Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20171030102422.15d1d9c2@pc1>
Date: Mon, 30 Oct 2017 10:24:22 +0100
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: Magento: Leaking of config file local.xml

Magento is a web shop written in PHP.

Magento stores its configuration in a file local.xml, stored in the
webroot under app/etc/local.xml. As it is an xml file by default a web
server will not parse it in any way, but directly expose it to users.

Magento protects against this by shipping an .htaccess file that blocks
access to that directory. However that is not a sufficient
protection. .htaccess files are specific to the Apache web server.
Other web servers like nginx don't support .htaccess. This leaves users
with a situation where installation on any web server other than Apache
will by default lead to a configuration where the local.xml file can be
downloaded by anyone over the Internet. Even worse, the installation
doc doesn't mention this issue [1].

In June I scanned the Alexa top 1 Million and found 324 vulnerable
installations (out of 10501 magento installations in total). I tried to
inform the affected parties via their abuse contacts.


Recommended Fix
===============

The core of this issue is that using an XML file in the web root to
configure a PHP application is inherently dangerous. There is no
software-independent way to make sure such a configuration doesn't get
exposed. I think the only reasonable safe way to store configurations
for PHP applications is in .php files. If you want to keep using XML
configurations you could store them in a multiline string within a PHP
file.

As this is a severe change a mitigation would be to let the backend
interface check via javascript whether access to the config file is
properly prevented. If the local.xml is accessible magento should
refuse to operate.

At the very least this needs to be properly documented within the
installation docs.

[1] http://devdocs.magento.com/guides/m1x/install/installing.html


Comment / relation to other issues
==================================

There is a general problem for PHP applications that there is no
server-independent way to prevent access to files. Many use htaccess,
which is insufficient, as it only works on Apache. Recently the Free
Software Foundation had a security issue [2] with Drupal's
backup_migrate module that was based on a very similar problem.

Therefore it should generally be considered an anti-pattern to store
secret files within PHP apps in the web root. Possible solutions are
storage outside of the web root, storage in databases or storage within
PHP code (as it's commonly done for configuration files).

[2] http://www.openwall.com/lists/oss-security/2017/10/29/1

Disclosure
==========

2017-06-17 Reported via Magento's Bugcrowd Bug Bounty
2017-06-19 Reply that this has already been reported on 2017-03-28 by
someone else.
2017-06-24 I asked whether this will be fixed/changed and whether there
is a timeline for disclosing the original report. No reply.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.