An unpatched vulnerability in the Magento e-commerce platform could allow hackers to upload and execute malicious code on web servers that host online shops.

The flaw was discovered by researchers from security consultancy DefenseCode and is located in a feature that retrieves preview images for videos hosted on Vimeo. Such videos can be added to product listings in Magento.

The DefenseCode researchers determined that if the image URL points to a different file, for example a PHP script, Magento will download the file in order to validate it. If the file is not an image, the platform will return a “Disallowed file type” error, but won’t actually remove it from the server.
An attacker with access to exploit this flaw could achieve remote code execution by first tricking Magento to download an .htaccess configuration file that enables PHP execution inside the download directory and then downloading the malicious PHP file itself.

Once on the server, the PHP script can act as a backdoor and can be accessed from an external location by pointing the browser to it. For example, attackers could use it to browse the server directories and read the database password from Magento’s configuration file. This can expose customer information stored in the database, which in the case of online shops, can be very sensitive.

The only limitation is that this vulnerability cannot be exploited directly because the video-linking functionality requires authentication. This means attackers need to have access to an account on the targeted website, but this can be a lower-privileged user and not necessarily an administrator.

The authentication obstacle can also be easily overcome if the website doesn’t have the “Add Secret Key to URLs” option turned on. This option is intended to prevent cross-site request forgery (CSRF) attacks and is enabled by default.

CSRF is an attack technique that involves forcing a user’s browser to perform an unauthorized request on a website when visiting a different one.

“The attack can be constructed as simple as