Resolving a Remote Code Execution Exploit header

Magento 1.x Software Support Notice

For Magento Commerce 1, Magento is providing software support through June 2020. Depending on your Magento Commerce 1 version, software support may include both quality fixes and security patches. Please review our Magento Software Lifecycle Policy to see how your version of Magento Commerce 1 is supported.

For Magento Open Source 1.5 to 1.9, Magento is providing software security patches through June 2020 to ensure those sites remain secure and compliant. Visit our information page for more details about our software maintenance policy and other considerations for your business.

Resolving a Remote Code Execution Exploit

Overview

We recently identified potential exploits that:

  • Enable an attacker to execute arbitrary code on your Magento server.
  • Create files with a .csv extension, create writable directories, and change the permission of existing files to world-writable (777).
noteNote: The preceding exploits require the attacker to have administrative access to your Magento Admin Panel Dashboard. You can resolve these issues with the patch discussed in this article.

Creating files with a .csv extension can lead to executing files like php.csv (only under circumstances discussed in this article). The ability to run code with a .csv extension is dangerous itself and could be combined with other attacks; for example, targeting other software installed on the server.

You can resolve this issue by changing your server's configuration as discussed in Resolving the File System Vulnerability.

Although Magento code is protected by a hash value, the possibility of a successful exploit cannot be eliminated because of the low entropy of the hash secret value.

We strongly recommend you to take precautions discussed in this article and apply a patch for your version of Magento Enterprise Edition or Community Edition.

Versions Affected

Magento software versions affected: The issue affects all shipping versions of Magento Community Edition (CE) and Enterprise Edition (EE).

Operating system versions affected:

  • CentOS 5.x and 6.x
  • RedHat Enterprise Linux 5.x and 6.x

Getting the Patch

The following table shows the patch you should get for your version of CE or EE.

Version Patch
EE 1.13 and 1.14, CE 1.8 and 1.9 SUPEE-1533_EE_1.13.x_v1.patch
EE 1.12, CE 1.7 SUPEE-1533_EE_1.12.x_v1.patch
EE 1.11, CE 1.6 SUPEE-1533_EE_1.11.x_v1.patch
EE 1.10.1, CE 1.5.1 SUPEE-1533_EE_1.10.1.x_v1.patch
EE 1.10.0.1, CE 1.5.0.1 SUPEE-1533_EE_1.10.0.x_v1.patch
EE 1.9 SUPEE-1533_EE_1.9.x_v1.patch

To get and apply your patch, see How to Apply and Revert Magento Patches.

importantImportant: After applying your patch, Magento strongly recommends you evaluate your vulnerability and configure PHP as discussed in Resolving the Vulnerability.

Determining Your Vulnerability to the File System Attack

To determine if you're vulnerable to execution of PHP code with a non-PHP extension, search your web server configuration file for the following string:

AddHandler application/x-httpd-php .php

The Apache configuration file is typically /etc/httpd/conf/httpd.conf

To confirm you're vulnerable:

  1. Create a file named test.php.csv anywhere in your web server's doocroot with the following contents:
    <?php
    phpinfo()
  2. In a web browser, display that page. (For example, http://www.example.com/path/test.php.csv
  3. If your browser saves the file or prompts you to save the file instead of displaying it, your server is not vulnerable. You can ignore the rest of this article.
  4. If a page similar to the following displays, your server is vulnerable. Continue with the next section.

Resolving the File System Vulnerability

noteNote: Magento strongly recommends you perform all tasks discussed in this section in a development or testing environment and not in a production environment.

To resolve this vulnerability, you must log in to the Magento server as a user with root privileges or as a user with permissions to change the web server configuration.

To resolve the vulnerability:

  1. Comment out the directive in httpd.conf by preceding it with a pound sign (#) as follows:
    # AddHandler application/x-httpd-php .php
  2. Add a block similar to the following:
    <FilesMatch \.php$>
    SetHandler application/x-httpd-php
    </FilesMatch>
    Some operating systems, like Red Hat Enterprise, might require different syntax such as:
    <FilesMatch \.php$>
        SetHandler php5-script
    </FilesMatch>
    The regular expression in this setting matches .php only to the final extension in the file name, applying the handler only to PHP files and preventing PHP from executing.