Threat Research

Magento Commerce Widget Form (Core) XSS Vulnerability

By Zhouyuan Yang | January 07, 2019

Threat Analysis Report from FortiGuard Labs


E-commerce makes life more convenient, but it also faces a growing number of threats across the internet. According to the Alexa top 1M e-commerce platform statistics for 2018, Magento Commerce holds more than a 14% market share, making it the second largest e-commerce platform in the world. Magento’s customers include some highly recognizable companies, including HP, Coca-Cola, and Canon.

The FortiGuard Labs team recently discovered a reflected Cross-Site Scripting (XSS) vulnerability in Magento. It is caused by Magento inserting user-supplied data into a dynamically generated widget form without sanitizing it. Although the vulnerable page lives under the Magento administrator interface, the payload travels in the URL, so an attacker who lures an authenticated administrator into opening a crafted link can run arbitrary script in that administrator’s browser with the administrator’s session. From there the attacker can gain control of high-privilege Magento accounts, access sensitive data, or take control of the vulnerable site.

This XSS vulnerability affects Magento Commerce 2.1 prior to 2.1.16 and Magento Commerce 2.2 prior to 2.2.7.

Analysis

When editing a Magento site page, there are two modes: WYSIWYG Mode and HTML Mode. In WYSIWYG Mode, one of the toolbar buttons is “Insert Widget…” (see Figure 1). Figure 2 shows that the Insert Widget form can also be opened directly by requesting the link http://IP/magento/index.php/admin/admin/widget/index/

Figure 1. The Insert Widget function in WYSIWYG Mode
Figure 2. Directly accessing the Insert Widget function form

The form in Figure 2 is generated by a PHP function in Widget.php, located at /vendor/magento/module-widget/Block/Adminhtml/Widget.php. It extracts the value of the request parameter “widget_target_id” from the user-supplied URL and inserts it into a script tag, as shown in Figure 3. For example, when we access the link http://IP/magento/index.php/admin/admin/widget/index/widget_target_id/yzy9952, the value yzy9952 is inserted into the script tag, as shown in Figure 4.

Figure 3. Widget.php generating the form script tag
Figure 4. The form script tag generated by Widget.php

The function does not actually sanitize the value: it simply drops the raw parameter between a pair of double quotes, and the “"”, “)”, “}” and “;” that follow it belong to the original script, not to any filter. An attacker therefore ends the string literal and each enclosing construct with “")});”, and then hides the remainder of the original script text by appending the HTML comment opener “<!--”, which JavaScript engines accept as the start of a single-line comment (a legacy rule for scripts embedded in HTML). This can be seen in the following example: http://IP/magento/index.php/admin/admin/widget/index/widget_target_id/yzy9952")});test<!--

Figure 5. Bypassing the filter

At this point, an attacker controls the text of the script. As we can see, the script begins by calling a function named “require”, but no such function exists at the point where this inline script runs. JavaScript hoists function declarations, so if the injected text declares a function named “require”, that declaration is processed before the script’s first statement executes, and the original require(...) call at the top of the script invokes the attacker’s function instead. The following PoC uses this to run attacker-supplied code, displaying the document’s domain: http://IP/magento/index.php/admin/admin/widget/index/widget_target_id/yzy9952")});function%20require(){alert(document.domain)}<!--.

Figure 6. PoC


Solution

All users of vulnerable versions of Magento Commerce are encouraged to upgrade to the latest Magento version or apply the latest patches immediately. Additionally, organizations that have deployed Fortinet IPS solutions are already protected from this vulnerability by the following signature:

Adobe.Magento.Widget.XSS
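For teams that want to check their own web-server logs for attempts against the widget form, the following is an added example; it is not from the article and is unrelated to the Fortinet signature above. It relies on two observations from the write-up: widget_target_id is passed as a path segment in the PoC URLs, and a legitimate value is an HTML element id, so any decoded value containing characters outside [A-Za-z0-9_-] deserves a look. The access-log lines, client addresses and timestamps are constructed for this example.

```javascript
// Added example (not from the article): hunt access logs for widget_target_id
// values that cannot be a plain element id. Sample log lines are constructed.

// Decode percent-encoding repeatedly (bounded) so double-encoded payloads are
// compared in their final form; stop on malformed sequences.
function fullyDecode(raw) {
  let current = raw;
  for (let round = 0; round < 3; round++) {
    let next;
    try { next = decodeURIComponent(current); } catch (e) { break; }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Extract widget_target_id whether it arrives as a path segment
// (/widget_target_id/<value>/) or as a query parameter (?widget_target_id=).
function extractWidgetTargetId(path) {
  const seg = /\/widget_target_id\/([^/?]*)/.exec(path);
  if (seg) return fullyDecode(seg[1]);
  const q = /[?&]widget_target_id=([^&]*)/.exec(path);
  return q ? fullyDecode(q[1]) : null;
}

// Element ids used as widget targets are plain identifiers.
const SAFE_TARGET_ID = /^[A-Za-z0-9_-]*$/;

// Minimal parser for the common/combined log format: client, timestamp,
// method, request path and status are all this check needs.
function parseLogLine(line) {
  const m = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/.exec(line);
  if (!m) return null;
  return { client: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// One record per request to the widget form whose decoded widget_target_id is
// not a plain identifier.
function findSuspiciousWidgetRequests(lines) {
  const hits = [];
  for (const line of lines) {
    const req = parseLogLine(line);
    if (!req || !/\/admin\/widget\/index\b/.test(req.path)) continue;
    const value = extractWidgetTargetId(req.path);
    if (value === null || SAFE_TARGET_ID.test(value)) continue;
    hits.push({ client: req.client, time: req.time, status: req.status, value });
  }
  return hits;
}

// Constructed sample log: normal use, the PoC as a browser would encode it,
// a double-encoded variant, and unrelated admin traffic.
const SAMPLE_ACCESS_LOG = [
  '203.0.113.5 - - [07/Jan/2019:10:00:01 +0000] "GET /magento/index.php/admin/admin/widget/index/widget_target_id/cms_page_form_content/ HTTP/1.1" 200 5123',
  '198.51.100.7 - - [07/Jan/2019:10:02:14 +0000] "GET /magento/index.php/admin/admin/widget/index/widget_target_id/yzy9952%22)})%3Bfunction%20require()%7Balert(document.domain)%7D%3C!-- HTTP/1.1" 200 5187',
  '198.51.100.7 - - [07/Jan/2019:10:02:40 +0000] "GET /magento/index.php/admin/admin/widget/index/widget_target_id/yzy9952%2522)})%253Btest%253C!-- HTTP/1.1" 302 -',
  '203.0.113.5 - - [07/Jan/2019:10:03:05 +0000] "GET /magento/index.php/admin/admin/dashboard/ HTTP/1.1" 200 22314',
];

console.log(findSuspiciousWidgetRequests(SAMPLE_ACCESS_LOG));
```

A 200 response to one of these requests means the admin session was valid and the form was rendered with the payload; a 302 to the login page means the link was followed without a session and is an attempt rather than a success, but it still identifies the source worth blocking.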

