Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save JeroenBoersma/87b7c996f66b96b2a24d8977b1b165ac to your computer and use it in GitHub Desktop.
Save JeroenBoersma/87b7c996f66b96b2a24d8977b1b165ac to your computer and use it in GitHub Desktop.
Amasty Product Feed - Local file disclosure

Amasty Product Feed - Local file disclosure

  • Affects: Amasty (Product-) Feed (Magento 1)
  • Date: 2016-07-20 (updated: 2016-07-26)
  • Author: Jeroen Boersma

Affected versions:

  • 2.4.1+
  • 3.2.3+
  • <3.3.4


It is possible by changing parameters in the url to access protected and private files on the filesystem. This way you can download Magento's secrets like app/etc/local.xml or system files like /etc/passwd if your host isn't secure enough.

Every current Amasty feed module is vulnerable. Contact Amasty today to receive the latest patched version.

The actual hack isn't disclosed because we are aware that not everyone will patch today. It could be disclosed in the near future after people had time to patch their shops.

Test your Magento shop

After some communication with Magento, it wouldn't be nice to disclose the actual hack. That could do more harm than good.

So, I've contacted Magereport, it is added on as a extra check. You can test over there if your shop is vulnerable and/or the module is patched already.

You can also check your site on

Amasty update

Received a patched version from Amasty on 2016-07-25. If you are using this module contact Amasty support to receive the latest patched version for the module. Version 3.3.4 is released on 2016-07-24 from their website. Magento connect isn't updated yet.

On 2016-07-26 they informed me that they activily contacting their customers they should update to the latest version. E-mail is added below.


  • Worked out vulnerability (2016-07-20)
  • Informed Amasty (2016-07-20 by e-mail)
  • Informed Magento (2016-07-20 by e-mail)
  • First reply from Amasty that they will investigate (2016-07-21 by e-mail)
  • Asked for an update on this (2016-07-22 by e-mail)
  • Received latest patched version from Amasty (2016-07-22 by e-mail)
  • Reviewed latest version which is patched correctly (2016-07-25)
  • Build testscript to do remote tests for vulnerability (2016-07-25)
  • Contacted (2016-07-25 by e-mail)
  • Magento replied with their concerns (2016-07-25 by e-mail)
  • Magento contacted Amasty (2016-07-25)
  • Module blocked on Magento connect (2016-07-25)
  • Working with Magereport to create a valid test (2016-07-26)
  • Amasty responded how they act (2016-07-26)
  • Amasty e-mail added (2016-07-26)
  • Added test (2016-07-26)
  • Added the word Product to be more clear (2016-07-27)
  • Magereport active (2016-07-27)
  • Removed reference to own check (2016-07-27)



We’ve detected vulnerability, which allowed an unauthorized access to Magento files in your current Product Feed version. The problem is successfully fixed in the latest version 3.3.4, which is available in your customer account. We are deeply sorry for this issue. Updating to the latest version is highly recommended for your data security.

If your support period is over, please submit a request to our support team and you'll get the package for free.

We’ll continue working on our extensions’ improvement to provide you with the safest and the most effective solutions. Thank you for your understanding!

Copy link

Is this specific for the product feed plugin or could the same vulnerability occur in other Amasty plugins?

Copy link

Magereport never shown me this vulnerability. You might want to contact magereport again.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment