Menu
Magento database tool Magmi has a zero-day vulnerability

Magento database tool Magmi has a zero-day vulnerability

Magento has contacted the websites that appear to be vulnerable, Trustwave said

An open-source tool for importing content into the Magento e-commerce platform, called Magmi, has a zero-day vulnerability, according to security vendor Trustwave.

The directory traversal flaw is in some versions of Magmi, which is used to move large amounts of data into Magento's SQL database. Such a flaw can allow access to other files or directories in a file system.

"Successful exploitation results in access to Magento site credentials and the encryption key for the database," wrote Assi Barak, lead security researcher with Trustwave's SpiderLabs.

Barak wrote that Trustwave has notified Magmi's developer and Magento, which has contacted the operators of 1,700 websites that appear be vulnerable.

Magmi can be downloaded from GitHub or SourceForge, but only the version on SourceForge is vulnerable, Barak wrote.

The SourceForge version of Magmi, 0.7.21, appears to have been last updated on Dec. 2, 2014, while the GitHub version has been modified over the last month and is not vulnerable.

"While the two repositories are said to remain in sync, that doesn't appear to be the case," Barak wrote.

Trustwave picked up on the problem after seeing HTTP requests that looked like an exploit attempt. The structure of the requests -- which included "../.." -- showed "an attempt to access the Linux password file by backtracking the path."

Trustwave's finding suggests "that bad actors are aware of the vulnerability and how to exploit it," Barak wrote.

The vulnerable SourceForge version was downloaded some 2,800 times in September, Barak wrote. Magmi's SourceForge page on Tuesday showed it had been downloaded more than 500 times this week.


Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Featured

Slideshows

Sizing up the NZ security spectrum - Where's the channel sweet spot?

Sizing up the NZ security spectrum - Where's the channel sweet spot?

From new extortion schemes, outside threats and rising cyber attacks, the art of securing the enterprise has seldom been so complex or challenging. With distance no longer a viable defence, Kiwi businesses are fighting to stay ahead of the security curve. In total, 28 per cent of local businesses faced a cyber attack last year, with the number in New Zealand set to rise in 2017. Yet amidst the sensationalism, media headlines and ongoing high profile breaches, confusion floods the channel, as partners seek strategic methods to combat rising sophistication from attackers. In sizing up the security spectrum, this Reseller News roundtable - in association with F5 Networks, Kaspersky Lab, Tech Data, Sophos and SonicWall - assessed where the channel sweet spot is within the New Zealand channel. Photos by Maria Stefina.

Sizing up the NZ security spectrum - Where's the channel sweet spot?
Kiwi channel comes together for another round of After Hours

Kiwi channel comes together for another round of After Hours

The channel came together for another round of After Hours, with a bumper crowd of distributors, vendors and partners descending on The Jefferson in Auckland. Photos by Maria Stefina.​

Kiwi channel comes together for another round of After Hours
Consegna comes to town with AWS cloud offerings launch in Auckland

Consegna comes to town with AWS cloud offerings launch in Auckland

Emerging start-up Consegna has officially launched its cloud offerings in the New Zealand market, through a kick-off event held at Seafarers Building in Auckland.​ Founded in June 2016, the Auckland-based business is backed by AWS and supported by a global team of cloud specialists, leveraging global managed services partnerships with Rackspace locally.

Consegna comes to town with AWS cloud offerings launch in Auckland
Show Comments