Amasty Product Feed - Local file disclosure
- Affects: Amasty (Product-) Feed (Magento 1)
- Date: 2016-07-20 (updated: 2016-07-26)
- Author: Jeroen Boersma
Affected versions:
- 2.4.1+
- 3.2.3+
- <3.3.4
Explanation
By changing parameters in the URL it is possible to access protected and private files on the filesystem. This way an attacker can download Magento's secrets, such as app/etc/local.xml, or system files such as /etc/passwd if your host isn't locked down enough.
Every current Amasty feed module is vulnerable. Contact Amasty today to receive the latest patched version.
The actual exploit isn't disclosed because we are aware that not everyone will patch today. It may be disclosed in the near future, after people have had time to patch their shops.
Test your Magento shop
After some communication with Magento, disclosing the actual exploit seemed unwise: it could do more harm than good.
So I contacted Magereport, and the check has been added to Magereport.com as an extra test. You can test there whether your shop is vulnerable and/or whether the module has already been patched.
You can also check your site on https://amastycheck.srcoder.nl/
Amasty update
Received a patched version from Amasty on 2016-07-25. If you are using this module, contact Amasty support to receive the latest patched version. Version 3.3.4 was released on 2016-07-24 on their website. Magento Connect hasn't been updated yet.
On 2016-07-26 they informed me that they are actively contacting their customers to tell them to update to the latest version. The e-mail is added below.
Timeline
- Worked out vulnerability (2016-07-20)
- Informed Amasty (2016-07-20 by e-mail)
- Informed Magento (2016-07-20 by e-mail)
- First reply from Amasty that they will investigate (2016-07-21 by e-mail)
- Asked for an update on this (2016-07-22 by e-mail)
- Received latest patched version from Amasty (2016-07-22 by e-mail)
- Reviewed latest version which is patched correctly (2016-07-25)
- Built a test script to remotely test for the vulnerability (2016-07-25)
- Contacted Magereport.com (2016-07-25 by e-mail)
- Magento replied with their concerns (2016-07-25 by e-mail)
- Magento contacted Amasty (2016-07-25)
- Module blocked on Magento connect (2016-07-25)
- Working with Magereport to create a valid test (2016-07-26)
- Amasty responded with how they are handling it (2016-07-26)
- Amasty e-mail added (2016-07-26)
- Added test (2016-07-26)
- Added the word "Product" to the title to be clearer (2016-07-27)
- Magereport active (2016-07-27)
- Removed reference to own check (2016-07-27)
Is this specific for the product feed plugin or could the same vulnerability occur in other Amasty plugins?