egix@karmainsecurity ~ $

Magento <= 1.9.2 (catalogProductCreate) Autoloaded File Inclusion Vulnerability

• Software Link:

http://magento.com

• Affected Versions:

Version 1.9.2 and prior versions.

• Vulnerability Description:

The vulnerability is caused by the “catalogProductCreate” SOAP API implementation, which is defined into the /app/code/core/Mage/Catalog/Model/Product/Api/V2.php script:

109public function create($type, $set, $sku, $productData, $store = null)
110{
111    if (!$type || !$set || !$sku) {
112        $this->_fault('data_invalid');
113    }
114 
115    $this->_checkProductTypeExists($type);
116    $this->_checkProductAttributeSet($set);
117 
118    /** @var $product Mage_Catalog_Model_Product */
119    $product = Mage::getModel('catalog/product');
120    $product->setStoreId($this->_getStoreId($store))
121        ->setAttributeSetId($set)
122        ->setTypeId($type)
123        ->setSku($sku);
124 
125    if (!property_exists($productData, 'stock_data')) {
126        //Set default stock_data if not exist in product data
127        $_stockData = array('use_config_manage_stock' => 0);
128        $product->setStockData($_stockData);
129    }

User input passed through the “productData” SOAP parameter is not properly validated before being used in a call to the property_exists() PHP function at line 125. This can be exploited by attackers with valid API credentials to include and execute arbitrary PHP code (both from local or remote resources) leveraging the Varien_Autoload::autoload() autoloading function. Successful exploitation of this vulnerability requires the application running on PHP before version 5.4.24 or 5.5.8.

• Solution:

Update to version 1.9.2.1 or apply the SUPEE-6482 patch bundle.

• Disclosure Timeline:

[27/02/2015] – Vendor notified

[25/06/2015] – Vendor acknowledgement stating the issue will be fixed in the next release

[04/08/2015] – Version 1.9.2.1 released along with the patch for this vulnerability

[13/08/2015] – CVE number requested

[17/08/2015] – CVE number assigned

[11/09/2015] – Public disclosure

• CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2015-6497 to this vulnerability.

• Credits:

Vulnerability discovered by Egidio Romano.