Menu
Magento database tool Magmi has a zero-day vulnerability

Magento database tool Magmi has a zero-day vulnerability

Magento has contacted the websites that appear to be vulnerable, Trustwave said

An open-source tool for importing content into the Magento e-commerce platform, called Magmi, has a zero-day vulnerability, according to security vendor Trustwave.

The directory traversal flaw is in some versions of Magmi, which is used to move large amounts of data into Magento's SQL database. Such a flaw can allow access to other files or directories in a file system.

"Successful exploitation results in access to Magento site credentials and the encryption key for the database," wrote Assi Barak, lead security researcher with Trustwave's SpiderLabs.

Barak wrote that Trustwave has notified Magmi's developer and Magento, which has contacted the operators of 1,700 websites that appear be vulnerable.

Magmi can be downloaded from GitHub or SourceForge, but only the version on SourceForge is vulnerable, Barak wrote.

The SourceForge version of Magmi, 0.7.21, appears to have been last updated on Dec. 2, 2014, while the GitHub version has been modified over the last month and is not vulnerable.

"While the two repositories are said to remain in sync, that doesn't appear to be the case," Barak wrote.

Trustwave picked up on the problem after seeing HTTP requests that looked like an exploit attempt. The structure of the requests -- which included "../.." -- showed "an attempt to access the Linux password file by backtracking the path."

Trustwave's finding suggests "that bad actors are aware of the vulnerability and how to exploit it," Barak wrote.

The vulnerable SourceForge version was downloaded some 2,800 times in September, Barak wrote. Magmi's SourceForge page on Tuesday showed it had been downloaded more than 500 times this week.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Events

Featured

Slideshows

Channel kicks 2021 into gear as After Hours returns to Auckland

Channel kicks 2021 into gear as After Hours returns to Auckland

After Hours made a welcome return to the channel social calendar with a bumper crowd of partners, distributors and vendors descending on The Pantry at Park Hyatt in Auckland to kick-start 2021.

Channel kicks 2021 into gear as After Hours returns to Auckland
The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards

Hundreds of leaders from the New Zealand IT industry gathered at the Hilton in Auckland on 17 November to celebrate the finest female talent in the Kiwi channel and recognise the winners of the Reseller News Women in ICT Awards (WIICTA) 2020.

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards
Show Comments