Inactive Instrument

Fortinet Nasdaq

US34959E1091

Fortinet : Magento Commerce Widget Form (Core) XSS Vulnerability

January 07, 2019 at 05:14 pm

Threat Analysis Report from FortiGuard Labs

While e-commerce gives us a more convenient life, it is currently facing a growing number of threats all across the internet. According to the Alexa top 1M e-commerce platforms for 2018, the e-commerce platform Magento Commerce currently enjoys more than a 14% market share, making it the second largest e-commerce platform in the world. Magento's customers include some highly recognizable companies, including HP, Coca-Cola, and Canon.

The FortiGuard Labs team recently discovered a Cross-Site Scripting (XSS) vulnerability in Magento. This XSS vulnerability is caused by Magento failing to sanitize user-supplied data before inserting it into a dynamically generated widget form. While this XSS vulnerability only exists on the Magento Administrator's page, it could allow a remote attacker to execute arbitrary code on a victim's browser and then gain control of Magento high-privilege accounts to access sensitive data or take control of the vulnerable web sites.

This XSS vulnerability affects Magento Commerce 2.1 prior to 2.1.16, Magento Commerce 2.2 prior to 2.2.7.

Analysis

When editing a Magento site page, there are two modes: WYSIWYG Mode and HTML Mode. In the WYSIWYG Mode, one of the buttons is called 'Insert Widget…'(see Figure 1). Figure 2 shows that we can directly call the Insert Widget function's form by accessing the link http://IP/magento/index.php/admin/admin/widget/index/ .

Figure 1. The Insert Widget function in WYSIWYG Mode

Figure 2. Directly accessing the Insert Widget function form

The form in Figure 2 is generated by a php function in Widget.php, which is located at /vendor/magento/module-widget/Block/Adminhtml/Widget.php (GitHub link). It processes the user-supplied URL, filters the value of the parameter 'widget_target_id', and inserts it into a script tag, as shown in Figure 3. For example, when we access the link http://IP/magento/index.php/admin/admin/widget/index/widget_target_id/yzy9952, the value of widget_target_id will be inserted into the script tag, as shown in Figure 4.

Figure 3. Widget.php generating the form script tag

Figure 4. The form script tag generated by Widget.php

This function only sanitizes the user-supplied data by closing it with a symbol, such as ''', '}' and ';'. However, this process can be easily bypassed by adding another set of symbols to close the current function, such as ')});', and commenting out all the following codes by adding a HTML comment tag '

Attachments

Original document
Permalink

Disclaimer

Fortinet Inc. published this content on 07 January 2019 and is solely responsible for the information contained herein. Distributed by Public, unedited and unaltered, on 07 January 2019 17:13:04 UTC

Latest news about Fortinet

Morgan Stanley Adjusts Fortinet's Price Target to $69 From $73	07-17	MT
Google to Become Cloud Security Leader With Potential Wiz Deal, Oppenheimer Says	07-15	MT
Barclays Adjusts Price Target on Fortinet to $70 From $75, Maintains Equalweight Rating	07-11	MT
Capital One Securities Adjusts Fortinet's Price Target to $63 From $65, Keeps Equalweight Rating	07-11	MT
KDDI Selects Fortinet for New Global Managed SASE Service	07-10	CI
Fortinet, Inc.(NasdaqGS:FTNT) added to Russell Top 200 Value Index	06-30	CI
Fortinet, Inc.(NasdaqGS:FTNT) added to Russell 3000 Value Index	06-30	CI
Fortinet, Inc.(NasdaqGS:FTNT) added to Russell 1000 Value Index	06-30	CI
Fortinet, Inc.(NasdaqGS:FTNT) added to Russell 3000E Value Index	06-30	CI
Cloud Computing Adoption Spurs Cybersecurity Risks, Driving Growth for Cloud-Native Application Protection Platform Market, BofA Says	06-26	MT
Fortinet Insider Sold Shares Worth $2,903,577, According to a Recent SEC Filing	06-13	MT
Fortinet Agrees to Acquire Cloud Security Firm Lacework	06-10	MT
Fortinet, Inc. signed a definitive agreement to acquire Lacework, Inc.	06-09	CI
Fortinet Insider Sold Shares Worth $3,428,621, According to a Recent SEC Filing	06-06	MT
Transcript : Fortinet, Inc. Presents at BofA Securities 2024 Global Technology Conference, Jun-05-2024 10:40 AM	06-05
Nvidia Isn't the Only Way to Play AI	05-31	MT
Nvidia Isn't the Only Way to Play AI	05-31	MT
Fortinet Picked by FC Barcelona as Cybersecurity Partner for Future Camp Nou	05-23	MT
FC Barcelona Selects Fortinet as Its Official Cybersecurity Partner for the Future Spotify Camp Nou	05-23	CI
Transcript : Fortinet, Inc. Presents at The 52nd J.P. Morgan Annual Global Technology, Media & Communications Conference, May-21-2024 10:50 AM	05-21
The latest transactions by star managers	05-21
Fortinet Insider Sold Shares Worth $2,932,562, According to a Recent SEC Filing	05-16	MT
Daiwa Securities Adjusts Fortinet Price Target to $67 From $75	05-07	MT
Tranche Update on Fortinet, Inc.'s Equity Buyback Plan announced on January 28, 2016.	05-06	CI
Susquehanna Adjusts Price Target on Fortinet to $65 From $80	05-06	MT

Chart Fortinet

Duration

Period

More charts

Company Profile

Fortinet, Inc. specializes in the creation, development and marketing of integrated cybersecurity software and equipment for the protection of networks and information systems infrastructures as well as for the protection of company and government data. Net sales break down by revenue source into sales of services (59.7%) and products (40.3%). Net sales are distributed geographically as follows: the United States (30%), Americas (10.4%), Europe/Middle East/Africa (38.3%) and Asia/Pacific (21.3%).

Sector

Software

Calendar

06/08/2024 - Q2 2024 Earnings Release

Related indices

S&P 500

More about the company

Sector Security Software

	1st Jan change	Capi.
CHECK POINT SOFTWARE TECHNOLOGIES LTD.	+12.30%	19.37B
GEN DIGITAL INC.	+12.97%	16.14B
CYBERARK SOFTWARE LTD.	+22.18%	11.55B
DARKTRACE PLC	+58.75%	4.83B
SANGFOR TECHNOLOGIES INC.	-32.60%	2.8B
BLACKBERRY LIMITED	-27.23%	1.48B
HANGZHOU DPTECH TECHNOLOGIES CO.,LTD.	-24.97%	966M
RADWARE LTD.	+8.63%	757M
POSITIVE GROUP	-.--%	650M

Security Software