How to protect Magento from Amasty Product Feed local file disclosure

in SecurityTroubleshooting

We have noticed a number of our customers have installed Amasty Product Feed, risking their webshop to being exploited by attackers. This article helps you to update the extension to fix this security issue.

On our Hypernode platform we have blocked this local file disclosure exploit by default. This will prevent attackers from accessing your files but does not fix the bug. It is highly recommended if you use this extension to upgrade to the latest version (version 3.3.4 or higher)

What is Amasty Product Feed for Magento

Amasty Feed is a Magento extension to create product feeds. A product feed is a file with data about all your store products, which you upload to comparison shopping engines like Google Product Search, Nextag, Amazon.com, etc.

This bug was found and reported by Jeroen Boersma

What is the security problem and what are the consequences?

Due to the lack of parameter sanitizing in a script in use by this extension it is possible to download any file where you know the location of, for example app/etc/local.xml.
This way you could expose database credentials and admin paths.

This would mean that your shop could easily be abused. Attackers could, for example, download your local.xml which includes your webshop’s database credentials and admin URL.

More info about the bug in detail can be found on Jeroen’s github page

How to proceed when your shop is using this extension

Amasty fixed the bug in the extension and released a safe version: 3.3.4.
By upgrading to this version, your shop is protected against this security issue.

If you don’t know how to update Magento extensions, please ask your Technical contact to help you with the update.

Hypernode protection

We blocked all requests to the download URL of this extension to avoid attackers to abuse this exploit by adding an include file in /data/web/nginx/amastyfeed.conf on all Hypernodes. Details on changelog. This will prevent attackers from accessing your files but does not fix the bug.

If this blockage causes issues with other extensions, upgrade the extension first to version 3.3.4 or higher before overriding the blockage.
After upgrading the extension, you can adjust the amastyfeed.conf config file in /data/web/nginx to your needs or remove the file completely.

Need help?

Magento is no easy open source CMS. Although we’re very skilled in hosting Magento shops, making them fast and keeping conversion high, we’re no Magento developers. 
Luckily, we know a lot of agencies that do know a lot about how Magento works.

If you need help, don’t hesitate to contact one of these agencies.

0