Amasty Product Feed - Local file disclosure

  • Affects: Amasty (Product-) Feed (Magento 1)
  • Date: 2016-07-20 (updated: 2016-07-26)
  • Author: Jeroen Boersma

Affected versions:

  • 2.4.1+
  • 3.2.3+
  • <3.3.4

Explanation

By changing parameters in the URL, it is possible to access protected and private files on the filesystem. This way, Magento's secrets such as app/etc/local.xml can be downloaded, as can system files such as /etc/passwd if your host isn't secure enough.

Every current Amasty feed module is vulnerable. Contact Amasty today to receive the latest patched version.

The actual hack isn't disclosed because we are aware that not everyone will patch today. It could be disclosed in the near future, after people have had time to patch their shops.

Test your Magento shop

After some communication with Magento, it became clear that it wouldn't be nice to disclose the actual hack. That could do more harm than good.

So, I've contacted Magereport, and it has been added on Magereport.com as an extra check. You can test over there whether your shop is vulnerable and/or whether the module is already patched.

You can also check your site on https://amastycheck.srcoder.nl/

Amasty update

Received a patched version from Amasty on 2016-07-25. If you are using this module, contact Amasty support to receive the latest patched version. Version 3.3.4 was released on their website on 2016-07-24. Magento Connect isn't updated yet.

On 2016-07-26 they informed me that they are actively contacting their customers to tell them they should update to the latest version. Their e-mail is added below.

Timeline

  • Worked out vulnerability (2016-07-20)
  • Informed Amasty (2016-07-20 by e-mail)
  • Informed Magento (2016-07-20 by e-mail)
  • First reply from Amasty that they will investigate (2016-07-21 by e-mail)
  • Asked for an update on this (2016-07-22 by e-mail)
  • Received latest patched version from Amasty (2016-07-22 by e-mail)
  • Reviewed latest version which is patched correctly (2016-07-25)
  • Built test script to do remote tests for the vulnerability (2016-07-25)
  • Contacted Magereport.com (2016-07-25 by e-mail)
  • Magento replied with their concerns (2016-07-25 by e-mail)
  • Magento contacted Amasty (2016-07-25)
  • Module blocked on Magento Connect (2016-07-25)
  • Working with Magereport to create a valid test (2016-07-26)
  • Amasty responded how they act (2016-07-26)
  • Amasty e-mail added (2016-07-26)
  • Added test (2016-07-26)
  • Added the word Product to be more clear (2016-07-27)
  • Magereport active (2016-07-27)
  • Removed reference to own check (2016-07-27)

References:

Hello,

We’ve detected a vulnerability which allowed unauthorized access to Magento files in your current Product Feed version. The problem is successfully fixed in the latest version 3.3.4, which is available in your customer account. We are deeply sorry for this issue. Updating to the latest version is highly recommended for your data security.

If your support period is over, please submit a request to our support team and you'll get the package for free.

We’ll continue working on our extensions’ improvement to provide you with the safest and the most effective solutions. Thank you for your understanding!

@oblomovx

Is this specific for the product feed plugin or could the same vulnerability occur in other Amasty plugins?

@adarshkhatri

Magereport has never shown me this vulnerability. You might want to contact Magereport again.
