Magmi is a popular Magento plugin designed to perform bulk imports and updates of catalogue items in a Magento database.
According to reports, Tenable reported two vulnerabilities in the Magmi plugin to its developers in June; the developers acknowledged them in July and released a patch in August. However, the update fixed only one of the two vulnerabilities, and the other is still present today.
The remaining flaw is now tracked as CVE-2020-5777. Attackers exploit it by forcing a denial-of-service (DoS) condition on the Magento database connection.
The vulnerability allows an attacker to use the default Magmi credentials for the database whenever the database connection fails. Such a failure can be triggered by sending enough simultaneous requests to the Magento website to produce a “Too many connections” error, at which point the default database credentials are accepted.
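Because the precondition for the default-credential fallback is visible in logs, a defender can watch for it. The following Python script is an added example, not code from the article or from the Magmi project: it flags clients that burst requests at the Magmi interface and pairs that with the "Too many connections" database error. The Magmi path, the log formats and all sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Default Magmi interface location (assumption; the post advises moving it).
MAGMI_PATH = "/magmi/web/"
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)')

def _line(ip, ts, path):
    """Build a constructed combined-format access-log line."""
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'

# Constructed sample data: one client sends 40 requests to the Magmi interface
# inside one second, another sends a single request, and the application log
# records the "Too many connections" database error the post describes.
SAMPLE_ACCESS = (
    [_line("203.0.113.5", "10/Sep/2020:12:00:00 +0000", "/magmi/web/magmi.php")] * 40
    + [_line("198.51.100.7", "10/Sep/2020:12:00:03 +0000", "/magmi/web/magmi.php")]
)
SAMPLE_ERRORS = ["2020-09-10T12:00:01+00:00 CRITICAL: SQLSTATE[HY000] [1040] Too many connections"]

def magmi_bursts(lines, threshold=25, window=timedelta(seconds=10)):
    """Return {ip: peak} for clients whose requests to MAGMI_PATH exceed
    `threshold` within any `window`-long span (sliding window per client)."""
    hits = defaultdict(list)
    for line in lines:
        m = ACCESS_RE.match(line)
        if m and m.group("path").startswith(MAGMI_PATH):
            hits[m.group("ip")].append(datetime.strptime(m.group("ts"), TS_FMT))
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged

def magmi_alerts(access_lines, error_lines, threshold=25, window=timedelta(seconds=10)):
    """Pair each burst with the DB state: a burst alongside 'Too many
    connections' is the exact precondition for the default-credential fallback."""
    exhausted = any("Too many connections" in line for line in error_lines)
    return sorted((ip, peak, "db-exhausted" if exhausted else "burst-only")
                  for ip, peak in magmi_bursts(access_lines, threshold, window).items())
```

Running `magmi_alerts(SAMPLE_ACCESS, SAMPLE_ERRORS)` on the constructed data returns one tuple for 203.0.113.5 ranked `db-exhausted`; tune `threshold` and `window` to the site's normal Magmi usage before alerting on it.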
The recommendations to mitigate this vulnerability are as follows:
Only allow specific IP addresses to access the Magmi interface
Use a custom, unpredictable folder name instead of the default location so attackers cannot easily locate the web interface
Stop using the plugin and find a suitable supported alternative
The plugin's download count over the past six months indicates hundreds of installations, even though its official compatibility only extends to Magento 1.9.x, for which Adobe ended support earlier this year. A plugin with a vulnerability, on an unsupported platform; my my, how can I resist you?
"Researchers discovered multiple vulnerabilities in the MAGMI Magento plugin that could lead to remote code execution on a vulnerable Magento site."