Magento bug left user credentials vulnerable: researcher
eBay's shopfront subsidiary had cross-site bug
Security researchers have reported a cross-store vulnerability in the Magento commerce platform that lets attackers create administrative users on any store.
An attacker could also use the privilege escalation to give themselves store credit on products they'd purchased from merchants.
As the full notice (PDF) explains, when logged in at one account, the attacker only needed to modify the HOST header to URI of the “target” account. The attacker would then be offered a login screen which would accept the credentials of the attack account, but give that user admin rights on the target.
This also enables what the author calls a “stealth mode” attack:
“In stealth mode we can make requests like add store credit, add gift cards with our own chosen monetary value, view customer information, change prices etc etc. All these requests however “impersonate” the store owner account so action are logged as this user and does not look so suspicious.”
Since Magento is an eBay company, Securatary is claiming the bug bounty on its report, and the company notes that Magento has issued a fix for the problem. ®