
Magento PolyShell Flaw Allows Unauthenticated Uploads, RCE and Account Takeover

Sansec is warning of a critical security flaw in Magento's REST API that could allow unauthenticated attackers to upload arbitrary executables and gain code execution and account takeover.

The vulnerability has been codenamed PolyShell by Sansec owing to the fact that the attack hinges on disguising malicious code as an image. There is no evidence that the shortcoming has been exploited in the wild. The unrestricted file upload flaw affects all Magento Open Source and Adobe Commerce versions up to 2.4.9-alpha2.

The Dutch security company said the problem stems from the fact that Magento's REST API accepts file uploads as part of the custom options for cart items.

"When a product option has type 'file,' Magento processes an embedded file_info object containing base64-encoded file data, a MIME type, and a filename," it said. "The file is written to pub/media/custom_options/quote/ on the server."

Depending on the web server configuration, the flaw can enable remote code execution via PHP upload or account takeover via stored XSS.


Sansec also noted that Adobe fixed the issue in the 2.4.9 pre-release branch as part of APSB25-94, but leaves current production versions without an isolated patch.

"While Adobe provides a sample web server configuration that can largely limit the fallout, the majority of stores use a custom configuration from their hosting provider," it added.

To mitigate any potential risk, e-commerce storefronts are advised to perform the following steps:

  • Restrict access to the upload directory ("pub/media/custom_options/").
  • Verify that nginx or Apache rules prevent access to the directory.
  • Scan the stores for web shells, backdoors, and other malware.

"Blocking access doesn't block uploads, so people will still be able to upload malicious code if you aren't using a specialized WAF [Web Application Firewall]," Sansec said.
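The third step above, scanning for web shells, is where the "disguised as an image" part of PolyShell matters: an uploaded file can carry a valid image header and still contain server-side code, so an extension or MIME check alone does not catch it. The following Python script is an added example, not code from Sansec, Adobe or the article, that walks the custom-option upload directory and flags files whose extension is executable, whose bytes do not match the image type the extension claims, or which contain PHP or script markers anywhere in their content. The executable-extension list, the magic-byte table, the marker pattern and the sample directory it builds are all assumptions made for the example; on a real store you would point `scan_upload_dir` at `pub/media/custom_options/` instead of the constructed fixture.

```python
"""
Added example (not Sansec's or Adobe's code): scan a Magento custom-option
upload directory for files that could act as web shells or stored-XSS payloads.

Assumption (not from the article): a legitimate upload is an image whose bytes
match its extension. Everything below the scan functions is a constructed fixture.
"""
import os
import re
import tempfile

# Extensions a misconfigured web server might execute (assumed list).
EXECUTABLE_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7", ".phps", ".shtml", ".htaccess"}

# Image magic bytes -> extensions they should carry (assumed mapping, common formats only).
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": {".png"},
    b"\xff\xd8\xff": {".jpg", ".jpeg"},
    b"GIF87a": {".gif"},
    b"GIF89a": {".gif"},
}
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif"}

# Markers that have no business inside an image upload: PHP open tags (RCE)
# and script tags (stored XSS, e.g. inside an SVG passed off as an image).
CODE_MARKERS = re.compile(rb"<\?php|<\?=|<script\b", re.IGNORECASE)


def classify_file(path):
    """Return a list of findings for one file; an empty list means it looks clean."""
    findings = []
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        data = fh.read()
    head = data[:16]

    if ext in EXECUTABLE_EXTS:
        findings.append("executable-extension")

    # Compare the declared image type (extension) with the real one (magic bytes).
    looks_like_image = False
    for magic, exts in IMAGE_MAGIC.items():
        if head.startswith(magic):
            looks_like_image = True
            if ext not in exts:
                findings.append("extension-mismatch")
            break
    if not looks_like_image and ext in IMAGE_EXTS:
        findings.append("not-an-image")

    # A polyglot keeps a valid image header, so search the whole file for code.
    if CODE_MARKERS.search(data):
        findings.append("embedded-code")
    return findings


def scan_upload_dir(root):
    """Walk the tree and return {relative_path: findings} for every suspicious file."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            findings = classify_file(full)
            if findings:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                report[rel] = findings
    return report


def build_sample_dir():
    """Create a constructed fixture mirroring custom_options/quote/ (test data, not real uploads)."""
    root = tempfile.mkdtemp(prefix="custom_options_")
    quote = os.path.join(root, "quote")
    os.makedirs(quote)
    png_header = b"\x89PNG\r\n\x1a\n"
    # Benign image: PNG header, no code.
    with open(os.path.join(quote, "photo.png"), "wb") as fh:
        fh.write(png_header + b"\x00" * 32)
    # Polyglot: valid PNG header followed by a PHP open tag (harmless echo for the fixture).
    with open(os.path.join(quote, "banner.png"), "wb") as fh:
        fh.write(png_header + b"<?php echo 'x'; ?>")
    # Plain script with an executable extension.
    with open(os.path.join(quote, "invoice.phtml"), "wb") as fh:
        fh.write(b"<?php echo 'x'; ?>")
    # GIF bytes under a .jpg name: harmless here, but a mismatch worth reviewing.
    with open(os.path.join(quote, "logo.jpg"), "wb") as fh:
        fh.write(b"GIF89a" + b"\x00" * 8)
    return root


if __name__ == "__main__":
    for rel, found in sorted(scan_upload_dir(build_sample_dir()).items()):
        print(f"{rel}: {', '.join(found)}")
```

The scan is deliberately content-based rather than name-based: as the article points out, blocking access to the directory does not stop the upload itself, so a file that sits there with a `.png` name and a PHP tag after the header is exactly what this check is for. Treat an `embedded-code` or `executable-extension` hit as an incident trigger, and an `extension-mismatch` or `not-an-image` hit as something to review, since some legitimate uploads are simply misnamed.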
