what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Magento EE 1.9.1.1 Poisoning

Magento EE 1.9.1.1 Poisoning
Posted Feb 7, 2011
Authored by Jan Frisby

Magento Enterprise Edition versions 1.9.1.1 and below are vulnerable to poisoning of their page cache under some configurations due to inappropriate trust of HTTP Host header values.

tags | advisory, web
SHA-256 | 072a4238f4c72a544abc579cda6ed12b6b8491d1864bd0cbba463b2fa2d60083

Magento EE 1.9.1.1 Poisoning

Change Mirror Download
Summary:

Magento Enterprise Edition is vulnerable to poisoning of its page cache
under some configurations due to inappropriate trust of HTTP Host header
values.


Impact:

Users shopping at online stores driven by Magento EE can be redirected
to arbitrary third party sites, allowing malicious entities to entice
users to hand over their credit card information inappropriately.


Severity:

Major -- Exploit allows for content injection, and hijacking of users.
Exploits have been observed in the wild.


Fix/Workaround Status:

At this time, the vendor (Magento Inc) has only stated an intent to fix
the problem (as a "product enhancement") but has not provided any patch
despite being given considerable lead time by us and being first made
aware of the problem in 2008 (see note below for more details).

The issue can be worked around using one of several configuration-
related changes, including one which the vendor introduced in 2008.


Affected Versions:

All versions of Magento EE, up to and including 1.9.1.1 (the latest as
of this writing) when page caching is enabled. It is unclear if the
block-level caching in Magento Community/Professional Edition is
similarly impacted, however both are likely vulnerable to the
misinterpretation of data.


Details:

Magento uses a hierarchical configuration mechanism, allowing values
such as site URLs to be set at a global level and at a more specific
per-storefront level. Magento EE adds a mechanism for caching whole
pages.

With default URL values, Magento EE can be tricked into generating page
cache entries with arbitrary URL values by simply sending an artificial
HTTP Host header. Unfortunately, setting the URL value at the
*storefront* level is insufficient to prevent this behavior.

In order to prevent this issue, one of the following must be true:

The key is to have the web server send only trustworthy/cleansed values
to PHP.

The following are example approaches for Apache:

* Your web server is configured in a way that results in untrusted Host
values never being sent to PHP. An example of this would be the use of
name-based vhosts that do not point the "_default_" vhost to a Magento
instance.

* Using one or more ServerAlias masks with IP-based vhosting to
constrain the range of valid host values.

Magento level:

* Provide Base Unsecure URL and Base Secure URL values in the "Default
Config" (top-level) configuration. The precise values do not appear to
matter, just so long as some value is present.

Reproducing the problem simply requires requesting any URL with a forged
Host header at a time when the page cache is considered invalid.


Nota Bene:

The vendor's solution to the problem when confronted with it in 2008[1]
was to introduce a vaguely worded warning[2] in the admin UI when the
base URL value is not defined at the top level of the configuration
hierarchy.

Given that:

1) It is not made clear that the configuration status presents a severe
security hole.

2) A non-default base URL value in the top-level configuration level is
never actually *used* in page-cache generation. Its presence apparently
serves only to trigger use of the per-storefront configuration value.

We therefore hold that the provided warning does not suffice as a 'fix'.
The vendor has indicated that they believe otherwise both through their
actions and their communications with us.


References:

[1] http://www.magentocommerce.com/boards/viewthread/8220/

[2] The exact wording of the message is: "{{base_url}} is not
recommended to use in a production environment to declare the Base
Unsecure URL / Base Secure URL. It is highly recommended to change this
value in your Magento configuration."

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close