Full Disclosure mailing list archives
Re: eBay Magento <= 1.9.2.1 XML eXternal Entity Injection (XXE) on PHP FPM
From: Dawid Golunski <dawid () legalhackers com>
Date: Tue, 3 Nov 2015 15:05:13 -0200
Hi, There are some news sites that confuse this Magento/Zend Framework vulnerability with an old SOAP parser xxe vulnerability of CVE-2013-1643 in the PHP core which was fixed in PHP 5.4.13 in 2013. The incorrect news may give false sense of security to users with newer PHP versions when in fact, their Magento installation may be affected. I wanted to clarify that the Magento/Zend Framework vulnerability I reported does not depend on this old PHP core vulnerability in soap parser and that it can also be exploited on new versions of PHP. The Magento/Zend Framework stems from a separate vulnerability found in the Zend Framework which I described recently at: http://legalhackers.com/advisories/zend-framework-XXE-vuln.txt and which was assigned the CVE-ID of CVE-2015-5161 : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5161 What affects the XXE vulnerability in Magento/Zend Framework however is entity expansion performed by the libxml2 system library. There are several libxml2 issues that allow entity auto-expansion (more details in advisory). I have updated my advisory to stress that the vulnerability does not rely on PHP version and does not depend on the old soap parser bug in PHP core. I also updated the POC exploit code to take advantage of newer libxml2 parameter entity issues (e.g CVE-2014-0191), so that the exploit also works on newer libxml2 versions, which can help to test newer systems. More details can be found in the updated advisory under the same link: http://legalhackers.com/advisories/eBay-Magento-XXE-Injection-Vulnerability.txt The Magento/Zend Framework exploit provided was successfully tested on a new PHP version of 5.6.14, released a month ago. Regards, Dawid Golunski http://legalhackers.com _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Re: eBay Magento <= 1.9.2.1 XML eXternal Entity Injection (XXE) on PHP FPM Dawid Golunski (Nov 06)