This post was originally published here: post

 

The vulnerability CVE-2016-4010 allows an unauthenticated attacker to execute PHP code at the vulnerable Magento server and fully compromise the shop. The Israeli security expert Nethanel Rubin (@na7irub) has reported a critical flaw (CVE-2016-4010) in the eBay Magento e-commerce platform that could be exploited by hackers to completely compromise shops online. The vulnerability rated 9.8/10 has been fixed with the Magento version 2.0.6 published yesterday. The fix prevents unauthenticated user or user with minimal permissions to access the platform installation code and execute arbitrary PHP code on the server. “Magento no longer permits an unauthenticated user to remotely execute code on the server through APIs. Previously, an unauthenticated user could remotely execute PHP code on the server using either REST or SOAP APIs. (These APIs are enabled by default in most installations.)” states the company security advisory. The independent researcher Nethanel Rubin confirmed that attackers can execute arbitrary PHP code in unpatched systems exploiting several smaller flaws. “The vulnerability (CVE-2016-4010) allows an attacker to execute PHP code at the vulnerable Magento server unauthenticated. This vulnerability actually consists of many small vulnerabilities, as described further in the blog post.” reads a blog post published by Rubin . “This vulnerability works on both the Community Edition and Enterprise Edition of the system.” In his post, Rubin has detailed the attack chain explaining how the attacker can exploit the flaw in the Magento platform. The attack chain relies on REST or SOAP RPCs that are enable by default in the majority of installations. “The “API” directory is made out of different…