Magento eCommerce XSS Vulnerabilities

23 December 2009

OSVDB: 61526 61527 61528 61529 61530 61531 61532 61533

Description of Vulnerability:

Magento (http://www.magentocommerce.com/) is an eCommerce platform written in MySQL and PHP. Magento contains numerous serious cross site scripting (XSS) vulnerabilities.

Systems affected:

Magento community edition version 1.3.2.43 was tested and shown to be vulnerable

Mitigating factors

None of the vulnerabilities described below can be exploited by unauthenticated users. An attacker must have credentials to access the site in order to perform the proof of concept attacks detailed below.

Vulnerable fields:

The following is a list of fields and presentation screens that suffer from cross site scripting vulnerabilities:

== Product Name ==

The Magento platform suffers from a XSS vulnerability because it does not properly sanitize the 'product name'

Proof of concept:

  1. Click on Catalog -> Manage Products and click the 'Add Product' button
  2. Select default settings and click the 'Continue' button
  3. Enter "<script>alert('xss');</script>" in the 'Name' field
  4. Enter arbitrary data in the other required fields and click the 'Save' button
  5. Click on Sales -> Orders then 'Create New Order'
  6. Select any customer
  7. Click 'Add Products'
  8. Select the newly created product and lick 'Add Selected Product(s) to Order'
  9. Observe the JavaScript alert

== Product SKU ==

The Magento platform suffers from a XSS vulnerability because it does not properly sanitize the 'product SKU'

Proof of concept:

  1. Create a new product as above, except enter the script value for the product SKU
  2. Create a new review of the product from Catalog -> Reviews and Ratings -> Cutomer Reviews -> All Reviews and clicking the 'Add New Review' button
  3. Save the product review to view the JavaScript

== Product Description ==

The Magento platform suffers from a XSS vulnerability because it does not properly sanitize the 'product description'. Any Javascript in a product description will be rendered when a customer views the product details of that product.

== Customer Group Name ==

The Magento platform suffers from a XSS vulnerability because it does not properly sanitize the 'customer group name'

Proof of concept:

  1. Click on Customers -> Customer Groups
  2. Click the 'Add New Customer Group' button
  3. Enter "<script>alert('xss');</script>" for the 'Group Name'
  4. Click 'Save Customer Group'
  5. Click Customers -> Manage Customers
  6. Observe the JavaScript alert (twice)

== Product Category Name ==

The Magento platform suffers from a XSS vulnerability because it does not properly sanitize the 'Product category name'

Proof of concept:

  1. Click on Catalog -> Manage Categories
  2. Click on 'Add Root Category'
  3. Click on the 'General Information' tab
  4. Enter "<script>alert('xss');</script>" for the 'Name'
  5. Click the 'Save Category' button
  6. Click the new category name from the left
  7. Observe the Javascript alert

== Attribute Set ==

The Magento platform suffers from a XSS vulnerability because it does not properly sanitize the 'Attribute set name'

Proof of concept:

  1. Click on Catalog -> Attributes -> Manage Attribute Sets
  2. Click the 'Add New Set' button
  3. Enter "<script>alert('xss');</script>" for the 'Name'
  4. Click 'Save Attribute Set'
  5. Observe the JavaScript alert

== Sitemap Path ==

The Magento platform suffers from a XSS vulnerability because it does not properly sanitize the 'Sitemap path'

Proof of concept:

  1. Click on Catalog -> Google Sitemap
  2. Click 'Add Sitemap'
  3. Enter "<script>alert('xss');</script>" for the Path
  4. Click 'Save & Generate' button
  5. Observe the Javascript alert

== Customer Tax Class, Product Tax Class, Tax Rate ID ==

The Magento platform suffers from a XSS vulnerability because it does not properly sanitize the 'Customer tax class name', 'Product tax class name', or 'Tax rate id' fields

Proof of concept is only provided for Customer Tax Class (others follow same methodology):

  1. Click on Sales -> Tax -> Customer Tax Classes
  2. Click the 'Add New' button
  3. Enter "<script>alert('xss');</script>" for the Class Name
  4. Click 'Save Class'
  5. Click on Sales -> Tax -> Manage Tax Rule
  6. Observe Javascript

N.B. The Product Tax Class XSS also affects the Catalog Advanced Search page at index.php/catalogsearch/advanced/

== Poll Question ==

The Magento platform suffers from a XSS vulnerability because it does not properly sanitize the 'Poll Question' or 'Poll Answer' fields

Proof of concept:

  1. Click on CMS -> Poll Manager
  2. Click the 'Add New Poll' button
  3. Enter "<script>alert('xss');</script>" for the Poll Question
  4. Click the 'Poll Answers' tab
  5. Click the 'Add New Answer' button
  6. Enter "<script>alert('xss');</script>" for the Answer Title
  7. Click the 'Save Poll'
  8. Observe the Javascript alerts when the poll renders at index.php

== Architecture ==

Magento stores submitted values in the database without any filtration. In this model it becomes imperative that data be filtered for XSS before display. Whereas only one point of data input exists, there can be countless points of data display that expand beyond Magento core as modules are applied. The polluted data layer allows XSS to creep forward into display layers with ease unless extreme care is taken by developers.

Vendor Response

All issues described in this report will be fixed in the upcoming EE 1.7.0.0 and CE 1.4.0.0 releases.