
<td>EE 1.13 and 1.14, CE 1.8 and 1.9</td>
<td>SUPEE-1533_EE_1.13.x_v1.patch</td>
</tr>
<tr>
<td>EE 1.12, CE 1.7</td>
<td>SUPEE-1533_EE_1.12.x_v1.patch</td>
</tr>
<tr>
<td>EE 1.11, CE 1.6</td>
<td>SUPEE-1533_EE_1.11.x_v1.patch
</td></tr>
<tr>
<td>EE 1.10.1, CE 1.5.1</td>
<td>SUPEE-1533_EE_1.10.1.x_v1.patch</td>
</tr>
<tr>
<td>EE 1.10.0.1, CE 1.5.0.1</td>
<td>SUPEE-1533_EE_1.10.0.x_v1.patch</td>
</tr>
<tr>
<td>EE 1.9</td>
<td>SUPEE-1533_EE_1.9.x_v1.patch</td></tr>
</tbody></table>
<p>To get and apply your patch, see <a href="{{ site.m1xgdeurl }}other/ht_install-patches.html" target="_blank">How to Apply and Revert Magento Patches</a>.</p>
<div class="msg-box important"><img src="{{ site.baseurl }}common/images/m1x/icon-important.png" alt="important" align="left" width="40"><span><strong>Important</strong>: After applying your patch, Magento strongly recommends you evaluate your vulnerability and configure PHP as discussed in <a href="#resolve">Resolving the File System Vulnerability</a>.</span></div>
<h2 id="vulnerable">Determining Your Vulnerability to the File System Attack</h2>
<p>To determine if you're vulnerable to execution of PHP code with a non-PHP extension, search your web server configuration for the following string:</p>
<pre>AddHandler application/x-httpd-php .php</pre>
<p>The Apache configuration file is typically <tt>/etc/httpd/conf/httpd.conf</tt>. Also check the files it includes, such as <tt>/etc/httpd/conf.d/php.conf</tt>, where the CentOS and Red Hat Enterprise Linux PHP packages place this directive (the handler name there may be <tt>php5-script</tt> rather than <tt>application/x-httpd-php</tt>). A commented-out line (preceded by <tt>#</tt>) is not active.</p>
<p>To confirm you're vulnerable:</p>
<ol><li>Create a file named <tt>test.php.csv</tt> anywhere in your web server's docroot with the following contents:<br>
<pre>&lt;?php
phpinfo();</pre></li>
<li>In a web browser, display that page (for example, <tt>http://www.example.com/path/test.php.csv</tt>).</li>
<li>If your browser saves the file or prompts you to save the file instead of displaying it, your server is <em>not</em> vulnerable. Delete the test file; you can ignore the rest of this article.</li>
<li>If a page similar to the following displays, your server <em>is</em> vulnerable. Delete the test file and continue with the next section.<br>
<img src="{{ site.baseurl }}common/images/m1x/appsec-900_confirm.png"></li></ol>
<h2 id="resolve">Resolving the File System Vulnerability</h2>
<div class="msg-box important"><img src="{{ site.baseurl }}common/images/m1x/icon-note.png" alt="note" align="left" width="40"><span><strong>Note</strong>: Magento strongly recommends you perform all tasks discussed in this section in a development or testing environment first and <em>not</em> directly in a production environment.</span></div>
<p>To resolve this vulnerability, you must log in to the Magento server as a user with <tt>root</tt> privileges or as a user with permissions to change the web server configuration.</p>
<p>To resolve the vulnerability:</p>
<ol><li>Comment out the directive in <tt>httpd.conf</tt> (or in the included file that contains it) by preceding it with a pound sign (#) as follows:<br>
<pre># AddHandler application/x-httpd-php .php</pre></li>
<li>Add a block similar to the following:<br>
<pre>&lt;FilesMatch \.php$&gt;
SetHandler application/x-httpd-php
&lt;/FilesMatch&gt;</pre>
Some operating systems, like Red Hat Enterprise Linux, use a different handler name, such as:
<pre>&lt;FilesMatch \.php$&gt;
SetHandler php5-script
&lt;/FilesMatch&gt;</pre>
The regular expression in this setting matches <tt>.php</tt> only when it is the final extension in the file name, so the handler applies only to PHP files and a file such as <tt>test.php.csv</tt> is no longer executed as PHP.</li>
<li>Restart the web server so the change takes effect, then repeat the test in <a href="#vulnerable">Determining Your Vulnerability to the File System Attack</a>: the browser should now offer <tt>test.php.csv</tt> for download instead of displaying the <tt>phpinfo()</tt> page. Remove the test file when you are done.</li>
</ol>
<p>Because Apache also accepts <tt>AddHandler</tt> in <tt>.htaccess</tt> files wherever <tt>AllowOverride FileInfo</tt> is in effect, check that no <tt>.htaccess</tt> file under the docroot re-enables the multiple-extension handler.</p>
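<p>To automate the configuration check and the post-fix verification, the following is an added shell script; it is not part of Magento's documentation or of the SUPEE-1533 patch. It greps a configuration tree you name (for example <tt>/etc/httpd</tt>) for active <tt>AddHandler</tt> or <tt>AddType</tt> lines bound to <tt>.php</tt>, looks for the end-anchored <tt>FilesMatch</tt> form, and classifies the body returned for <tt>test.php.csv</tt> (fetched with <tt>curl</tt>, which shows the raw source where a browser would prompt to save). The configuration paths, the probe URL, the function names, and the sample responses are assumptions made for this example.</p>

```shell
#!/bin/sh
# Added example (not Magento's own tooling): audit an Apache configuration
# tree for the multiple-extension PHP handler and classify the test.php.csv
# probe. Assumes GNU grep (-r, -E) and, for the live probe only, curl.

# 1. Active (uncommented) "AddHandler ... .php" or "AddType ... .php" lines.
#    mod_mime applies these to any extension in a name, so test.php.csv
#    would run as PHP. Prints file:line:text per hit; exit 0 if any, 1 if none.
find_php_addhandler() {
    grep -rnE '^[[:space:]]*Add(Handler|Type)[[:space:]].*[[:space:]]\.php([[:space:]]|$)' "$@" 2>/dev/null
}

# 2. The hardened form: "<FilesMatch \.php$>" (quoted or not), anchored at the
#    end of the file name. Only the opening line is checked here; read the
#    block to confirm it carries the SetHandler. Exit 0 if present, 1 if not.
has_filesmatch_php() {
    grep -rqE '^[[:space:]]*<FilesMatch[[:space:]]+"?\\\.php\$"?>' "$@" 2>/dev/null
}

# 3. Classify the body returned for http://host/path/test.php.csv.
#    PHP did not run it -> the raw source ("<?php") comes back.
#    PHP ran it         -> phpinfo() HTML, which contains "PHP Version".
classify_probe() {
    case "$1" in
        *'<?php'*)       echo not-vulnerable ;;
        *'PHP Version'*) echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# 4. Live probe (network): fetch the URL and classify what came back.
probe_url() {
    classify_probe "$(curl -fsS "$1")"
}

# 5. Verdict for a configuration tree: "weak" while any active .php
#    AddHandler/AddType remains, "fixed" once only the FilesMatch form is
#    present, "no-php-handler" if neither is found.
config_verdict() {
    if find_php_addhandler "$@" >/dev/null; then
        echo weak
    elif has_filesmatch_php "$@"; then
        echo fixed
    else
        echo no-php-handler
    fi
}

# Usage: sh audit-php-handler.sh /etc/httpd [http://www.example.com/path/test.php.csv]
if [ -n "${1:-}" ]; then
    config_verdict "$1"
    if [ -n "${2:-}" ]; then probe_url "$2"; fi
fi
```

<p>Run it against the configuration tree before and after the change; a verdict of <tt>weak</tt> means an active multiple-extension handler remains (remember that a match in a file that Apache does not include is harmless, and a directive in an <tt>.htaccess</tt> file is not covered unless you pass the docroot as well), and <tt>fixed</tt> means only the <tt>FilesMatch</tt> form was found.</p>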
</div>
</body>
</html>