Security issue in Magento 1.3 and older & Magento Enterprise 1.6 and older

Last week we were contacted by a partner of ours, Jos Spyker, telling us that he found a bug in Magento CE up to 1.3.3.0 and Magento Enterprise up to 1.6. He helped us before when he found a security issue in Magento. Once again had a nice gem for us…

By exploiting this issue it’s possible to download all of a customer’s name and address information stored within the webshops database for all known customers. There is no authentication required, and in fact, one does’t even need to have an existing account with the webshop to exploit this bug.

Reproducing the issue

The steps one needs to take to reproduce this issue are quite simple. The issue lies within the JSON module of the Onestep checkout system used in these Magento versions. The JSON call handler contains insufficient checks and permits any request for information, as long as the visitor has products in their shopping cart. As such, a visitor can forge the JSON request and use it to get the contact information for all the customers that have previously shopped via the webshop.
The URL for this JSON request is available in Magento 1.3 shops under /checkout/onepage/getAddress/address/[id]. Normally the [id] tag is replaced by the user’s own user-id. The response to this is used to fill in or validate the forms during the checkout process. To test this, we set up an example shop with an example product and an example user. We can exploit the data in the following way:

Add an item to the shoppingcart
Proceed to checkout
Make a JSON call to get the contact information for customer id 1

After doing this, you should receive a file for download, which contains all the information in an easily readable JSON format. This file contains all the private user information. With this knowledge, it would be reasonably easy to write a script to add a product to the cart, proceed to checkout, and loop over all the available ID’s and download all users’ information.

Patching the issue

Luckily the issue can easily be patched by having the JSON file only return the currently logged in customer’s information. This lets the customer still get their own information, but doesn’t let them access other people’s information.

Please note! As with all changes to production websites, we advise you to apply this patch in a controlled environment first and test that everything still functions as desired. We’ve tried our best to make sure we didn’t break anything with this patch, but as always; YMMV, apply brain, and if it breaks you get to keep both halves.

The problem can be traced down to the file app/code/core/Mage/Checkout/controllers/OnepageController.php, to the getAddressAction function around line 225:

/**

* Address JSON

public function getAddressAction()

{

$this->_expireAjax();

$addressId = $this->getRequest()->getParam('address', false);

if ($addressId) {

$address = $this->getOnepage()->getAddress($addressId);

$this->getResponse()->setHeader('Content-type', 'application/x-json');

$this->getResponse()->setBody($address->toJson());

}

As you can see, this function hasn’t got a single bit of security built in. There’s some basic checks in the backend system that only allow these JSON calls during checkout, but nothing to protect your customer’s privacy. We added a simple check that only allows the address to be returned if the associated CustomerID is the same as the currently logged in Customer.

/**

* Address JSON

public function getAddressAction()

{

$this->_expireAjax();

$addressId = $this->getRequest()->getParam('address', false);

if ($addressId) {

$address = $this->getOnepage()->getAddress($addressId);

if(Mage::getSingleton('customer/session')->getCustomer()->getId() == $address->getCustomerId()) {

$this->getResponse()->setHeader('Content-type', 'application/x-json');

$this->getResponse()->setBody($address->toJson());

} else {

$this->getResponse()->setHeader('HTTP/1.1','403 Forbidden');

}

Impact, History and technical details

The impact of the bug can be quite large. None of the webshops out there would like their entire customer database out on the streets. Information like this is extremely valuable to phishers, hackers, scammers and other criminals, as well as the competition out there.

Affected versions

All Magento versions up to and including version 1.3.3
All Magento Enterprise versions up to version 1.7

History of the issue

2007-Aug-31: Magento releases Preview-version B1 0.6.12383, which already contains the bug
2010-Feb-12: Magento patches this issue in the 1.4 branch, but neglects to update the still active 1.3 branch.
2012-May-25: Issue found by Jos Spyker, Byte contacted
2012-May-29: Byte tests patch, notifies customers still running on 1.3 or lower
2012-May-31: Initial publication
2012-May-31: Magento notified by Byte

If you liked this post, say thanks by sharing it:

Vinai

Sorry, this is quite old news that already was “released” several times, the latest previos time was by Phillippe Humeau during Imagine.
Also, just to avoid confusion, I’d like to emphasise that EE 1.6 != CE 1.6 and EE 1.7 != CE 1.7. I’m pretty sure that a number of people only read the version number and miss the Magento flavor.
Anyway, thanks for posting, it just once again proves the point how important it is to follow best practices for customizations to keep the upgrade path open, and to do the upgrades, too.
http://about.me/hans2103 hans2103

Although the problem is already fixed in a new Magento version, we discovered multiple webshops worldwide still working with this old Magento version. It’s good to repeat the danger of working with outdated versions.