Adobe Commerce, a popular e-commerce platform, has been found to have a critical vulnerability, CVE-2024-39397, affecting versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier. The vulnerability is an Unrestricted Upload of File with Dangerous Type, which could allow an attacker to execute arbitrary code on the server.

In CVSS terms, exploitation of this issue does not require user interaction, but the attack complexity is rated high and the scope is changed. This means that although the vulnerability can be triggered without involving a user, the attacker must meet conditions that make a successful exploit harder in some cases, and a successful exploit can affect resources beyond the vulnerable component itself.

A successful exploit of this vulnerability could potentially have severe consequences, allowing an attacker to compromise server-side components, disrupt site functionality, and potentially gain unauthorized access to protected data.

Original References

- Adobe Security Bulletin APSB21-57
- NIST National Vulnerability Database
- MITRE CVE Entry

Technical Details

The vulnerability lies in the way Adobe Commerce handles the upload of files. Specifically, it does not properly validate the type of file being uploaded, which makes it possible for an attacker to upload a malicious file containing executable code. Once the file is uploaded, it can be triggered to execute on the server, potentially leading to arbitrary code execution.

Here is a simplified code snippet that demonstrates the issue:

<?php
# Vulnerable code snippet (upload.php), simplified for illustration
$target_dir  = '/var/www/html/uploads/'; // Assumed web-accessible directory the file lands in
$allowed_ext = array('png', 'jpg', 'jpeg', 'gif', 'pdf'); // Allowed file extensions
$upload_ext  = pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION); // Extension taken from the client-supplied name only

if (in_array($upload_ext, $allowed_ext)) { // Only the final extension is checked, and only by name
    // The client-supplied filename is reused verbatim, so "x.php.png" is stored as-is
    move_uploaded_file($_FILES['file']['tmp_name'], $target_dir . $_FILES['file']['name']);
} else {
    echo 'Invalid file type.'; // This code path should be improved to prevent the exploitation
}

In the above example, an attacker could craft a malicious file that carries an executable extension (e.g., .php) but append an allowed one to bypass the extension check (e.g., .php.png). pathinfo() returns only the final extension, png, which is in the allow-list, so the file is accepted as a valid image and stored under its original name, without the server realizing it is actually a PHP file containing malicious code.
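A defender who inherits a site built around code like the snippet above will want to know whether the double-extension trick has already been used against its upload directory. The following audit script is an added example written for this page; it is not part of the page's snippet or of Adobe Commerce. It walks a directory read-only and flags three things: an executable extension hidden before the final dot, content whose magic bytes do not match the claimed image or PDF extension, and a PHP open tag anywhere in the first 64 KiB. The sample files it creates in a temporary directory are constructed here so the script runs stand-alone; the extension list and the directory layout are assumptions.

```php
<?php
// Added example (not from the page or Adobe): read-only audit of an upload directory
// for artefacts of the double-extension upload described above.
declare(strict_types=1);

// Extensions a PHP-capable web server may hand to the interpreter (assumed list).
const EXECUTABLE_EXTS = ['php', 'phtml', 'phar', 'php3', 'php5', 'php7', 'phps'];
// MIME type the bytes must have for each extension the upload form allows.
const EXPECTED_MIME = [
    'png' => 'image/png', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'gif' => 'image/gif', 'pdf' => 'application/pdf',
];

/** Return the reasons a file looks suspicious; an empty array means nothing was found. */
function auditFile(string $path): array
{
    $reasons = [];
    $parts = explode('.', strtolower(basename($path)));
    array_shift($parts);                          // drop the base name, keep every extension
    $last = array_pop($parts) ?? '';              // the extension the name-based check saw

    foreach ($parts as $inner) {                  // e.g. "php" in "report.php.png"
        if (in_array($inner, EXECUTABLE_EXTS, true)) {
            $reasons[] = "executable inner extension .$inner";
        }
    }
    if (in_array($last, EXECUTABLE_EXTS, true)) {
        $reasons[] = "executable extension .$last";
    }

    // Check the bytes, not the name: libmagic reads the file signature.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if (isset(EXPECTED_MIME[$last]) && $detected !== EXPECTED_MIME[$last]) {
        $reasons[] = "content is $detected, not " . EXPECTED_MIME[$last];
    }

    // A valid image header does not rule out PHP appended after it, so scan for a tag too.
    $head = file_get_contents($path, false, null, 0, 65536);
    if ($head !== false && preg_match('/<\?(php|=)/i', $head)) {
        $reasons[] = 'contains a PHP open tag';
    }
    return $reasons;
}

/** Walk $dir recursively; return [path => reasons] for every flagged file. */
function auditDirectory(string $dir): array
{
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->isFile()) {
            $reasons = auditFile($file->getPathname());
            if ($reasons !== []) {
                $findings[$file->getPathname()] = $reasons;
            }
        }
    }
    return $findings;
}

// Constructed sample directory so the script runs stand-alone (not real site data).
$dir = sys_get_temp_dir() . '/upload-audit-' . bin2hex(random_bytes(4));
mkdir($dir);
$pngSig = "\x89PNG\r\n\x1a\n";
file_put_contents("$dir/clean.png", $pngSig . str_repeat("\0", 16));        // genuine PNG header
file_put_contents("$dir/report.php.png", $pngSig . "<?php echo 1; ?>");    // double extension + tag
file_put_contents("$dir/logo.gif", "<?php echo 'x'; ?>");                 // name says GIF, bytes say PHP

foreach (auditDirectory($dir) as $path => $reasons) {
    echo basename($path), ': ', implode('; ', $reasons), PHP_EOL;
}

// Clean up the constructed samples.
foreach (glob("$dir/*") as $f) {
    unlink($f);
}
rmdir($dir);
```

Run it with the PHP CLI and point `auditDirectory()` at the real media directory instead of the constructed one. Note that `report.php.png` passes the magic-byte check because it begins with a genuine PNG signature; only the inner-extension and open-tag checks catch it, which is why a name-only or content-only check is not enough on its own.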

Exploit Details

By exploiting this vulnerability, an attacker can gain arbitrary code execution on the server, which could have a range of consequences depending on the server's configuration and the privileges granted to the user executing the code. In the worst-case scenario, an attacker might be able to gain complete control of the server, modify or delete files, access sensitive data, or even move laterally to other systems on the server's network.

The potential methods an attacker can use include, but are not limited to, social engineering, phishing, or other means of inducing a user to upload a malicious file to the affected server.

Mitigation and Patching

To address this critical vulnerability, Adobe has released a security patch. It is highly recommended that users of the affected versions of Adobe Commerce update to the latest version or apply the security patch provided by Adobe immediately.

To download the latest version or access the security patch, please visit the Adobe Security Bulletin APSB21-57.

In addition to applying the patch, it is essential to follow secure coding practices and conduct thorough security reviews regularly. Some suggestions to prevent unrestricted file uploads include:

- Implement additional security measures such as file size limits and user authentication.
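The hardened handler below is an added example for this page, not code from Adobe Commerce or from the page's own snippet; it shows one way to close the gaps in the vulnerable upload.php above and to apply the size-limit suggestion in the list. It assumes the upload field is named `file`, that `/var/www/uploads` exists and is served with script execution disabled, and that the fileinfo extension is available. Four controls are layered: a case-insensitive allow-list, a rejection of names with more than one dot, a magic-byte check of the actual content, and a server-chosen random filename so the client-supplied name is never written to disk.

```php
<?php
// Added example (not from the page or Adobe): hardened upload handler.
declare(strict_types=1);

// Allow-list keyed by extension, mapping to the MIME type the *bytes* must have.
const ALLOWED_TYPES = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'pdf'  => 'application/pdf',
];
const MAX_UPLOAD_BYTES = 5 * 1024 * 1024;   // assumed size limit (5 MiB)
const UPLOAD_DIR = '/var/www/uploads';      // assumed directory; must not execute scripts

/**
 * Validate an upload and return the extension it may be stored under, or null if rejected.
 * $name is the client-supplied filename and $tmpPath the temporary file PHP wrote.
 */
function validateUpload(string $name, string $tmpPath, int $size): ?string
{
    if ($size <= 0 || $size > MAX_UPLOAD_BYTES) {
        return null;                                        // size limit
    }
    // Exactly one dot in the name: "x.php.png" is refused outright, whatever the
    // web server would do with a multi-extension filename.
    $base = basename($name);
    if (substr_count($base, '.') !== 1) {
        return null;
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION)); // case-insensitive: ".PNG" == ".png"
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return null;                                        // not on the allow-list
    }
    // Check what the file *is*, not what it is called.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($detected !== ALLOWED_TYPES[$ext]) {
        return null;                                        // bytes do not match the claimed type
    }
    return $ext;
}

/** Store the file under a random server-chosen name and return the final path. */
function storeUpload(string $tmpPath, string $ext): string
{
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($tmpPath, $dest)) {             // also verifies it really was uploaded
        throw new RuntimeException('move_uploaded_file failed');
    }
    chmod($dest, 0644);                                     // readable, never executable
    return $dest;
}

// Request handling for the assumed form field 'file'.
if (isset($_FILES['file']) && $_FILES['file']['error'] === UPLOAD_ERR_OK) {
    $ext = validateUpload(
        $_FILES['file']['name'],
        $_FILES['file']['tmp_name'],
        (int) $_FILES['file']['size']
    );
    if ($ext === null) {
        http_response_code(400);
        echo 'Invalid file type.';
    } else {
        storeUpload($_FILES['file']['tmp_name'], $ext);
        http_response_code(201);
        echo 'Upload stored.';
    }
}
```

The magic-byte check does not defeat a polyglot (a real GIF with PHP appended still reports `image/gif`), which is why the random rename and the non-executing upload directory are the controls that actually prevent code execution; the allow-list and content check mainly keep junk out. The one-dot rule also rejects names such as `my.photo.png`, which is acceptable because the client name is discarded anyway.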

Stay vigilant and ensure your Adobe Commerce installation remains secure by timely applying all patches and security updates.

Timeline

Published on: 08/14/2024 12:15:24 UTC
Last modified on: 08/14/2024 14:46:52 UTC