Magento database tool Magmi has a zero-day vulnerability

Magento has contacted the websites that appear to be vulnerable, Trustwave said

An open-source tool for importing content into the Magento e-commerce platform, called Magmi, has a zero-day vulnerability, according to security vendor Trustwave.

The directory traversal flaw is in some versions of Magmi, which is used to move large amounts of data into Magento's SQL database. Such a flaw can allow an attacker to read files or directories outside the location the application is meant to expose.

"Successful exploitation results in access to Magento site credentials and the encryption key for the database," wrote Assi Barak, lead security researcher with Trustwave's SpiderLabs.

Barak wrote that Trustwave has notified Magmi's developer and Magento, which has contacted the operators of 1,700 websites that appear to be vulnerable.

Magmi can be downloaded from GitHub or SourceForge, but only the version on SourceForge is vulnerable, Barak wrote.

The SourceForge version of Magmi, 0.7.21, appears to have been last updated on Dec. 2, 2014, while the GitHub version has been modified over the last month and is not vulnerable.

"While the two repositories are said to remain in sync, that doesn't appear to be the case," Barak wrote.

Trustwave picked up on the problem after seeing HTTP requests that looked like exploit attempts. The structure of the requests -- which included "../.." -- showed "an attempt to access the Linux password file by backtracking the path."

Trustwave's finding suggests "that bad actors are aware of the vulnerability and how to exploit it," Barak wrote.
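As an added illustration of the kind of detection Trustwave describes (spotting "../.." sequences in request paths and parameters), the following Python scans constructed web-server access-log lines for traversal segments, including percent-encoded and double-encoded forms. It is not Trustwave's or Magmi's code; the script names, parameter names and client addresses in the sample lines are hypothetical.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (not from the article); script names, parameter names and IPs are hypothetical.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Oct/2015:10:01:02 +0000] "GET /magmi/web/index.php HTTP/1.1" 200 512
203.0.113.5 - - [13/Oct/2015:10:01:03 +0000] "GET /magmi/web/getfile.php?file=../../etc/passwd HTTP/1.1" 200 1200
198.51.100.7 - - [13/Oct/2015:10:02:00 +0000] "GET /magmi/web/getfile.php?file=..%2F..%2Fapp%2Fetc%2Flocal.xml HTTP/1.1" 200 3000
198.51.100.7 - - [13/Oct/2015:10:02:05 +0000] "GET /magmi/web/getfile.php?file=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 404 200
192.0.2.9 - - [13/Oct/2015:10:03:00 +0000] "GET /media/catalog/product/a/b/image.jpg HTTP/1.1" 200 8000
"""

# Common/combined log format: client address, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." standing alone as a path segment (with / or \ separators); "a..b" is not traversal.
TRAVERSAL_SEG = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def fully_decode(value, max_rounds=3):
    """Peel nested percent-encoding (%252F -> %2F -> /) until the string is stable."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value):
    """True if the decoded value contains a standalone '..' path segment."""
    return bool(TRAVERSAL_SEG.search(fully_decode(value)))


def scan_log(text):
    """Return one hit per request whose path or any query value carries a traversal segment."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        url = urlsplit(m["target"])
        # parse_qsl strips one encoding layer; has_traversal peels any remaining layers.
        candidates = [url.path] + [v for _, v in parse_qsl(url.query, keep_blank_values=True)]
        for value in candidates:
            if has_traversal(value):
                hits.append({"ip": m["ip"], "status": int(m["status"]), "value": fully_decode(value)})
                break  # one hit per request is enough for alerting
    return hits
```

Requests that were answered with 200 deserve the most attention, since a 200 on a traversal request suggests the file was actually served; a 404 still records that someone is probing.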

The vulnerable SourceForge version was downloaded some 2,800 times in September, Barak wrote. Magmi's SourceForge page on Tuesday showed it had been downloaded more than 500 times this week.
