
FortiGuard Labs Threat Research

Magento Commerce Widget Form (Core) XSS Vulnerability

By Zhouyuan Yang | January 07, 2019

Threat Analysis Report from FortiGuard Labs

E-commerce makes life more convenient, but it also faces a growing number of threats across the internet. According to 2018 market-share figures, Magento Commerce holds more than a 14% share of the e-commerce platform market, making it the second largest e-commerce platform in the world, and its customers include a number of highly recognizable companies.

The FortiGuard Labs team recently discovered a Cross-Site Scripting (XSS) vulnerability in Magento Commerce. It is caused by Magento failing to sanitize user-supplied data before inserting it into a dynamically generated widget form. Although the vulnerable page is part of the Magento Administrator interface, the payload travels in the request URL, so a remote attacker only needs an authenticated administrator to open a crafted link: the attacker’s script then runs in that administrator’s browser and can be used to take over high-privilege Magento accounts, access sensitive data or take control of the vulnerable site.

This XSS vulnerability affects Magento Commerce 2.1 prior to 2.1.16 and Magento Commerce 2.2 prior to 2.2.7.

Analysis

When editing a Magento site page there are two modes: WYSIWYG Mode and HTML Mode. In WYSIWYG Mode one of the toolbar buttons is “Insert Widget…” (see Figure 1). As Figure 2 shows, the Insert Widget form can also be opened directly by requesting its URL, without going through the editor.

Figure 1. The Insert Widget function in WYSIWYG Mode
Figure 2. Directly accessing the Insert Widget function form

The form in Figure 2 is generated by a PHP function in Widget.php, located at /vendor/magento/module-widget/Block/Adminhtml/Widget.php. It takes the value of the “widget_target_id” parameter from the request URL and, after only the minimal processing described below, inserts it into a script tag in the generated page, as shown in Figure 3. For example, when the form URL is requested with a widget_target_id parameter, the parameter’s value appears verbatim inside the script tag, as shown in Figure 4.

Figure 3. Widget.php generating the form script tag
Figure 4. The form script tag generated by Widget.php

The function performs no real sanitization: the value is simply placed inside a quoted JavaScript string and followed by the tokens that close the surrounding code, such as “"”, “}” and “;”. This is trivially bypassed by supplying those same closing tokens in the value itself, for example “")});”, which terminates the string, the constructor call, the callback and the require() call, and then appending an HTML comment opener, “<!--”, which browsers treat as the start of a JavaScript comment in a classic script, so the template’s own trailing code is ignored. This can be seen in the following example.

Figure 5. Bypassing the filter

At this point an attacker can insert arbitrary JavaScript into the page. Note that the script tag begins by calling a function named “require”, and when the form is loaded directly this function does not exist, so the original call fails. That can be turned to the attacker’s advantage: JavaScript hoists function declarations, so a “require” function declared inside the injected payload is already defined by the time the leading require call executes, and the attacker’s code runs. The PoC in Figure 6 demonstrates this: requesting it executes the code supplied in the parameter.

Figure 6. PoC

Solution

All users of vulnerable versions of Magento Commerce are encouraged to upgrade to the latest Magento version or apply the latest patches immediately. Additionally, organizations that have deployed Fortinet IPS solutions are already protected from this vulnerability by the following signature:

Adobe.Magento.Widget.XSS
