<p>Bojan Zelic, Software Engineer. Feed: https://bojan.zelic.io/feed.xml (generated by Jekyll, updated 2022-12-29T19:43:07+00:00)</p>
<p>Magento Product File Upload Vulnerability (published 2016-09-14T00:00:00+00:00, updated 2016-09-15T01:11:26+00:00) https://bojan.zelic.io/dev/magento-product-file-upload-vulnerability</p>
<p>I’ve recently discovered an arbitrary file download vulnerability in a Magento plugin: <a href="http://www.magentocommerce.com/magento-connect/product-file-upload-2.html">Product File Upload</a>. Honestly, I’m not sure what we could have expected from a 10 dollar plugin. It opens up a huge security hole that grants access to every file on the server: the vulnerability allows anyone to download basically any file, unrestricted.</p>
<p>I’ve submitted the vulnerability to KSV Treasurebox with no response.</p>
<p>The exploit boils down to not sanitizing user inputs. It’s not an uncommon vulnerability that inexperienced developers face.</p>
<p>Take a look at the example of a url that the plugin generates:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>/index.php/productfileupload/index/download?file=productfileupload/productfileupload/File-990000.jpg
</code></pre></div></div>
<p>Looks bad, right? It is. I wonder what would happen if we were to alter the GET parameter with… I don’t know… let’s say the following:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>/index.php/productfileupload/index/download?file=.htaccess
/index.php/productfileupload/index/download?file=../../../../etc/passwd
/index.php/productfileupload/index/download?file=../etc/local.xml
</code></pre></div></div>
<p><img src="/assets/images/frustrated.gif" alt="Frustrated" /></p>
<p>Here’s an example /etc/passwd file that could be retrieved from a server with the plugin installed. If Apache ran as root (sidenote: never run Apache as root) we could even get the /etc/shadow file and other sensitive documents off the server.</p>
<p><img src="/assets/images/passwd.png" alt="Passwd file" /></p>
<h4 id="what-can-we-learn">What can we learn?</h4>
<p>If you’re doing something similar in your code, stop. Store the file location in the database and load the file via a GUID or another opaque identifier. At the very least, don’t allow traversing up directories in the GET parameter. Always sanitize your inputs and never assume that something like this can’t happen.</p>
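<p>A safer shape for the download action, as an added example written for this post rather than taken from the plugin or from Magento: the URL carries only an opaque UUID, the path comes from the database, and the resolved path is still confined to the upload root with realpath(). The PDO handle, the product_files table and the base directory are assumptions; it targets PHP 7.1 or later.</p>

```php
<?php
// Added example (not the plugin's code): a download action that takes no
// filesystem path from the request. Assumed: PHP 7.1+, a PDO handle, and a
// table product_files(file_uuid, path) filled in when a file is uploaded.
declare(strict_types=1);

const FILE_BASE_DIR = '/var/www/magento/media/productfileupload'; // assumed upload root

// Resolve the client-supplied identifier to a path, or null if it is not one
// of ours. Only an opaque UUID travels in the URL; the path lives in the DB.
function resolveProductFile(PDO $db, string $uuid): ?string
{
    if (!preg_match('/^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/', $uuid)) {
        return null; // not a UUID at all, so do not even query
    }
    $stmt = $db->prepare('SELECT path FROM product_files WHERE file_uuid = :uuid');
    $stmt->execute([':uuid' => $uuid]);
    $path = $stmt->fetchColumn();
    return $path === false ? null : confineToBaseDir(FILE_BASE_DIR, (string) $path);
}

// Defence in depth: whatever the database says, the file must resolve inside
// the upload directory. realpath() collapses "..", "." and symlinks, so the
// comparison is made on canonical paths, not on the raw string.
function confineToBaseDir(string $baseDir, string $path): ?string
{
    $base = realpath($baseDir);
    $real = realpath($path);
    if ($base === false || $real === false) {
        return null;
    }
    return strpos($real, $base . DIRECTORY_SEPARATOR) === 0 ? $real : null;
}

// The controller action: unknown id, missing file and escaped path all get 404.
function downloadAction(PDO $db, array $query): void
{
    $path = resolveProductFile($db, (string) ($query['id'] ?? ''));
    if ($path === null || !is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
```

<p>With this shape, a request like <code>?id=../../../../etc/passwd</code> fails the UUID check before any filesystem or database access, and a bad row in the database still cannot point outside the upload root.</p>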
<p>In conclusion…</p>
<p>A good portion of sites are affected. If you have this extension installed, I suggest you get rid of this plugin ASAP. A simple Google query reveals a sample list of potential targets, but there could be a lot more.</p>
<p><img src="/assets/images/product_file_upload_google_search.png" alt="Google Search" /></p>
<p>Bojan Zelic</p>
<p>Kohana - Caching Database Columns (published 2014-11-30T00:00:00+00:00, updated 2014-12-01T01:11:26+00:00) https://bojan.zelic.io/dev/kohana-caching-database-columns</p>
<p>Did you know that an extra query gets run every time you initialize a new model in Kohana?</p>
<p>It looks like this</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SHOW COLUMNS FROM table_name
</code></pre></div></div>
<p>Personally, I believe one of the more annoying “features” of Kohana’s ORM is that the column list of database models is never cached. When you enable debugging and view the queries that are run, the “List Columns” query might actually be one of the heaviest.</p>
<p>If you’re using multiple models on a page, or if your database lives on a separate networked machine, it makes sense to reduce the extra trips to the database and cache the results locally, especially considering how easy it is to include this code in your project.</p>
<p>I found some code on their forums and wanted to share it. Considering they’re moving their forums, this might be difficult to find in the future, so I’m hoping this post may help somebody someday.</p>
<p>ORM.php</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>class ORM extends Kohana_ORM
{
    /**
     * Override of Kohana_ORM::reload_columns(): serve the column list from a
     * per-model PHP cache file instead of running SHOW COLUMNS on every model
     * initialisation. Delete the cache files after any schema change.
     */
    public function reload_columns($force = false)
    {
        if ($force === true || empty($this->_table_columns))
        {
            // _object_name is derived from the model class name, not from user input
            $table_column_cache_name = APPPATH . "cache/model_table_columns_" . $this->_object_name . ".php";
            // Check if we have a cache file
            if (file_exists($table_column_cache_name))
            {
                // Grab our table columns from the include
                $this->_table_columns = include $table_column_cache_name;
            }
            else
            {
                // Grab column information from the database
                $this->_table_columns = $this->list_columns(true);
                // Export our table columns as PHP source to the cache file. Write to a
                // temporary file and rename it so a concurrent request never includes a
                // half-written file.
                $tmp = $table_column_cache_name . "." . uniqid("", true);
                file_put_contents($tmp, "<?php return " . var_export($this->_table_columns, true) . ";");
                rename($tmp, $table_column_cache_name);
            }
        }
        return $this;
    }
}
</code></pre></div></div>
<p>Basically all you need to do is extend the Kohana_ORM class with your own version and override the reload_columns function. The cached column list goes stale whenever the schema changes, so if you have automated migrations, all you need to do is delete the cache files after they run, as in the following script.</p>
<p>start.sh</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>#!/bin/bash
set -e
# Run pending migrations, then drop the column caches so the next request
# rebuilds them from the updated schema (-f: no error if none exist yet).
./minion migrations:run
rm -f ./application/cache/model_table_columns*
</code></pre></div></div>
<p>I’ve recently used this code in a project and had a lot of success with it.</p>
<p>Credits: <a href="http://forum.kohanaframework.org/discussion/3949/orm-file-based-column-cache/p1">Kohana Forums</a></p>
<p>Bojan Zelic</p>