1. Introduction
Magento Mass Importer Credentials Disclosure is a vulnerability affecting installations that use the Magento Mass Importer (Magmi) tool. It allows an attacker to read the database credentials used by Magmi, potentially leading to full compromise of the Magento instance. It affects websites that use Magmi for catalog management. A successful exploit could result in data breaches, service disruption and loss of integrity.
2. Technical Explanation
The vulnerability occurs because permissions are not properly enforced on the `magmi.ini` configuration file. An attacker who can access this file can read the database credentials stored within it. The primary exploit path involves direct access to the filesystem where Magmi is installed and reading the contents of the `magmi.ini` file.
- Root cause: Insufficient permissions on the `magmi.ini` configuration file allow unauthorized access to sensitive data.
- Exploit mechanism: An attacker accesses the `magmi.ini` file, retrieves database credentials, and uses them to connect directly to the Magento database.
- Scope: Affected systems are those running Magento with the Magmi Mass Importer installed.
3. Detection and Assessment
To confirm the vulnerability, check the file permissions on `magmi.ini`. A more thorough method is to review the web server configuration to identify which access restrictions apply to the directory containing the configuration file.
- Quick checks: Use a command like `ls -l /path/to/magmi/magmi.ini` (Linux) or check file properties in Windows Explorer to view permissions.
- Scanning: No specific scanner signatures are known for this vulnerability, but general filesystem scanning tools can identify files with overly permissive access controls.
- Logs and evidence: Review web server logs for any attempts to access the `magmi.ini` file directly.
4. Solution / Remediation Steps
The following steps fix the issue by securing the `magmi.ini` configuration file. Only apply these steps to systems using Magmi.
4.1 Preparation
- Ensure you have access to modify file permissions on the server. The rollback plan is to restore the original `magmi.ini` file from backup.
- Change windows should be planned during off-peak hours, and approved by a system administrator.
4.2 Implementation
- Step 1: Change the permissions of the `magmi.ini` file to restrict access to only the necessary user accounts (e.g., the web server user). On Linux/Unix systems, use the command `chmod 600 /path/to/magmi/magmi.ini`.
- Step 2: Verify that other users do not have read access to the file.
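As an added example (not the page's or the Magmi project's own code), the following POSIX shell script automates the quick check from section 3, the `chmod 600` fix from step 1 above and the post-fix check from section 5 for one `magmi.ini` path. It assumes a GNU (`stat -c`) or BSD (`stat -f`) `stat`, and that the file is owned by the account Magmi runs as (the web server user), since mode 600 leaves only the owner able to read it.

```shell
#!/bin/sh
# Added example, not part of Magmi: audit magmi.ini permissions, apply the
# section 4.2 fix and re-check. Assumes GNU (stat -c) or BSD (stat -f) stat.

# Print the octal mode of a file, e.g. 644.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# 0 = only the owner can access the file (no group/other bits),
# 1 = group or other bits are set, so other accounts can read the credentials,
# 2 = file missing.
check_magmi_ini_perms() {
    [ -f "$1" ] || return 2
    mode=$(file_mode "$1")
    # Mask off the group and other bits (octal 077); anything left is a finding.
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# The remediation from section 4.2 (chmod 600), followed by a re-check.
# Assumes the file is owned by the account Magmi runs as (the web server user).
remediate_magmi_ini() {
    chmod 600 "$1" && check_magmi_ini_perms "$1"
}

# Human-readable audit of one path; exit status mirrors check_magmi_ini_perms.
audit_magmi_ini() {
    if check_magmi_ini_perms "$1"; then rc=0; else rc=$?; fi
    case $rc in
        0) echo "OK: $1 is mode $(file_mode "$1")" ;;
        1) echo "FINDING: $1 is mode $(file_mode "$1"); fix with: chmod 600 $1" ;;
        2) echo "MISSING: $1" ;;
    esac
    return $rc
}

# Usage: sh magmi_ini_audit.sh /path/to/magmi/magmi.ini [--fix]
if [ $# -gt 0 ]; then
    audit_magmi_ini "$1" || { [ "${2:-}" = "--fix" ] && remediate_magmi_ini "$1" && audit_magmi_ini "$1"; }
fi
```

Without `--fix` the script only reports, exiting non-zero on a finding so it can gate a CI/CD or baseline check.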
4.3 Config or Code Example
Before
-rw-r--r-- 1 user group size date magmi.ini
After
-rw------- 1 user group size date magmi.ini
4.4 Security Practices Relevant to This Vulnerability
- Practice 1: Least privilege – grant only the minimum necessary permissions to users and processes.
- Practice 2: Secure defaults – configure systems with secure settings by default, avoiding overly permissive configurations.
4.5 Automation (Optional)
No automation is provided as this requires specific server configuration details.
5. Verification / Validation
- Post-fix check: Run `ls -l /path/to/magmi/magmi.ini` and verify permissions are set to 600 or more restrictive.
- Re-test: Attempt to read the `magmi.ini` file with a user account that should not have access. The attempt should be denied.
- Smoke test: Verify Magmi can still import products without errors.
- Monitoring: Review system logs for any failed attempts to access the `magmi.ini` file.
6. Preventive Measures and Monitoring
- Baselines: Update security baselines to include secure file permission settings for configuration files.
- Pipelines: Implement static code analysis or configuration scanning tools in CI/CD pipelines to identify overly permissive permissions.
- Asset and patch process: Review third-party tool configurations regularly as part of a vulnerability management program.
7. Risks, Side Effects, and Roll Back
- Risk or side effect 1: Incorrect file permissions could prevent Magmi from functioning correctly. Mitigation is to restore the original `magmi.ini` file from backup.
8. References and Resources
- Vendor advisory or bulletin: https://github.com/dweeves/magmi-git/
- NVD or CVE entry: No specific CVE is associated with this vulnerability, but it relates to general information disclosure risks.
- Product or platform documentation relevant to the fix: Refer to Magento’s official documentation for file permission best practices.