On April 8th 2014, AppCheck reported several Cross Site Scripting Vulnerabilities in the Magento e-commerce platform via the eBay bug bounty program. eBay responded to inform us that the vulnerabilities had already been reported.
However, more than six months have passed and no fix is yet available. This advisory is therefore intended to inform Magento administrators of the vulnerability so that action can be taken to mitigate the flaw.
Several Adobe Flash files that ship with Magento are vulnerable to DOM-based Cross Site Scripting (XSS). The vulnerability was identified within the following files via the AppCheck Flash Static Analysis Module:
http://[magento_url]/skin/adminhtml/default/default/media/editor.swf
http://[magento_url]/skin/adminhtml/default/default/media/uploader.swf
http://[magento_url]/skin/adminhtml/default/default/media/uploaderSingle.swf
As with reflected XSS, the flaw allows malicious JavaScript to be injected into the page via a specially crafted link (here, the query string of the SWF URL itself) or form post. Upon execution, the injected JavaScript runs in the context of the Magento site and is able to take control of the user's session, extract sensitive data, or perform actions on behalf of the user or administrator.
Successful exploitation of the flaw could allow an attacker to gain control of a user's session with the application, or full control of the application if the targeted user has administrative privileges.
The AppCheck Static Analysis Module identified the following vulnerable ActionScript code within each affected file:
function dispatchInit(param1:Event = null):void {
    // ExternalInterface is only available when the SWF is running inside a browser.
    if (ExternalInterface.available == false) {
        return;
    }
    if (bridgeName == null) {
        // Attacker-controlled: when the SWF is loaded directly by URL, FlashVars
        // are taken from the query string of that URL.
        bridgeName = baseObject.root.loaderInfo.parameters["bridgeName"];
        if (bridgeName == null) {
            bridgeName = "flash";
        }
    }
    // bridgeName is handed to the page's JavaScript without any validation.
    _registerComplete = ExternalInterface.call("FABridge__bridgeInitialized", [bridgeName]);
    dispatchEvent(new Event(FABridge.INITIALIZED));
}
In the code above the FlashVar parameter "bridgeName" is passed to the ExternalInterface.call method without filtering. ExternalInterface.call serialises its arguments into a JavaScript expression that Flash Player then evaluates in the host page, so a value containing a double quote breaks out of the string literal and any JavaScript that follows it is executed when the vulnerable function is called (when the page loads).
As proof of concept, the following URL injects the JavaScript code "alert(1)" to illustrate the flaw. URL-decoded, the bridgeName value is 1"]));alert(1)}catch(e){alert(1)}//, which closes the string and array literals emitted by Flash, completes the try/catch wrapper around the generated call, and comments out the remainder of the expression:
http://[magento_url]/skin/adminhtml/default/default/media/editor.swf?bridgeName=1%22]%29%29;alert%281%29}catch%28e%29{alert%281%29}//
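The following is an added example, not code from the advisory or from Magento. It reconstructs in plain JavaScript what happens in the host page when the SWF calls ExternalInterface.call("FABridge__bridgeInitialized", [bridgeName]): the generated expression is built with the bridgeName value inserted unescaped, then evaluated against stub globals so the effect of the proof-of-concept payload can be observed without a browser. The exact shape of the expression (the try/catch wrapper and __flash__toXML) is inferred from the structure of the payload and should be treated as an approximation; the isSafeBridgeName check is an assumed fix, not Magento's.

```javascript
// Added example (not AppCheck's or Magento's code). Simulates the JavaScript
// expression Flash Player evaluates in the page for the ExternalInterface.call above.

// Flash emits the call wrapped in try/catch with the arguments serialised as JS
// literals. The template below is an approximation inferred from the PoC payload.
function buildBridgeCall(bridgeName) {
  // The single array argument becomes ["<value>"]; the value is inserted without
  // escaping, which is the injection point.
  return 'try { __flash__toXML(FABridge__bridgeInitialized(["' + bridgeName +
         '"])) ; } catch (e) { "<undefined/>"; }';
}

// bridgeName value from the advisory's proof-of-concept URL, URL-decoded.
const POC_BRIDGE_NAME = decodeURIComponent(
  '1%22]%29%29;alert%281%29}catch%28e%29{alert%281%29}//');

// Evaluate the generated expression with stub globals and record every call made,
// so the payload's effect is visible as data rather than as a browser alert.
function runInPage(bridgeName) {
  const calls = [];
  const stubs = {
    alert: (x) => { calls.push('alert(' + x + ')'); },
    FABridge__bridgeInitialized: (args) => {
      calls.push('bridgeInit(' + JSON.stringify(args) + ')');
      return true;
    },
    __flash__toXML: (v) => v,
  };
  const body = buildBridgeCall(bridgeName);
  // Stubs are passed as named parameters so nothing touches the real globals.
  new Function(...Object.keys(stubs), body)(...Object.values(stubs));
  return calls;
}

// Assumed fix in the SWF's own terms: a FABridge name is a JavaScript identifier,
// so anything else should be refused before it reaches ExternalInterface.call.
function isSafeBridgeName(name) {
  return typeof name === 'string' && /^[A-Za-z_$][A-Za-z0-9_$]*$/.test(name);
}

function demo() {
  return {
    benign: runInPage('flash'),        // only the bridge init call
    poc: runInPage(POC_BRIDGE_NAME),   // bridge init call followed by alert(1)
    pocRejected: !isSafeBridgeName(POC_BRIDGE_NAME),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

With the benign default value the only call recorded is the bridge initialisation; with the proof-of-concept value the same expression also calls alert(1), which is exactly what the URL above triggers in a real page. Note that validating bridgeName would have to be done in the SWF itself, which is why the advisory's interim advice is to restrict access to the files.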
The vulnerability was confirmed in the latest release at the time of writing (magento-1.9.0.1.tar.gz) downloaded from: http://www.magentocommerce.com/. Until a proper fix is released, it is recommended that access to these Flash files be restricted at the web server, for example to the network from which administrators use the admin panel.
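One way to apply that restriction on Apache 2.4, as an added example that is not part of the advisory or of Magento: match the three vulnerable SWF paths and allow only the administrators' network. The 203.0.113.0/24 range is a placeholder. Since the files sit under the admin skin, it is assumed that the admin panel's editor and media uploader load them, so a blanket Require all denied would disable those functions for administrators as well.

```apache
# Added example, not from the advisory or Magento (Apache 2.4 syntax).
# Limit the three vulnerable SWFs to the admin network; 203.0.113.0/24 is a placeholder.
<LocationMatch "^/skin/adminhtml/default/default/media/(editor|uploader|uploaderSingle)\.swf$">
    Require ip 203.0.113.0/24
</LocationMatch>
```

On Apache 2.2 the equivalent inside the same LocationMatch is Order deny,allow followed by Deny from all and Allow from 203.0.113.0/24. After reloading, a request such as curl -sI "http://[magento_url]/skin/adminhtml/default/default/media/editor.swf?bridgeName=test" from outside the allowed range should return 403 rather than 200, which confirms the proof-of-concept URL no longer reaches the SWF.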
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations' websites, applications, network and cloud infrastructure. AppCheck is authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).