An open-source tool for importing content into the Magento e-commerce platform, called Magmi, has a zero-day vulnerability, according to security vendor Trustwave.
The directory traversal flaw is in some versions of Magmi, which is used to move large amounts of data into Magento’s SQL database. Such a flaw can allow access to other files or directories in a file system.
“Successful exploitation results in access to Magento site credentials and the encryption key for the database,” wrote Assi Barak, lead security researcher with Trustwave’s SpiderLabs.
Barak wrote that Trustwave has notified Magmi’s developer and Magento, which has contacted the operators of 1,700 websites that appear be vulnerable.
Magmi can be downloaded from GitHub or SourceForge, but only the version on SourceForge is vulnerable, Barak wrote.
The SourceForge version of Magmi, 0.7.21, appears to have been last updated on Dec. 2, 2014, while the GitHub version has been modified over the last month and is not vulnerable.
“While the two repositories are said to remain in sync, that doesn’t appear to be the case,” Barak wrote.
Trustwave picked up on the problem after seeing HTTP requests that looked like an exploit attempt. The structure of the requests — which included “../..” — showed “an attempt to access the Linux password file by backtracking the path.”
Trustwave’s finding suggests “that bad actors are aware of the vulnerability and how to exploit it,” Barak wrote.
The vulnerable SourceForge version was downloaded some 2,800 times in September, Barak wrote. Magmi’s SourceForge page on Tuesday showed it had been downloaded more than 500 times this week.