Incident Response, TDR, Vulnerability Management

Zero-Day in Magento plug-in could allow attacker to steal data

Researchers at Trustwave spotted a zero-day exploit in the Magmi plug-in for the Magento e-commerce platform that can be used by an attacker to access credentials and potentially gain complete control of the a user's Magento database.

The vulnerability exists in Magmi version 0.7.21 and prior when downloaded from SourceForge however, versions downloaded from Github are not currently vulnerable.

Karl Sigler, Threat Intelligence Manager at Trustwave told in a Wednesday email correspondence that customer card data would be the most vulnerable and sought after data if this were exploited.

“In a worst case scenario, the Magento install could be set up to store the credit card information in the database long term, which would put all that data at risk if Magento was compromised,” Sigler said.

Sigler said if an administrator installs Magmi in the same directory as Magento and does not take steps to secure the Magento credentials file local.xml they will be vulnerable to exploitation. He went on to say that a single GET request would be enough to grab the credentials file.

Its unclear how many people are vulnerable to the attack. Magento has over 240,000 installs and Magmi was downloaded from SourceForge over 2,800 times in September alone, according to the blog.

“Users should follow the Magento security guide for how to protect your local.xml file. Users can also move from the Magmi version on SourceForge and use the non-vulnerable GitHub version instead,” Sigler said.

Trustwave Lead Security Researcher Assi Barak said in an Oct. 13 blog that both Magmi and Magento have been notified of the vulnerability and that Magento has issued a security notification to their partners and users that opt to receive such notifications. The e-commerce platform also informed the researchers that it has contacted the owners of 1,700 sites that it believes are vulnerable to the exploit. 

A Magento spokesperson told in a Wednesday email correspondence "We had previously communicated remediation steps to our partners and users, as well as posted an alert on our security center website. We have also requested SourceForge remove the extension from their site. We take a proactive stance on security and are vigilant about alerting our merchants and partners to any potential issues, even if they are from third-party developers."

UPDATE: The article has been modified to include comments from Magento.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.