Magento 2 Extension Security

I recently did a penetration test on a Magento 2 website for a client; what I found interesting was that the major vulnerabilities didn't lie in the client's code but rather in the extensions they were using.

These were extensions that appeared to be widely used in the Magento 2 community, yet they had extremely trivial vulnerabilities. This led me down a rabbit hole of research regarding Magento 2 security, which is best summarized by the following two articles:

It would appear that extensions are a hotbed of security issues and often the cause of Magento 2 websites being hacked. With this in mind, once my engagement was over I spent a bit of my own time over a weekend looking into a couple of extensions, and what I found was again extremely trivial vulnerabilities.

This article details these discovered vulnerabilities (sadly not the ones from the client engagement), and also details the relevant inbuilt Magento 2 protections for anyone who might want to do research of their own. Lastly I finish off with general recommendations.

Identified vulnerabilities have been reported to the vendors, and added to the magevulndb repo.

Furthermore the Mageme - WebForms Pro M2 Vulnerability has been assigned CVE-2020-12635 and the Land of Coder - Form Builder for Magento 2 Vulnerability has been assigned CVE-2020-13423.


Magento 2 Inbuilt Protections

Magento 2 has a number of in built protections and security mechanisms. Some relevant ones for the topic of extensions are:
• The .htaccess file inside /pub/media specifically disallows the execution of PHP in order to prevent PHP webshells, as this directory is where user-uploaded files generally end up
• The admin session cookie is set with HttpOnly to stop JavaScript from reading admin tokens

On the first point, this is dependent on the user's configuration; the default configuration of Magento 2 disallows PHP execution, however this could easily be modified for whatever reason by the host. Another point on file uploads is that if the extension allows a directory traversal then an attacker could simply place the webshell in a directory that does allow PHP execution (among many other attacks).

On the second point, an attacker exploiting XSS could still execute a JavaScript payload against the admin that performs unauthorized actions without the user's consent, inject a phishing form into the application, hook the victim's browser with BeEF, etc.

So it should be noted that while these protections help to mitigate certain attacks, a lot can still be done by an attacker, and thus it's important for anyone developing extensions to adhere to secure coding standards and properly security test their extension before launching.


Magezon - BlueFormBuilder

Want to create various forms for your customers to fill out but have no coding skills? Decide to hire a programmer but feel tired of waiting 5-7 days to build a complete form? And on top of that, feel worried about paying as much as hundreds of dollars for the programmer? Then let Blue Form Builder take the load off your mind.

The BlueFormBuilder uses a flawed (presumably built in house) function for removing malicious input such as script tags. This can be seen below:

public function removeScript($string, $allowableTags = '<p> <b>', $allowHtmlEntities = null)
{
    if (is_array($string)) {
        foreach ($string as &$row) {
            if (is_string($row)) {
                $row = $this->_stripTags($row, $allowableTags, $allowHtmlEntities);
            }
        }
    } else {
        $string = $this->_stripTags($string, $allowableTags, $allowHtmlEntities);
    }
    return $string;
}

private function _stripTags($string, $allowableTags, $allowHtmlEntities)
{
    $string = preg_replace('#<script(.*?)>(.*?)</script>#is', '', $string);
    $string = preg_replace('#<style(.*?)>(.*?)</style>#is', '', $string);
    // $string = $this->filterManager->stripTags(
    //     $string,
    //     ['allowableTags' => $allowableTags, 'escape' => $allowHtmlEntities]
    // );
    return $string;
}
Line 365 of \app\code\blueform\builder\core\helper\data.php

It's extremely trivial to bypass this: the $allowableTags parameter is never used by _stripTags() (the call that would have used it is commented out), so setting it to <p> and <b> has no effect at all (not that it would have provided much protection anyway). Only literal <script> and <style> elements are removed; any other tag, and any event-handler attribute, passes straight through.

We can see this being exploited below using an <a> tag in the name field:

There are plenty of other tags and attributes that can be used in nearly every field within the extension, but for the sake of readability I'll leave it there. The vulnerabilities were reported to Magezon and have been reported as fixed; however, I haven't verified this, nor have I seen a patch pushed to their website yet.
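To show why stripping known-bad tags fails where output encoding succeeds, here is an added example (my own code, not the extension's) that reproduces the two regexes from _stripTags() next to htmlspecialchars(), the plain-PHP equivalent of Magento's $escaper->escapeHtml(), and runs both over a few constructed form values including the <a> tag case:

```php
<?php
// Added example, not BlueFormBuilder code: the extension's regex filter
// reproduced beside contextual output encoding of the same submitted values.

// Same two regexes as the extension's _stripTags(); $allowableTags is ignored there.
function extensionStyleStrip(string $s): string
{
    $s = preg_replace('#<script(.*?)>(.*?)</script>#is', '', $s);
    $s = preg_replace('#<style(.*?)>(.*?)</style>#is', '', $s);
    return $s;
}

// Output encoding for an HTML text context. In a Magento block or template
// this is $escaper->escapeHtml($value) (Magento\Framework\Escaper); the
// plain-PHP equivalent is used here so the example runs stand-alone.
function renderSafely(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed submissions: a benign name, the one case the filter handles,
// and an <a> tag with an event handler like the case described above.
$submissions = [
    'Jane Doe',
    '<script>alert(1)</script>',
    '<a href="#" onmouseover="alert(1)">Jane</a>',
];

foreach ($submissions as $input) {
    $stripped = extensionStyleStrip($input);
    $escaped  = renderSafely($input);
    // Any '<' that survives the filter is still live markup once rendered;
    // the encoded version never is, whatever the input contained.
    $verdict = (strpos($stripped, '<') !== false) ? 'MARKUP SURVIVES' : 'ok';
    printf("input:    %s\nstripped: %s (%s)\nescaped:  %s\n\n",
        $input, $stripped, $verdict, $escaped);
}
```

The second and third inputs make the point: the filter only ever catches the first of them, while escaping at render time handles all three without needing to know which tags are dangerous.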


Mageme - WebForms Pro M2

The plugin doesn’t require any coding skills to use it. Be it a simple sidebar contacts form or 50 questions survey our form builder can handle it with ease. Our form builder has been known for its reliability and has earned recognition among Magento 2 professionals.

The Mageme WebForms Pro M2 extension contained a couple of stored XSS vulnerabilities. The first was rather trivial to exploit via the 'textarea' field option for forms: simply place script tags in the field and voilà:

The second was a bit more interesting; it related to how the extension handled account usernames. If the username contained a payload, the extension would execute it when loaded, as shown in the following screenshot:

Vulnerabilities were reported to Mageme and resolved in 2.9.17/2.9.18; the developer was extremely pleasant to work with and resolved the issues within the day of being reported.

Another interesting function in this extension was the upload function which, while not directly exploitable, was insecure from a secure coding perspective. The relevant code for the file upload extension filter can be found below:

public function getRestrictedExtensions()
{
    return array('php', 'pl', 'py', 'jsp', 'asp', 'htm', 'html', 'js', 'sh', 'shtml', 'cgi', 'com', 'exe',
        'bat', 'cmd', 'vbs', 'vbe', 'jse', 'wsf', 'wsh', 'psc1');
}
Line 541 of app/code/vladimirpopov/webforms/model/field.php
$restricted_extensions = $this->getRestrictedExtensions();
// check for restricted extensions
if (count($restricted_extensions)) {
    preg_match('/\.([^\.]+)$/', $file['name'], $matches);
    $file_ext = strtolower($matches[1]);
    if (in_array($file_ext, $restricted_extensions)) {
        $errors[] = __('Uploading of potentially dangerous files is not allowed.');
    }
}
Line 968 of app/code/vladimirpopov/webforms/model/field.php

It's best practice to use a whitelist instead of a blacklist for file extensions, and we can see exactly why in this case: the blacklist does not include the extensions php5 and php4. However, in the case of this extension the saved file name is randomly generated, which mangles the extension. Combined with the default Magento 2 configuration, this means that despite the insecure code the extension's file upload isn't directly exploitable to any valuable level.
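As an added example (my own code, not WebForms Pro's) of the point above, the following reproduces the extension's extension-extraction and blacklist check alongside a whitelist check and runs both over constructed file names, including the php5/php4 gap; the list of accepted extensions is an assumption for the example:

```php
<?php
// Added example, not WebForms Pro code: blacklist vs whitelist extension
// checks applied to constructed upload file names.

// The blacklist exactly as returned by getRestrictedExtensions().
const RESTRICTED = ['php', 'pl', 'py', 'jsp', 'asp', 'htm', 'html', 'js', 'sh',
    'shtml', 'cgi', 'com', 'exe', 'bat', 'cmd', 'vbs', 'vbe', 'jse', 'wsf',
    'wsh', 'psc1'];

// Assumed set of types a contact form actually needs to accept.
const ALLOWED = ['pdf', 'png', 'jpg', 'jpeg', 'gif', 'txt'];

// Mirrors the extension: take everything after the last dot and look it up.
function blacklistRejects(string $name): bool
{
    if (!preg_match('/\.([^\.]+)$/', $name, $m)) {
        return false;   // no extension at all: the extension's code would index
                        // an empty $matches here and never reject
    }
    return in_array(strtolower($m[1]), RESTRICTED, true);
}

// Whitelist: only explicitly permitted extensions pass, everything else fails
// closed, so php5/php4 and future variants never need to be enumerated.
function whitelistAccepts(string $name): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return $ext !== '' && in_array($ext, ALLOWED, true);
}

// Constructed names: one the blacklist catches, the php5/php4 gap noted
// above, a benign upload, an upper-case variant and a name with no extension.
$names = ['shell.php', 'shell.php5', 'shell.PhP4', 'report.pdf', 'photo.JPG', 'notes'];

foreach ($names as $name) {
    printf("%-12s blacklist: %-9s whitelist: %s\n",
        $name,
        blacklistRejects($name) ? 'rejected' : 'ALLOWED',
        whitelistAccepts($name) ? 'accepted' : 'rejected');
}
```

The blacklist lets shell.php5, shell.PhP4 and the extensionless name through, while the whitelist accepts only report.pdf and photo.JPG.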


Land of Coder - Form Builder for Magento 2

Magento 2 Form Builder is a comprehensive solution that will enable the Magento 2 store owners to create multiple contact forms with eye-catching template.

This extension contained multiple instances of trivially exploitable stored cross-site scripting, because user input on several fields was not validated, despite the extension having a complex (and somewhat convoluted) function that removes 'dangerous' input.
I guess the developers didn't expect someone to try to put malicious input in the User-Agent?

Stored Cross Site Scripting in the User-Agent field:

Stored Cross Site Scripting in the Current_url field:

Stored Cross Site Scripting in the email field:

Vulnerabilities were reported to Land of Coder at their request; however, no direct response regarding them has been provided as of writing. Out of curiosity I also went off the topic of web forms and tested the Chat System extension by Land of Coder, which quite literally had no validation or escaping, as shown:

Don't even need to open up Burp for this one!


Remediation and Next Steps

These vulnerabilities show that Magento 2 extensions can be particularly insecure: even a cursory pass over them will yield potentially exploitable vulnerabilities.

If you're an Admin of a Magento 2 website and worried about the security of your extensions then I recommend that you use the following vulnerability scanner which will scan over your Magento 2 installation and cross check the installed extensions with a list of known vulnerable extensions:

However, this will only detect known vulnerabilities and doesn't provide any assurance regarding the actual security of an extension; for that, the only options are to have the code audited or penetration tested.

If you're a security researcher then welcome to the wild west of Magento 2 extensions; it's like the old days of WordPress addons! I'd highly recommend going out, grabbing a few extensions and having a crack at it; I think there's a lot out there in terms of research to be done. A lot of potentially untested payment extensions out there...