Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label PHP Code Injection. Show all posts

Several Magento Sites were Targeted by a Surge of MageCart Attacks

 

A large number of online stores using the Magento 1 e-commerce system were targeted by a web skimmer, according to Sansec, an eCommerce security consultancy. 

The crawler detected roughly 374 infections in a single day, indicating an onslaught. The infection was downloaded from the domain naturalfreshmall[.]com, which is presently offline. The threat operators' purpose was to steal credit card information from consumers at the targeted online retailers.

An attacker often uses a security flaw in the Quickview plugin to insert rogue admin users into susceptible Magento stores as the initial intrusion vector. Under this scenario, however, the flaw was exploited to add a default value resulting in the database being updated with a file carrying a simple backdoor. By just surfing the Magento login page, the validation requirements for prospective consumers would be used to initiate the code execution. 

By implementing a default value to the customer_ eav_attribute table, misuse is possible. The host app is tricked into creating a malicious entity, which is then utilized to generate a basic backdoor (api 1.php). As per Sansec, the intruders installed 19 backdoors on the hacked system, which means the affected sites must remove all of them to avoid being targeted in future attacks.

Although thousands of merchants continue to use it, the Magento 1 platform has hit End-of-Life, and Adobe no longer provides security upgrades for the same. As a result, the sites are accessible to a wide range of cyberattacks, putting the clients' sensitive information at risk. These details usually include credit card numbers, mailing addresses, names, phone numbers, and email addresses, as well as anything else required to complete an online order.

All Magento administrators should make sure it is running the most current edition of the platform and upgrade if it is on an older, unsupported version.

Ebrahim Hegazy discovered PHP Code Injection Vulnerability in Yahoo

PHP Code Injection vulnerability

 A Web application penetration tester, Ebrahim Hegazy, has discovered a critical remote PHP code injection vulnerability in the Yahoo website that could allowed hackers to inject and execute any php code on the Yahoo server.

The vulnerability exists in the Taiwan sub-domain of the Yahoo "
http://tw.user.mall.yahoo.com/rating/list?sid=[CODE_Injection]".  The 'sid' parameter allows to inject PHP code.

According to his blog post, the sid parameter might have been directly passed to an eval() function that results in the code Injection.

In his demo, Ebrahim showed how he to get the directories list and process list by injecting the following code:
http://tw.user.mall.yahoo.com/rating/list?sid=${@print(system(“dir”))}
http://tw.user.mall.yahoo.com/rating/list?sid=${@print(system(“ps”))}

He also found out that Yahoo server is using an outdated kernel which is vulnerable to "Local Privilege escalation" vulnerability.

Yahoo immediately fixed the issue after getting the notification from the researcher.  However, he is still waiting for the Bug bounty reward for the bug.  Google pays $20,000 for such kind of vulnerabilities. Yahoo sets the maximum bounty amount as "$15,000".  Let us see how much bounty Yahoo offers for this vulnerability.

POC Video:


Last month, German Security researcher David Vieira-Kurz discovered similar remote code execution vulnerability in the Ebay website.