Magento <= 1.9.2 (catalogProductCreate) Autoloaded File Inclusion Vulnerability
• Software Link:
• Affected Versions:
Version 1.9.2 and prior versions.
• Vulnerability Description:
The vulnerability is caused by the “catalogProductCreate” SOAP API implementation, which is defined in the /app/code/core/Mage/Catalog/Model/Product/Api/V2.php script:
    public function create($type, $set, $sku, $productData, $store = null)
    {
        if (!$type || !$set || !$sku) {
            $this->_fault('data_invalid');
        }

        $this->_checkProductTypeExists($type);
        $this->_checkProductAttributeSet($set);

        /** @var $product Mage_Catalog_Model_Product */
        $product = Mage::getModel('catalog/product');

        $product->setStoreId($this->_getStoreId($store))
            ->setAttributeSetId($set)
            ->setTypeId($type)
            ->setSku($sku);

        // line 125 of the original file: $productData reaches property_exists() unvalidated
        if (!property_exists($productData, 'stock_data')) {
            //Set default stock_data if not exist in product data
            $_stockData = array('use_config_manage_stock' => 0);
            $product->setStockData($_stockData);
        }
User input passed through the “productData” SOAP parameter is not properly validated before being used in a call to the “property_exists()” function at line 125. This can be exploited by attackers with valid API credentials to include and execute arbitrary PHP code (from either local or remote resources) by leveraging the Varien_Autoload::autoload() autoloading function. Successful exploitation of this vulnerability requires the application to be running on a PHP version prior to 5.4.24 or 5.5.8.
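The following is an added defensive illustration, not code from Magento or from the advisory author: it shows the two places where the issue described above can be stopped, a type check on the SOAP parameter before it reaches property_exists(), and an autoloader that validates the requested class name before mapping it to a file. The function names validateProductData and safeAutoload are hypothetical, and the class-to-path mapping is only modelled on the underscore-to-directory convention Varien_Autoload uses, not copied from it.

```php
<?php
// Added example, not Magento's or the advisory author's code.
//  1. validateProductData(): reject a productData value that is not an
//     object, so property_exists() is never called with a string that PHP
//     (before 5.4.24 / 5.5.8) would hand to the autoloader.
//  2. safeAutoload(): validate the class name before it is turned into a
//     path, so a string that does reach the autoload mechanism can only
//     resolve to a file under the expected layout.

function validateProductData($productData)
{
    // The SOAP layer delivers a complex type as a stdClass; anything else
    // (string, int, array) is refused before it is used.
    if (!is_object($productData)) {
        throw new InvalidArgumentException('productData must be an object');
    }
    return $productData;
}

function safeAutoload($class)
{
    // Magento class names consist of letters, digits, underscores and
    // namespace separators only; '.', '/', ':' and similar are refused,
    // which also rules out any stream wrapper prefix.
    if (!preg_match('/\A[A-Za-z0-9_\\\\]+\z/', $class)) {
        error_log('autoload refused for unexpected class name: ' . $class);
        return;
    }
    // Mapping modelled on Varien_Autoload (assumption): separators become
    // directory separators, and the file is looked up on the include_path.
    $path = str_replace(array('_', '\\'), DIRECTORY_SEPARATOR, $class) . '.php';
    $resolved = stream_resolve_include_path($path);
    if ($resolved !== false) {
        include $resolved;
    }
}

spl_autoload_register('safeAutoload');

// Constructed inputs: the first mirrors a well-formed request, the second
// the shape of a malformed one where the parameter is a plain string.
$good = (object) array('name' => 'Widget', 'price' => 9.99);
validateProductData($good);               // accepted

try {
    validateProductData('Not_An_Object');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;       // rejected before property_exists()
}
```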
• Solution:
Update to version 1.9.2.1 or apply the SUPEE-6482 patch bundle.
• Disclosure Timeline:
[27/02/2015] – Vendor notified
[25/06/2015] – Vendor acknowledgement stating the issue will be fixed in the next release
[04/08/2015] – Version 1.9.2.1 released along with the patch for this vulnerability
[13/08/2015] – CVE number requested
[17/08/2015] – CVE number assigned
[11/09/2015] – Public disclosure
• CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2015-6497 to this vulnerability.
• Credits:
Vulnerability discovered by Egidio Romano.