Menu
Magento database tool Magmi has a zero-day vulnerability

Magento database tool Magmi has a zero-day vulnerability

Magento has contacted the websites that appear to be vulnerable, Trustwave said

An open-source tool for importing content into the Magento e-commerce platform, called Magmi, has a zero-day vulnerability, according to security vendor Trustwave.

The directory traversal flaw is in some versions of Magmi, which is used to move large amounts of data into Magento's SQL database. Such a flaw can allow access to other files or directories in a file system.

"Successful exploitation results in access to Magento site credentials and the encryption key for the database," wrote Assi Barak, lead security researcher with Trustwave's SpiderLabs.

Barak wrote that Trustwave has notified Magmi's developer and Magento, which has contacted the operators of 1,700 websites that appear be vulnerable.

Magmi can be downloaded from GitHub or SourceForge, but only the version on SourceForge is vulnerable, Barak wrote.

The SourceForge version of Magmi, 0.7.21, appears to have been last updated on Dec. 2, 2014, while the GitHub version has been modified over the last month and is not vulnerable.

"While the two repositories are said to remain in sync, that doesn't appear to be the case," Barak wrote.

Trustwave picked up on the problem after seeing HTTP requests that looked like an exploit attempt. The structure of the requests -- which included "../.." -- showed "an attempt to access the Linux password file by backtracking the path."

Trustwave's finding suggests "that bad actors are aware of the vulnerability and how to exploit it," Barak wrote.

The vulnerable SourceForge version was downloaded some 2,800 times in September, Barak wrote. Magmi's SourceForge page on Tuesday showed it had been downloaded more than 500 times this week.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Slideshows

IN PICTURES: Ingram Micro Innovation hits Auckland with Hewlett Packard Enterprise

IN PICTURES: Ingram Micro Innovation hits Auckland with Hewlett Packard Enterprise

Ingram Micro completed its nationwide roadshow in Auckland last month, kicking off its Innovation Hour series with Hewlett Packard Enterprise. Uncovering the latest in storage, networking and servers, the event outlined key market trends for resellers in 2016 and beyond.

IN PICTURES: Ingram Micro Innovation hits Auckland with Hewlett Packard Enterprise
IN PICTURES: FireEye celebrates channel at 2016 Partner Conference

IN PICTURES: FireEye celebrates channel at 2016 Partner Conference

FireEye welcomed 143 channel partners and distributors to FireEye's 2016 annual Partner Conference, FireEye A/NZ Momentum - held at Establishment in Sydney. Delegates heard from senior trans-Tasman channel leaders, marketing and the product divisions in the morning, with FireEye customers, incident responders and threat intelligence analysts sharing knowledge during the afternoon.

IN PICTURES: FireEye celebrates channel at 2016 Partner Conference
​IN PICTURES: Disruption in the data centre - Can the Kiwi channel capitalise?​

​IN PICTURES: Disruption in the data centre - Can the Kiwi channel capitalise?​

With New Zealand businesses now open to innovation, the industry sits on the cusp of significant disruption in the data centre. Driven by software-defined networking, the future of the data centre is fast becoming reality, as the channel seeks to keep up, keep innovating and keep growing. APC by Schneider Electric, Lenovo and key partners outlined how the channel can capitalise at The Grill restaurant in Auckland.

​IN PICTURES: Disruption in the data centre - Can the Kiwi channel capitalise?​
Show Comments