Magento Security – High Risk Remote Code Execution Vulnerability

Magento websites running version 2.1 and below may be open to a serious security flaw that allows for remote code execution, allowing malicious parties to potentially extract sensitive user data.

The following guide will outline what the attack is, and how you can mitigate this exploit.

How does the attack work?

When retrieving a preview image for Vimeo content, the request method can be altered from POST to GET. The retrieved image is then stored on the site and is not removed, even if the image subsequently fails validation.
Finally, if an administrator is tricked into clicking a URL carrying a cross-site request forgery attack, this may allow for remote code execution.

How to prevent it?

As this problem has not been officially patched by the Magento developers, the remote code execution must be mitigated by enforcing “Add Secret Key to URLs”.

Steps to take

  1. Log in to the backend of your Magento website.
  2. From the left-hand menu select Stores > Configuration.
  3. Select Advanced > Admin.
  4. Within the Security section scroll down to Add Secret Key to URLs and ensure that it is set to Yes.
  5. Click Save Config.
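To show why the secret key defeats the crafted-link step described above, here is an added example (not Magento's code) that models an admin URL guard: the key is bound to the victim's own session form key and to the route, so a link prepared by an outsider carries no valid key, and a GET request is refused outright. The HMAC construction, the `/key/<hex>/` path segment and all URLs are assumptions made for this model.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed model of an "Add Secret Key to URLs" style guard (not Magento's own code).
# Assumptions: the key is an HMAC over the route path keyed with the per-session form
# key, and it travels as a trailing /key/<hex>/ segment of the admin URL.

def make_secret_key(form_key: str, route: str) -> str:
    """Derive the per-session, per-route secret key that a legitimate admin URL carries."""
    return hmac.new(form_key.encode(), route.encode(), hashlib.sha256).hexdigest()

def build_admin_url(base: str, route: str, form_key: str) -> str:
    """Build an admin URL for this session, including its secret key segment."""
    return f"{base}{route}/key/{make_secret_key(form_key, route)}/"

def split_route_and_key(path: str):
    """Return (route, key) from an admin URL path; key is None when the segment is absent."""
    parts = [p for p in path.split("/") if p]
    if len(parts) >= 2 and parts[-2] == "key":
        return "/" + "/".join(parts[:-2]), parts[-1]
    return "/" + "/".join(parts), None

def authorize_admin_request(method: str, url: str, session_form_key: str) -> bool:
    """Accept a state-changing admin request only if it is a POST and its key
    matches the key this session would have generated for this exact route."""
    if method.upper() != "POST":
        return False                      # a clicked link (GET) never qualifies
    route, key = split_route_and_key(urlsplit(url).path)
    if key is None:
        return False                      # crafted URL without a key segment
    expected = make_secret_key(session_form_key, route)
    return hmac.compare_digest(key, expected)

if __name__ == "__main__":
    base, route = "https://shop.example", "/admin/some_module/save"   # constructed values
    victim_key = "victim-session-form-key"
    good = build_admin_url(base, route, victim_key)
    forged = build_admin_url(base, route, "attacker-session-form-key")
    print("legitimate POST:", authorize_admin_request("POST", good, victim_key))     # True
    print("same URL via GET:", authorize_admin_request("GET", good, victim_key))     # False
    print("key from other session:", authorize_admin_request("POST", forged, victim_key))  # False
```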

Thanks to DefenseCode for their full write-up of this issue, which can be found here.
