{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/openmage/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenMage LTS"],"_cs_severities":["high"],"_cs_tags":["openmage","rce","file-upload","php"],"_cs_type":"advisory","_cs_vendors":["OpenMage"],"content_html":"\u003cp\u003eOpenMage LTS is susceptible to remote code execution (RCE) due to an insufficient blocklist in its custom option file upload functionality. The application fails to adequately filter PHP-executable file extensions, only blocking \u003ccode\u003e.php\u003c/code\u003e and \u003ccode\u003e.exe\u003c/code\u003e. Attackers can bypass this restriction by uploading files with alternative PHP extensions like \u003ccode\u003e.phtml\u003c/code\u003e, \u003ccode\u003e.phar\u003c/code\u003e, \u003ccode\u003e.php3\u003c/code\u003e, \u003ccode\u003e.php4\u003c/code\u003e, \u003ccode\u003e.php5\u003c/code\u003e, \u003ccode\u003e.php7\u003c/code\u003e, and \u003ccode\u003e.pht\u003c/code\u003e. These uploaded files are stored in the \u003ccode\u003emedia/custom_options/quote/\u003c/code\u003e directory. If the server configuration (e.g., Apache with PHP-FPM or Nginx with a misconfigured .phtml handler) does not restrict script execution in this directory, attackers can execute arbitrary code. Successful exploitation allows attackers to compromise the server fully. The vulnerability exists in versions of OpenMage LTS up to and including 20.16.0. The vulnerable file is \u003ccode\u003eapp/code/core/Mage/Catalog/Model/Product/Option/Type/File.php\u003c/code\u003e within the \u003ccode\u003e_validateUploadedFile()\u003c/code\u003e function.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an OpenMage LTS instance with a vulnerable configuration (e.g., Apache with PHP-FPM) and a file upload form using the custom options feature.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious PHP webshell (e.g., \u003ccode\u003eshell.phtml\u003c/code\u003e) designed to execute system commands via HTTP GET parameters.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious file, \u003ccode\u003eshell.phtml\u003c/code\u003e, through the product custom option file upload form, bypassing the insufficient file extension blocklist.\u003c/li\u003e\n\u003cli\u003eOpenMage stores the uploaded file in the \u003ccode\u003emedia/custom_options/quote/\u003c/code\u003e directory, creating subdirectories based on the first two characters of the filename.\u003c/li\u003e\n\u003cli\u003eOpenMage calculates the filename based on the MD5 hash of the file content and stores it with the original extension (e.g., \u003ccode\u003ed9bb4d647f16d9e7edfe49216140de2879.phtml\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a URL to access the uploaded webshell, pre-calculating the full path based on the filename and file content.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP request to the crafted URL, including a \u003ccode\u003ecmd\u003c/code\u003e parameter with the desired system command.\u003c/li\u003e\n\u003cli\u003eThe server executes the PHP code in the uploaded webshell, resulting in arbitrary code execution on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to achieve Remote Code Execution (RCE) on the OpenMage LTS server. This can lead to full server compromise, enabling attackers to exfiltrate sensitive data such as database credentials, customer PII, and payment information. Attackers can use the compromised server as a pivot point to move laterally within the internal infrastructure and potentially inject malicious code into served content, leading to a supply chain attack. The vulnerability affects versions of OpenMage LTS up to and including 20.16.0.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenMage LTS to a patched version that includes a comprehensive file extension blocklist.\u003c/li\u003e\n\u003cli\u003eConfigure your web server (e.g., Apache, Nginx) to explicitly deny script execution in the \u003ccode\u003emedia/custom_options/quote/\u003c/code\u003e directory to prevent execution of uploaded files.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect OpenMage Webshell Upload via .phtml\u0026quot; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor web server access logs for requests to files with PHP-executable extensions (e.g., \u003ccode\u003e.phtml\u003c/code\u003e, \u003ccode\u003e.phar\u003c/code\u003e, \u003ccode\u003e.php3\u003c/code\u003e, \u003ccode\u003e.php4\u003c/code\u003e, \u003ccode\u003e.php5\u003c/code\u003e, \u003ccode\u003e.php7\u003c/code\u003e, \u003ccode\u003e.pht\u003c/code\u003e) in the \u003ccode\u003emedia/custom_options/quote/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eApply web server hardening configurations as referenced in the advisory to prevent execution of arbitrary PHP files in media directories.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-02T14:22:00Z","date_published":"2024-05-02T14:22:00Z","id":"https://feed.craftedsignal.io/briefs/2024-05-openmage-rce/","summary":"OpenMage LTS is vulnerable to remote code execution due to an incomplete file upload blocklist, allowing attackers to upload PHP-executable files and execute arbitrary code on the server.","title":"OpenMage LTS Remote Code Execution via File Upload Bypass","url":"https://feed.craftedsignal.io/briefs/2024-05-openmage-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Openmage","version":"https://jsonfeed.org/version/1.1"}