OpenMage Magento LTS Insecure File Upload Vulnerability Leading to Remote Code Execution

Vulnerability

A remote code execution vulnerability exists in OpenMage Magento Long Term Support (LTS) versions prior to 20.17.0. The issue lies in the product custom option file upload feature, which relies on an inadequate blocklist to filter out dangerous file types. Because the check only rejects extensions it knows about, it can be bypassed with an alternative PHP-executable extension, allowing malicious files to be uploaded. Uploaded files are stored in a publicly accessible directory; if that directory is not configured to deny script execution, the uploaded file can be executed, resulting in remote code execution.

Impact

Exploitation of this vulnerability allows remote code execution on the server and, through the upload of a web shell, potentially full compromise. This could lead to unauthorized access to and manipulation of server resources, including database credentials and sensitive customer information. Such access could also be used to inject malicious code into content served by the application.

Reproduction

To reproduce this vulnerability, upload a file with a PHP-executable extension that is not blocked by the application's upload validation. This can be done with a tool like curl by sending a POST request to the vulnerable upload endpoint with the malicious file attached as form data. Once uploaded, the file can be reached through the media/custom_options/quote/ directory; on server configurations that do not restrict execution in that directory, the uploaded file runs as a script, resulting in remote code execution.

Remediation

Upgrade to OpenMage Magento LTS version 20.17.0 or later, where this vulnerability has been patched.
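To illustrate the weakness described above, the following added example (not OpenMage code) places a blocklist-style extension check beside an allowlist validator of the kind the fix relies on. The allowlist, magic-byte table and sample file names are constructed for the demonstration; the second layer of defense, a server rule denying script execution in the upload directory, is noted in the comments but not shown.

```python
import re
from pathlib import PurePosixPath
from typing import Optional

# Constructed allowlist: the only types a custom-option upload should ever carry.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}
# Constructed magic-byte table: the declared extension alone is never trusted.
MAGIC = {
    "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8", "pdf": b"%PDF-",
}
SAFE_BASENAME = re.compile(r"^[a-z0-9_-]{1,64}$")


def blocklist_check(filename: str, blocked=("php", "phtml")) -> bool:
    """The weak pattern (constructed, not OpenMage's actual list): accept unless
    the last extension is on a denylist. Any executable extension missing from
    `blocked` is accepted, which is exactly the bypass the advisory describes."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext not in blocked


def allowlist_check(filename: str, content: bytes) -> Optional[str]:
    """Hardened pattern: returns a sanitized storage name, or None to reject.
    Pair this with a web-server rule that denies script execution inside the
    upload directory, so a bypass of the name check still cannot run code."""
    # Drop any directory component so the name cannot escape the upload dir.
    name = PurePosixPath(filename.replace("\\", "/")).name.lower()
    parts = name.split(".")
    if len(parts) < 2 or not SAFE_BASENAME.match(parts[0]):
        return None  # no extension, or unexpected characters in the base name
    # Every suffix must be allowed, so "photo.php.png" and trailing dots fail too.
    if any(p not in ALLOWED_EXTENSIONS for p in parts[1:]):
        return None
    ext = parts[-1]
    if not content.startswith(MAGIC[ext]):
        return None  # declared type does not match the file's bytes
    return f"{parts[0]}.{ext}"


if __name__ == "__main__":
    # Constructed sample: an extension absent from the denylist slips past it
    # but is rejected by the allowlist without knowing it is executable.
    print(blocklist_check("notes.php5"), allowlist_check("notes.php5", b"<?php"))
    print(allowlist_check("Receipt.PDF", b"%PDF-1.4 constructed"))
```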

Added: Apr 20, 2026, 5:26 PM
Updated: Apr 20, 2026, 5:26 PM

Vulnerability Rating

Custom Algorithm

  spread          2.2
  impact          7.5
  exploitability  6.4
  remediation     7.7
  relevance       6.3
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to produce these 8 vulnerability categories, which are then combined into the overall risk score.