Security checks in beta


Although we aspire to deliver all our Magereport.com security checks (the Magento patch checks in particular) as accurately as possible, we have noticed that the short time between a patch release and the development of a check does not always allow for this. Therefore we sometimes release a check in beta. This article explains why a check is in beta and gives the technical details of how we developed it, so that you can check your Magento shop even more thoroughly.

As soon as the check is no longer in beta status, we’ll update this article. At this moment the security checks in beta are:

  • Magento patch SUPEE-7405 check

Magento patch SUPEE-7405

Most of the changes in SUPEE-7405 are in the admin backend, and MageReport does not always know where the admin backend is located and certainly cannot log in to it. We also cannot check for most of the XSS fixes, as that requires a real admin to log in. This makes SUPEE-7405 particularly hard to test for. We are working on improving the check. Please notify us if you have a shop that gives an incorrect result in MageReport, so that we can use that case to improve our check.

How does the SUPEE-7405 check work?

There are two changes in behavior that the check uses to determine whether your shop has SUPEE 7405 installed:

  1. The validation of the `form_key` parameter when deleting something from your shopping cart.
  2. The case sensitivity of the action that is used to add something in the shopping cart.

Form key validation when deleting from shopping cart

SUPEE-7405 adds validation to the deleteAction in the CartController: it checks whether a valid `form_key` was submitted, which prevents other sites from deleting items from your shopping cart through a CSRF attack. Normally you provide an item ID to the delete action to indicate which item you want to delete. Before the patch, if you passed no item ID, the action simply did nothing. With the new validation, the action first checks the form key and raises an error if that check fails, even when no item ID is given.

We use this in the MageReport check: we send a POST request to `/checkout/cart/delete` without a form key and check whether there is an error message in the resulting page. If there is, the form-key validation failed, which means the patch is applied.

Case sensitivity when adding to the shopping cart

Several vulnerabilities in Magento had to do with the case sensitivity of URLs. The code would check whether someone is allowed to access `forgotpassword`, but knew nothing of `ForgotPassword`. Another, case-insensitive, piece of code would then still serve the page, although you should not have access to it. To prevent these kinds of attacks, Magento made some of these action-name comparisons case insensitive in SUPEE-7405. The addAction in the CartController calls the `_goBack` function, which contains the following code:

    if ((strtolower($this->getRequest()->getActionName()) == 'add') &&
        !$this->getRequest()->getParam('in_cart')) {
        $this->_getSession()->setContinueShoppingUrl($this->_getRefererUrl());
    }

The `strtolower` here is new in SUPEE-7405, making the comparison with `add` case insensitive. The line inside the `if` saves the HTTP Referer header in the session, to be shown as the continue-shopping link on the shopping cart page. The MageReport check for this patch uses this to its advantage by checking whether the `/checkout/cart/add` URL is case sensitive or not: we request `/checkout/cart/aDD` with a specific Referer header. If that Referer is then used on the cart page, the `strtolower` is present and the patch is applied.
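The two probes described above (the form-key check on `/checkout/cart/delete` and the mixed-case `/checkout/cart/aDD` request with a recognisable Referer) can be reproduced against your own shop with the script below. This is an added example and not MageReport's own code. It assumes a stock Magento 1 front end that renders session error messages as `<li class="error-msg">` and prints the stored continue-shopping URL on the cart page; it also assumes that Magento only keeps referers pointing into the shop itself, so the marker Referer is a hypothetical, non-existent path under the shop's own URL. The sample pages at the bottom are constructed, not captured from a real shop, so the decision logic can be exercised offline.

```python
"""Re-implementation of the two SUPEE-7405 behaviour probes (added example)."""
import html as htmlmod
import http.cookiejar
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

# Assumption: Magento 1 renders a session error as <li class="error-msg">
# inside <ul class="messages">. That markup is what signal 1 looks for.
ERROR_MSG_RE = re.compile(r'<li[^>]*\bclass="[^"]*\berror-msg\b')


def page_has_error_message(page):
    """Signal 1: did the page shown after POST /checkout/cart/delete carry an error?"""
    return ERROR_MSG_RE.search(page) is not None


def marker_present(page, marker):
    """Signal 2: did the cart page echo the Referer we sent to /checkout/cart/aDD?

    The stored URL may be printed raw, HTML-escaped or JS-escaped; accept all three.
    """
    variants = (marker, htmlmod.escape(marker), marker.replace("/", "\\/"))
    return any(v in page for v in variants)


def verdict(delete_rejected, marker_echoed):
    """Either signal alone already exercises code that only the patch adds."""
    if delete_rejected and marker_echoed:
        return "patched"
    if delete_rejected or marker_echoed:
        return "probably patched (one of two signals)"
    return "probably unpatched"


class Supee7405Probe:
    """Runs both probes against one shop, sharing one Magento session cookie."""

    def __init__(self, base_url):
        self.base_url = base_url.rstrip("/")
        # Hypothetical path under the shop's own URL (assumption: only internal
        # referers are stored); it must not otherwise occur on the cart page.
        self.marker = self.base_url + "/supee-7405-probe-marker"
        jar = http.cookiejar.CookieJar()  # error message and URL live in the session
        self.opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))

    def _fetch(self, path, data=None, headers=None):
        req = urllib.request.Request(self.base_url + path, data=data, headers=headers or {})
        try:
            with self.opener.open(req, timeout=15) as resp:
                return resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:  # a 4xx/5xx page is still a page
            return err.read().decode("utf-8", "replace")

    def delete_without_form_key(self):
        # No item id and no form_key. Unpatched: the action silently does nothing.
        # Patched: validation fails and the page we are redirected to shows the error.
        body = urllib.parse.urlencode({"id": ""}).encode()
        return page_has_error_message(self._fetch("/checkout/cart/delete/", data=body))

    def add_with_mixed_case(self):
        # 'aDD' still dispatches to addAction (PHP method names are case-insensitive),
        # but only the patched strtolower() comparison stores our Referer.
        self._fetch("/checkout/cart/aDD/", headers={"Referer": self.marker})
        return marker_present(self._fetch("/checkout/cart/"), self.marker)

    def run(self):
        return verdict(self.delete_without_form_key(), self.add_with_mixed_case())


# Constructed sample pages (not captured from any real shop) for an offline run.
SAMPLE_MARKER = "http://shop.example/supee-7405-probe-marker"
SAMPLE_CART_PATCHED = (
    '<ul class="messages"><li class="error-msg"><ul><li><span>(constructed error text)'
    '</span></li></ul></li></ul><button onclick="setLocation(\'' + SAMPLE_MARKER + '\')">')
SAMPLE_CART_UNPATCHED = '<button onclick="setLocation(\'http://shop.example/\')">'


def offline_demo():
    """Evaluate both signals on the constructed pages; returns (patched, unpatched)."""
    patched = verdict(page_has_error_message(SAMPLE_CART_PATCHED),
                      marker_present(SAMPLE_CART_PATCHED, SAMPLE_MARKER))
    unpatched = verdict(page_has_error_message(SAMPLE_CART_UNPATCHED),
                        marker_present(SAMPLE_CART_UNPATCHED, SAMPLE_MARKER))
    return patched, unpatched


if __name__ == "__main__":
    print(Supee7405Probe(sys.argv[1]).run() if len(sys.argv) > 1 else offline_demo())
```

Run it as `python probe.py https://your-shop.example` to test a live shop you own, or without arguments to see the verdicts for the constructed pages. Note that any other error message on the cart page (an unrelated session notice, for instance) would also satisfy signal 1, which is one reason to combine it with the Referer signal rather than trusting either alone.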

Future improvements

We currently use the two behaviour changes described above in our check. There are some more changes that we could use, but we still need to investigate these further:

  • The `forgotpassword` action in the admin has become case insensitive and now checks the form key. This could be used to check whether the patch is installed if you know the admin URL. We do not always have the admin URL available in MageReport, and we are hesitant to ask people for it since it is supposed to be kept secret.
  • Posting of guest reviews now has a case insensitive URL. This can also be used to check for the patch, but only works if you have guest reviews disabled for your shop.

Feel free to contact us

We are working on improving the check. Please notify us if you have a shop that gives an incorrect result in MageReport, or if you have an idea on how to improve the check, so that we can use your case to improve it.
