Amasty Product Feed - Local file disclosure

  • Affects: Amasty (Product-) Feed (Magento 1)
  • Date: 2016-07-20 (updated: 2016-07-26)
  • Author: Jeroen Boersma

Affected versions:

  • 2.4.1+
  • 3.2.3+
  • <3.3.4

Explanation

By changing parameters in the URL, it is possible to access protected and private files on the filesystem. This way you can download Magento's secrets like app/etc/local.xml, or system files like /etc/passwd if your host isn't secure enough.

Every current Amasty feed module is vulnerable. Contact Amasty today to receive the latest patched version.

The actual hack isn't disclosed because we are aware that not everyone will patch today. It could be disclosed in the near future, after people have had time to patch their shops.

Test your Magento shop

After some communication with Magento, it wouldn't be nice to disclose the actual hack. That could do more harm than good.

So, I've contacted Magereport, and it has been added on Magereport.com as an extra check. You can test over there whether your shop is vulnerable and/or the module is already patched.

You can also check your site on https://amastycheck.srcoder.nl/

Amasty update

Received a patched version from Amasty on 2016-07-25. If you are using this module, contact Amasty support to receive the latest patched version of the module. Version 3.3.4 was released on 2016-07-24 on their website. Magento Connect isn't updated yet.

On 2016-07-26 they informed me that they are actively contacting their customers to tell them they should update to the latest version. Their e-mail is added below.

Timeline

  • Worked out vulnerability (2016-07-20)
  • Informed Amasty (2016-07-20 by e-mail)
  • Informed Magento (2016-07-20 by e-mail)
  • First reply from Amasty that they will investigate (2016-07-21 by e-mail)
  • Asked for an update on this (2016-07-22 by e-mail)
  • Received latest patched version from Amasty (2016-07-22 by e-mail)
  • Reviewed latest version which is patched correctly (2016-07-25)
  • Built test script to do remote tests for the vulnerability (2016-07-25)
  • Contacted Magereport.com (2016-07-25 by e-mail)
  • Magento replied with their concerns (2016-07-25 by e-mail)
  • Magento contacted Amasty (2016-07-25)
  • Module blocked on Magento Connect (2016-07-25)
  • Working with Magereport to create a valid test (2016-07-26)
  • Amasty responded how they act (2016-07-26)
  • Amasty e-mail added (2016-07-26)
  • Added test (2016-07-26)
  • Added the word Product to be more clear (2016-07-27)
  • Magereport active (2016-07-27)
  • Removed reference to own check (2016-07-27)

References:

Hello,

We’ve detected a vulnerability which allowed unauthorized access to Magento files in your current Product Feed version. The problem is successfully fixed in the latest version 3.3.4, which is available in your customer account. We are deeply sorry for this issue. Updating to the latest version is highly recommended for your data security.

If your support period is over, please submit a request to our support team and you'll get the package for free.

We’ll continue working on our extensions’ improvement to provide you with the safest and the most effective solutions. Thank you for your understanding!

@oblomovx

commented Jul 28, 2016

Is this specific for the product feed plugin or could the same vulnerability occur in other Amasty plugins?

@adarshkhatri

commented Oct 21, 2016

Magereport has never shown me this vulnerability. You might want to contact Magereport again.
