
magevulndb's Introduction

Magento Vulnerability Database

List of Magento 1 and 2 integrations with known security issues. Objective: easily identify insecure 3rd party software in your Magento code base. See our blog for the rationale: Bad extensions now main source of Magento hacks & a solution

n98-magerun dev:module:security

The list contains these columns:

  1. Vendor_Name of the module
    • Reported under M1 using n98-magerun dev:module:list or Mage::getConfig()->getNode()->modules
    • Reported under M2 using bin/magento module:status
  2. The earliest safe version to use. Older versions are considered insecure.
  3. Part of the URL that attackers use to exploit this module. Can be used to search logfiles for malicious activity. (optional)
  4. Reference URL describing the problem. If no public statement is available, then the name of the researcher who discovered it.
  5. URL with upgrade instructions (optional)

Context

Magento is an attractive target for payment skimmers and the number of attacks has increased steadily since 2015. In 2018, attackers shifted from Magento core exploits (e.g., Shoplift, brute force attacks on admin passwords) to 3rd party software components. This poses a practical problem: there is no central place where one can (programmatically) find out whether a particular module version has known security issues. This repository solves that!

Usage

You can quickly scan your site against this repository using a Magerun module or a single-line command. Both require command line or SSH access to the server. Magerun is recommended as it can be easily scheduled or used on an ongoing basis, and provides better output. Both approaches load the latest vulnerability data on every run.

Magerun module (recommended)

  1. Install n98-magerun for Magento 1 or Magento 2.
  2. Install the Magento Vulnerability Database plugin.

For Magento 1:

mkdir -p ~/.n98-magerun/modules
cd ~/.n98-magerun/modules
git clone https://github.com/gwillem/magevulndb.git

For Magento 2:

mkdir -p ~/.n98-magerun2/modules
cd ~/.n98-magerun2/modules
git clone https://github.com/gwillem/magevulndb.git

  3. Scan your Magento install:

n98-magerun.phar dev:module:security

You can also use the -q flag to limit output to findings only.

n98-magerun.phar dev:module:security -q

You can check the exit code, for example to fail a build when a vulnerable module is detected:

  • exit code 0: no known vulnerabilities found
  • exit code 1: known vulnerabilities found
  • exit code 2: vulnerability data could not be loaded

No magerun installed under Magento 1?

To quickly check a Magento installation for vulnerable modules, run this command in SSH at your Magento 1 site root:

php -r 'require_once("app/Mage.php");Mage::app();$config=Mage::getConfig()->getNode()->modules;$found=array();$list=fopen("https://raw.githubusercontent.com/gwillem/magevulndb/master/magento1-vulnerable-extensions.csv","r");while($list&&list($name,$version)=list($row["module"],$row["fixed_in"],,$row["reference"],$row["update"])=fgetcsv($list)){if(isset($name,$version,$config->{$name},$config->{$name}->version)&&(empty($version)||version_compare($config->{$name}->version,$version,"<"))){$found[]=$row;}}if($found){echo "Found possible vulnerable modules: ".print_r($found,1);exit(1);}else{echo "No known vulnerable modules detected.";}'

You can check the exit code, for example to fail a build when a vulnerable module is detected:

  • exit code 0: no known vulnerabilities found
  • exit code 1: known vulnerabilities found

This script only works under Magento 1. For Magento 2, use Magerun instead.
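The same check, written out as a stand-alone Python script so the logic of the one-liner (read the CSV, look up each installed module, flag it when its version is below the fixed version or when no fixed version is known, exit 0/1/2) can be read and tested offline. This is an added example, not code from the magevulndb repository: the CSV rows and the installed-module snapshot are constructed, the column name "uri" is an assumption (the one-liner only names module, fixed_in, reference and update), and php_version_compare() is an approximation of PHP's version_compare() written here so that "1.0.10" sorts above "1.0.9" and date-style versions such as 2019-02-01 compare correctly.

```python
import csv
import io
import re
import sys

# Constructed sample in the five-column layout the README describes. The
# header name "uri" is an assumption; "module", "fixed_in", "reference" and
# "update" are the keys the README one-liner uses. All rows are made up.
SAMPLE_CSV = """module,fixed_in,uri,reference,update
Example_Slider,1.2.0,/slider/index/render,https://example.invalid/advisory-1,https://example.invalid/upgrade-1
Example_Gift,,/gift/cart/add;/gift/cart/remove,Researcher Name,
Example_Blog,2019-01-05,/blog/post/save,https://example.invalid/advisory-2,
_Example_NoVersion,2018-06-01,/noversion/ajax,https://example.invalid/advisory-3,
"""

# Constructed snapshot of what `n98-magerun dev:module:list` would report.
INSTALLED = {
    "Example_Slider": "1.1.9",     # older than fixed_in 1.2.0: flag it
    "Example_Gift": "3.0.0",       # no safe version known: always flag it
    "Example_Blog": "2019-02-01",  # date-style version, newer than the fix
    "Example_Other": "0.1.0",      # not in the database at all
}

# Ordering of PHP's special version forms: dev < alpha < beta < rc < number < pl.
_SPECIAL = {"dev": 0, "alpha": 1, "a": 1, "beta": 2, "b": 2, "rc": 3, "pl": 5, "p": 5}
_PAD = (3, 1)  # missing trailing component: above rc/beta/alpha, below any number


def _rank(part):
    if part.isdigit():
        return (4, int(part))
    return (_SPECIAL.get(part.lower(), -1), 0)  # unknown words sort lowest


def php_version_compare(a, b):
    """Approximation of PHP's version_compare(): returns -1, 0 or 1."""
    ra = [_rank(p) for p in re.findall(r"\d+|[A-Za-z]+", a)]
    rb = [_rank(p) for p in re.findall(r"\d+|[A-Za-z]+", b)]
    n = max(len(ra), len(rb))
    ra += [_PAD] * (n - len(ra))
    rb += [_PAD] * (n - len(rb))
    return (ra > rb) - (ra < rb)


def load_db(csv_text):
    """Parse the CSV; raise ValueError when it is not the expected layout."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    if not rows or not {"module", "fixed_in"} <= set(rows[0]):
        raise ValueError("unexpected vulnerability data layout")
    return rows


def scan(installed, db):
    findings = []
    for row in db:
        name = row["module"]
        # README conventions: "_" prefix = version not machine-detectable,
        # "?" = module not yet identified; neither can be matched by name.
        if name.startswith("_") or name == "?":
            continue
        version = installed.get(name)
        if version is None:
            continue
        fixed = (row.get("fixed_in") or "").strip()
        if not fixed or php_version_compare(version, fixed) < 0:
            findings.append({"module": name, "installed": version,
                             "fixed_in": fixed or None,
                             "reference": row.get("reference") or "",
                             "update": row.get("update") or ""})
    return findings


def exit_code(csv_text, installed):
    """0 = clean, 1 = vulnerable module found, 2 = data could not be loaded."""
    try:
        db = load_db(csv_text)
    except (ValueError, csv.Error):
        return 2
    return 1 if scan(installed, db) else 0


if __name__ == "__main__":
    for f in scan(INSTALLED, load_db(SAMPLE_CSV)):
        print("Potentially vulnerable: %(module)s %(installed)s (fixed in %(fixed_in)s) %(reference)s" % f)
    sys.exit(exit_code(SAMPLE_CSV, INSTALLED))
```

To use it against a real store, replace INSTALLED with the module/version pairs from dev:module:list and SAMPLE_CSV with the downloaded CSV; the exit code then follows the same 0/1/2 convention as the Magerun command, so a CI job can fail on 1 and treat 2 as "data unavailable" rather than "clean".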

Contributing

Contributions welcome. Requirements:

  • Either "name" or "uri" (in case of exploitation in the wild) is required.
  • A reputable, verifiable source is required.
  • In case of admin URL disclosure: the issue is not fixed by disabling the security compatibility mode.

Only security issues that have verified proof or are being actively exploited in the wild should be considered.

Please consider responsible disclosure before submitting zero-day vulnerabilities. If no immediate abuse is likely, please notify the vendor first and allow 30 days for a patch & release statement.

FAQ

Why a new repository?

There are many good initiatives already, however they either lack a simple web GUI, are too complicated to maintain or do not cover all extensions out there. For Magento 2, there is already excellent support via composer, please refer to Roave's SecurityAdvisories for automated composer integration. Still, Roave's approach requires you to run a composer command to check for new updates. With this Magerun command, you can leave the composer files untouched. Obviously, it also works on Magento 1 and 2 installs that are not managed by composer at all.

What if a module has multiple security issues over time?

We register the newest only and advise everybody to upgrade to the latest version. If people want to stick to an older (possibly insecure) version, they should study the relevant changelogs.

What about modules that are known under several names?

The name as registered in the code (and output by n98-magerun dev:module:list) is leading. If a module is known under several (code) names, then we should create duplicate entries, so that automated tools will not ignore such an entry.

What if I don't know the module name?

If you have a URL that is being attacked but don't know what module it belongs to, submit it but leave the name "?". It will be backfilled when the actual module is identified.

There are multiple sources, which should I use?

If the vendor has issued a security statement, that should be leading. Otherwise, a statement by a security researcher (Blog/Twitter) can be used. If a vendor has issued a statement that is false or misleading, an independent statement should take precedence.

Could we add more information X?

Indeed, but the main advantage of a simple CSV with few columns is that it's easy to browse, maintain and extend. Other projects have stalled because there is too much overhead in vulnerability administration. The primary objective of this repository is to support an n98-magerun command. If people want more information, they can look it up via the referenced source.

What is the Relevant URI column for?

This can be used by tools to filter "suspicious" web traffic from the logs, for example to check if malicious activity has already taken place. The URI should be enough to uniquely match the module's vulnerable URL(s), if possible.
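A worked example of that use, added here and not part of the magevulndb repository: it flattens the ";"-separated URI column into (fragment, module) pairs, parses access-log lines in combined format, and reports every request whose path contains a known vulnerable URI, marking whether the server actually answered it (2xx/3xx) or blocked it (403/404). The CSV rows, including a "?" entry for a URI that has not been tied to a module yet, and the log lines with documentation-range client addresses are constructed; the column name "uri" is an assumption.

```python
import csv
import io
import re

# Constructed database rows in the README's layout (header name "uri" is an
# assumption). A "?" module name follows the README convention for a URI that
# is being attacked but has not been tied to a module yet.
SAMPLE_CSV = """module,fixed_in,uri,reference,update
Example_Gift,,/gift/cart/add;/gift/cart/remove,Researcher Name,
Example_Slider,1.2.0,/slider/index/render,https://example.invalid/advisory-1,
?,,/quickview/ajax/load,Researcher Name,
"""

# Constructed access-log lines in Apache/nginx combined format, with
# documentation-range client addresses and the request payloads redacted.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Jan/2019:16:44:21 +0000] "GET /index.php/gift/cart/add/?data=REDACTED HTTP/1.1" 403 2988 "-" "Mozilla/5.0"
192.0.2.10 - - [05/Jan/2019:16:44:22 +0000] "GET /catalog/product/view/id/12 HTTP/1.1" 200 15123 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Jan/2019:18:23:37 +0000] "POST /slider/index/render HTTP/1.1" 200 31 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Jan/2019:18:23:38 +0000] "GET /gift/cart/remove HTTP/1.1" 200 31 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Jan/2019:18:23:39 +0000] "GET /quickview/ajax/load?id=1 HTTP/1.1" 404 0 "-" "Mozilla/5.0"
this line is not in combined log format and is skipped
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)


def load_uri_index(csv_text):
    """Flatten the ';'-separated URI column into (fragment, module) pairs."""
    index = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for frag in (row.get("uri") or "").split(";"):
            frag = frag.strip().lower()
            if frag:
                index.append((frag, row["module"]))
    return index


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("target").split("?", 1)[0].lower()  # the query string is not part of the route
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
            "path": path, "status": int(m.group("status"))}


def find_probes(log_text, index):
    """Return every parsable request whose path contains a known vulnerable URI."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for frag, module in index:
            if frag in rec["path"]:
                # A 2xx/3xx answer means the request reached the module; those
                # deserve attention first. 403/404 were blocked or not present.
                hits.append({**rec, "module": module, "uri": frag,
                             "served": rec["status"] < 400})
                break
    return hits


def by_client(hits):
    """Map each client address to the sorted list of modules it probed."""
    out = {}
    for h in hits:
        out.setdefault(h["ip"], set()).add(h["module"])
    return {ip: sorted(mods) for ip, mods in out.items()}


if __name__ == "__main__":
    for h in find_probes(SAMPLE_LOG, load_uri_index(SAMPLE_CSV)):
        flag = "SERVED " if h["served"] else "blocked"
        print(f'{flag} {h["ip"]} {h["ts"]} {h["method"]} {h["path"]} -> {h["module"]}')
```

Matching is a case-insensitive substring test on the path because Magento routes are reached both as /module/controller/action and as /index.php/module/controller/action; the query string is dropped before matching so payload variations do not affect detection. Hits against a "?" row are still worth reporting: they show the probe pattern is active even before the module behind it is identified.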

What if there are multiple relevant URLs?

Separate them with a ";"

What if a module does not have version numbers?

Use the date of the fix in YYYY-MM-DD notation.

What if the vendor provides a fix but does not update the version number?

Some Magento 1 modules, such as Mirasvit (discussion) do not use the standard version numbering, so vulnerable versions cannot be automatically detected. To eliminate false alarms, all such modules are prefixed with an underscore, so the automatic module parser will not recognize them. It is suboptimal but better than not storing information at all.

Acknowledgements

These Magento/security professionals have contributed valuable research and code:

  • Ryan Hoerr - ParadoxLabs
  • Peter O'Callaghan
  • Max Chadwick - Something Digital
  • Jeroen Vermeulen - MageHost.pro
  • Roland Walraven - MageHost.pro
  • Martin Pachol - MageMojo
  • Jisse Reitsma - Yireo
  • Niko Granö - Lamia.fi
  • Martien Mortiaux - AlterWeb.nl

License

The information and code of this repository is provided free of charge, without warranty or assumed liability of any kind. Merchants and development agencies are free to use this data to assess their own stores. It is not allowed to use or include this data in commercial products or offerings.

Contact

[email protected]

magevulndb's People

Contributors

0x10f2c, alterweb, danslo, dekeeu, fnogatz, gwillem, hostep, ikk0, itmsenior, jeroenboersma, jeroenvermeulen, jissereitsma, jonashrem, jspanjerberg, kalpmehta, mpchadwick, mzeis, nikograno, rhoerr, roger-keulen, rolandwalraven, sprankhub, tdgroot, vdloo


magevulndb's Issues

How to mark "Potential vulnerable module found" as safe?

When magevulndb marks an extension as potentially unsafe:

Potential vulnerable module found: Foo_Bar
Matched by route: This may be a false positive where your installed module
shares it with a vulnerable module, but it should be investigated further.
Please contribute info about the module to MageVulnDb if it is relevant.

And this is a false positive, and the module is project specific (i.e. there is value to add it to MageVulnDb), how can I mark the module as safe so that our build passes?

MW_FreeGift

MW_FreeGift v3.3.3.7 for Magento 1 has a (most likely) unserialize vulnerability that is actually being exploited in the wild. I could not find a vendor provided changelog. The vendor also offers a version for Magento 2, its security status is unknown.

// MW/FreeGift/controllers/CartController.php
$params = unserialize(base64_decode($this->getRequest()->getPost('data')));

Multi branch version support

As discussed here. Some extensions release multiple branches, our data format currently doesn't support non-sequential security classification. #92

More POI probes

185.198.56.4 - [05/Jan/2019:16:44:21 +0000] "GET /customerconnect/rfqs/configureproduct/?options=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 HTTP/1.1" 403 2988 "" ""
185.198.56.4 - [06/Jan/2019:17:16:07 +0000] "GET /vendors/credit/withdraw/review/?data=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 HTTP/1.1" 403 2988 "" ""
109.237.138.20 - [06/Jan/2019:18:23:37 +0000] "GET /comm/returns/configureproduct/?options=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 HTTP/1.1" 403 2988 "" ""

Pixlogix_Flexibleforms

FYI we found malicious PHP code in the media/flexibleforms/files/ on two separate installs, one running 2.0.1 (M2) and one running 0.5.0. Should look into the vuln and affected versions (cannot tell if 2.0.1 was compromised or an older version).

Edit: we contacted the vendor last month but they did not reply

LS Retail Magento 2 `lsretailomni/lsmag-two` uncontrolled filesystem access

Long-term issue in LS Retail extension:

https://github.com/lsretailomni/lsmag-two/blob/cb6e8013c1acf8e88d25c6659c7a4570f04c2017/src/Replication/Controller/Adminhtml/Logs/Report.php#L96-L112

Fixed in the 2.3.0 version (lsretailomni/lsmag-two@02f373a) but all the versions below are vulnerable. Any Administrator can access not only /etc/passwd, but also app/etc/env.php or even remove it!

Exploit

As a result, with a modified URL, you can display env.php or Server’s /etc/passwd (?log_filename=../../app/etc/env.php) and remove its contents (?log_filename=../../app/etc/env.php&submission=Clear).

LS Retail Magento 2 `lsretailomni/lsmag-two` - no rate limiting

No request quantity validation for Customer-related operations (requests). Magento limits the number of “Password Reset” requests. The mechanism was not introduced in the LS_Customer module, which overrides the Password Reset process entirely.

https://github.com/lsretailomni/lsmag-two/blob/master/src/Customer/Controller/Account/ForgotPasswordPost.php

Solution for LS

\Magento\Security\Model\PasswordResetRequestEvent is implemented; implement it in the LS module accordingly.

Need PoC for Sendinblue Magento1 vulnerability

Observed attack placing backdoor via /sendinblue/ajax/ajaxupdate/. Version of plugin: 1.1.9
No direct RCE (eval/unserialize) was found in the plugin's code. Perhaps the plugin acts as a gateway to an M1 vuln?

{"time":"2022-07-18T13:29:40+00:00", "remote_addr":"217.170.207.111", "remote_user":"", "host":"REDACTED", "request":"POST /sendinblue/ajax/ajaxupdate/ HTTP/1.1", "status":"200", "body_bytes_sent":"31", "referer":"", "user_agent":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36", "request_time":"0.463", "handler":"phpfpm", "country":"NO", "port":"443", "ssl_cipher":"TLS_AES_256_GCM_SHA384", "ssl_protocol":"TLSv1.3"}

{"time":"2022-07-18T13:29:40+00:00", "remote_addr":"217.170.207.111", "remote_user":"", "host":"REDACTED", "request":"GET /api_1.php HTTP/1.1", "status":"200", "body_bytes_sent":"37", "referer":"", "user_agent":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36", "request_time":"0.002", "handler":"phpfpm", "country":"NO", "port":"443", "ssl_cipher":"TLS_AES_256_GCM_SHA384", "ssl_protocol":"TLSv1.3"}

AW_Blog

@pocallaghan reported POI probes for the aw_blog/block/render URI.

There already is an AW_Blog entry for a SQLi vuln that was discovered some years ago.

Todo:

  • figure out whether a fixed version exists

Script for Magento 2 without Magerun

Currently you cannot analyze Magento 2 without Magerun. Creating script for this purpose might help in environments, where usage of Magerun is not possible.

I will be working on this.

"No magerun installed?" oneliner from README.php is not working in Bash

See: https://github.com/gwillem/magevulndb#no-magerun-installed

This does not work in Bash.
The PHP code is between "double quotes", so Bash will replace all $variables by the value of the variable in Bash, or by nothing if not defined.

Example:

/path/to/httpdocs$ php -r "require_once('app/Mage.php');Mage::app();$config=Mage::getConfig()->getNode()->modules;$found=array();$list=fopen('https://raw.githubusercontent.com/gwillem/magevulndb/master/magento1-vulnerable-extensions.csv','r');while($list&&list($name,$version)=list($row['module'],$row['fixed_in'],,$row['reference'],$row['update'])=fgetcsv($list)){if(isset($name,$version,$config->{$name},$config->{$name}->version)&&(empty($version)||version_compare($config->{$name}->version,$version,'<'))){$found[]=$row;}}if($found){echo 'Found possible vulnerable modules: '.print_r($found,1);}else{echo 'No known vulnerable modules detected.';}"
PHP Parse error:  syntax error, unexpected '=', expecting end of file in Command line code on line 1

Parse error: syntax error, unexpected '=', expecting end of file in Command line code on line 1

PHP complains here because $config is removed so the remaining statement is =Mage::getConfig()->getNode()->modules;

New, unidentified probes

Probably a load more vulnerable extensions, should figure out what they are. All requested by 185.254.120.74 (LT), 185.153.197.28 (RU), 185.176.27.162 (BG) and 84.54.36.12 (NL, Worldstream).

They hit 404 on this particular site, so cannot tell what they were looking for.

User agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0

/advancednewsletter/index/test
/advancedreviews/Product/post/
/ajaxreviews/index/getReviews/
/autocompleteplus/Products/checkinstall
/blog/2013/04/09/spring-2013-market-price-check-ipod-touch-4th-generation/
/brand/
/bulk/kit-iphone-6-small-parts
/careers.html
/clearance/clearance-tools/gtool/icorner/gtool-icorner-corner-tool-head-set-for-ipod-touch-5-gh1225-strong-font-color-ed1d24-new-font-strong
/clnews
/consultants/
/donate/donation
/econt/ajax/street
//.env
/freight/index/row
//helper/constants.js
/index.php/abandonedorder/index/key/
/index.php/adjcartalert/adminhtml_cartalert/index/key/
/index.php/admin_awautorelated/adminhtml_blocksgrid/
/index.php/admin_reviewcomment/adminhtml_reviewcomment/
/index.php/adminseoslider/adminhtml_seoslider/index/key/
/index.php/admin_shipment/adminhtml_shipmentbackend/index/
/index.php/advancednewsletter/adminhtml_automanagement/index/key/
/index.php/advancedreports/adminhtml_advancedreports/
/index.php/advancedreports_admin/standardsales/
/index.php/advancedreviews_admin/adminhtml_abuse/index/
/index.php/AdvancedStock_Misc/MassStockEditor/key/
/index.php/AdvancedStock/Products/Grid/
/index.php/affiliate/adminhtml_affiliatewithdrawnpending/
/index.php/auction/adminhtml_auction/index/
/index.php/awall_admin/additional/index/
/index.php/awcore/viewlog/index/
/index.php/bc_en/rss/order/new/
/index.php/blog/index/list/tag/
/index.php/brand/adminhtml_brand/index/
/index.php/ecc/admin/index/
/index.php/everypay/everypay/callback?orderNoField=asdas&nonce=*&order_reference=huyvam&hmac=2064bf1399b38edf62f71b671b3bf961b71c9a3a&api_username=
/index.php/ExtensionConflict/Admin/List/index/
/index.php/fancycheckout/Instantcheckout/showinstantcheckoutfirst?isAjax=1
/index.php/faq/adminhtml_faq/index/
/index.php/faq/adminhtml_faq_list/index/
/index.php/faq/index/result/?cat_id=2&keyword=1
/index.php/faqs/adminhtml_categories/index/key/
/index.php/forum/adminhtml_forumbackend/index/
/index.php/freetextsearch/search/result?keyword=1
/index.php/galleryvideo/index?gallery=1*
/index.php/giftlist/adminhtml_manageList/index/
/index.php/inquiry/adminhtml_inquiry/index/
/index.php/InventorySold/index/key/
/index.php/M2ePro/adminhtml_common_listing/index/
/index.php/M2ePro/adminhtml_ebay_listing/
/index.php/marketplace/adminhtml_seller/index/
/index.php/megamenu/adminhtml_menugroup/index/
/index.php/offinews/adminhtml_category/index/
/index.php/Organizer/Task/List/
/index.php/productattachments/adminhtml_productattachments/index/key/
/index.php/productquestions/adminhtml_answers/index/
/index.php/questionanswer/adminhtml_questionanswer/index/
/index.php/quickshop/adminhtml_quickshop/index/
/index.php/Scanner/index/index/
/index.php/Scanner_index/index/key/
/index.php/storelocator/adminhtml_storelocator/index/
/index.php/ticketsystem/adminhtml_ticketsystem/index/
/index.php/UrlRedirector/Admin/Grid/
/index.php/webforms/index/iframe/
/intl/authors
/js/advancednewsletter/advancednewsletter.js
/js/advancedreviews/ajax-reviews.js
/js/em_layerednavigation/slider.js
/js/magestore/auction.php
/komfortkasse/main?action=init&o=1&accesscode=1&store_id=1&test=2&accesscode_hash=c4ca4238a0b923820dcc509a6f75849b&testBase64Enc=Q2FuIHlvdSBoZWFyIG1lPw==
/mobileassistant/index/testModule
/order/trackorder
/outofstocknotification
/process/licenselookup.php
/productquestions/adminhtml_answers/index/
/psp-playstation-portable-battery-cover
/questionanswer/adminhtml_questionanswer/index/
/recommender/index/orderitem/
/securepay/sfdirectpost/start
/skin/frontend/base/default/advancedreviews/css/advancedreviews.css
/skin/frontend/base/default/Loginradius/Sociallogin/js/LoginRadiusSDK.js
/skin/frontend/default/default/sns/quickview/css/quickview.css
/skin/frontend/default/default/sns/quickview/js/quickview.js
/skin/frontend/enterprise/default/css/aw_zblocks.css
/storelocator/index/
/storelocator/index/loadstore/
/testimonials/index
/index.php/magenotification/adminhtml_feedback/index/
/index.php/affiliateplusadmin/adminhtml_banner/index/key/

Confirm Amasty M2 module tags

Following #41:

We need to confirm several module tags on the M2 list:

  • Amasty_Adminbookmarks
  • Amasty_GeoipRedirect
  • Amasty_Storeswitcher

Case sensitive, must be exactly correct.

Amasty_PAction Maybe CWE-89?

I'm honestly lost with this and because of that I'm requesting help. Please review this and tell me your thoughts. I kinda need another pair of eyes to take a look. (I can share module code privately for inspection if requested.)

So, possible CWE-89 here.

At a quick look this code looked like there is for sure an injection. However, the first and second parameters for sprintf are safe, because those are not user input. However, the third parameter is taken from the request.

// Amasty_Paction_Adminhtml_AmpactionController
public function doAction()
{
    $productIds  = $this->getRequest()->getParam('product');  // Please notice this.
    $val         = $this->getRequest()->getParam('ampaction_value');
    $dateFrom    = $this->getRequest()->getParam('ampaction_from');
    $dateTo      = $this->getRequest()->getParam('ampaction_to');
    $commandType = trim($this->getRequest()->getParam('command'));
    $storeId     = (int)$this->getRequest()->getParam('store', 0);
    $enhanced    = $this->getRequest()->getParam('enhanced', 0);

    if (Mage::getSingleton('admin/session')->isAllowed('catalog/products/mass_product_actions/' . $commandType)) {
        if (is_array($val)) {
            $val = implode(',', $val);
        } elseif ('appendtext' !== $commandType) {
            $val = trim($val);
        }

        try {
            $command = Amasty_Paction_Model_Command_Abstract::factory($commandType, $dateFrom, $dateTo);
            $success = $command->execute($productIds, $storeId, $val); // Vulnerable code is called here!

            if ($success) {...}
            foreach ($command->getErrors() as $err) {...}
        } catch (Exception $e) {
            ...
        }
    } else {
        $this->_getSession()->addError($this->__('Access denied.'));
    }

    if ($enhanced) {...} else {...}

    return $this;
}

In the above code, please notice lines 4 and 21. On line 4 we fetch product ids as an array of ids. We pass this on line 21 to the execute function.

So, what happens in the function is the problematic thing. As said before, the first and second parameter is fine in the sprintf function, but the third one, well, we just implode this array to a comma separated list without escaping or binding params! Let's see the whole problematic script.

// Amasty_Paction_Model_Command_Replacetext
// Starting from line 82.
if ($backendType == 'static') {
    $set = '';
    foreach ($attrIds as $attrId => $attrName) {
        $set .= sprintf(
            '`%s` = REPLACE(`%s`, %s, %s)', $attrName,
            $attrName, $db->quote($searchReplace['search']),
            $db->quote($searchReplace['replace'])
        );
    }
    $sql = sprintf('UPDATE %scatalog_product_entity
                  SET %s
                  WHERE entity_id IN(%s)
                    AND entity_type_id = %d',
        Mage::getConfig()->getTablePrefix(), $set, implode(',', $ids), // <==
        $entityTypeId
    );
} else {
    $sql = sprintf('UPDATE %scatalog_product_entity_%s
                  SET `%s` = REPLACE(`%s`, %s, %s)
                  WHERE attribute_id IN (%s)
                    AND entity_id IN(%s)
                    AND entity_type_id = %d
                    AND store_id=%d',
        Mage::getConfig()->getTablePrefix(), $backendType, self::REPLACE_FIELD, self::REPLACE_FIELD,
        $db->quote($searchReplace['search']), $db->quote($searchReplace['replace']), // <==
        implode(',', array_keys($attrIds)), implode(',', $ids), // <==
        $entityTypeId, $storeId
    );
}
$db->query($sql);

However, here I see %d is used instead of %s, which means that it is not possible to inject. On the other hand I saw the following on the php official site here.


So is my theory about having an injection crushed, and is quote safe to use, or should binding be used? And yes, I would say bound params should be used, but should the quote be classified as a security flaw?

n98-magerun module?

@rhoerr used this for his JSON files, we'll only need to parse CSV files and turn it into a magerun plugin.

<?php
require_once("app/Mage.php");
Mage::app();

$c = Mage::getConfig()->getNode()->modules;
$v = json_decode(file_get_contents("https://something.example.com/magento-vuln-extensions/m1-list.json"),1);
$f = array();
foreach ($v as $m) {
	if (isset($c->{$m["module"]}, $c->{$m["module"]}->version)) {
		$i = $c->{$m["module"]}->version;
		if ((empty($m["fixed_in"]) || version_compare($i, $m["fixed_in"], "<"))
			&& (empty($m["version_from"]) || version_compare($i, $m["version_from"], ">="))) {
			$f[] = $m;
		}
	}
}

if ($f) {
	echo "Found potentially vulnerable modules: ".print_r($f,1);
} else {
	echo "No known vulnerable modules detected.\n";
}

WF_CustomerBalance admin Javascript could be hijacked

@damienwebdev discovered that the Magento1 module WF_CustomerBalance serves admin pages with embedded Javascript from https://www.magecredit.com/ext/magento/magecredit.js. However, the vendor (Magecredit) let magecredit.com expire, and an unknown third party has registered the domain name on Oct 10th, 2021.

Domain Name: MageCredit.com
Creation Date: 2021-11-10T19:28:52.000Z
Registrant Name: chao hai fu
Registrant Organization: fu chao hai
Registrant Street: yan he, hei shui xiang, jian quan cun, fu jia
Registrant City: tong ren shi
Registrant State/Province: gui zhou
Registrant Postal Code: 565300
Registrant Country: CN
Registrant Phone: +86.13251797572
Registrant Email: [email protected]

The URL currently does not serve any code, however this may change in the future, or the site may serve code conditionally (based on referring site or requesting client). Because the Javascript is embedded in the Magento backend, the current owner of the magecredit.com domain effectively has full admin access to all Magento stores running this module.

We recommend uninstalling this module. Alternatively, one can delete all references to the affected domain name, such as this:

// app/code/community/Wf/CustomerBalance/Helper/Data.php
public function getMUrl()
{
    return "https://www.magecredit.com/ext/magento/magecredit.js";
}

Question: How to verify "Potential vulnerable module" is vulnerable?

I got

Potential vulnerable module found: Glace_Freegift
Matched by route: This may be a false positive where your installed module
shares it with a vulnerable module, but it should be investigated further.
Please contribute info about the module to MageVulnDb if it is relevant.
Route:      freegift
Looks Like: /freegift/cart/gurlgift/
Module:     Glace_Freegift
Installed:  0.2.1
Credit:     https://gwillem.gitlab.io/2018/10/23/magecart-extension-0days/

But how could I verify that this module is exactly the vulnerable module you expect?

Vulnerable module Excellence_Ajax

When I was using the (amazing!) security module by @gwillem I found a vulnerable module that isn't on the list yet. I don't know if I am supposed to report it here, but while I am at it I might as well ;P.
Here is the vulnerable module:

After some digging I found the module.

Where in that article it links to this GitHub repo, so I thought, maybe there is an updated version, but there is not yet, or at least I can't find it.

I'll do some more digging to see if I can find a fix.
