CVE-2015-1398
Published: 2015-04-29
Priority: P275 · medium · 6.5 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
In the wild: VulnCheck KEV (exploited in the wild)
EPSS: 14.40% (96.2th percentile)
Multiple directory traversal vulnerabilities in Magento Community Edition (CE) 1.9.1.0 and Enterprise Edition (EE) 1.14.1.0 allow remote authenticated users to include and execute certain PHP files via (1) .. (dot dot) sequences in the PATH_INFO to index.php or (2) vectors involving a block value in the ___directive parameter to the Cms_Wysiwyg controller in the Adminhtml module, related to the blockDirective function and the auto loading mechanism. NOTE: vector 2 might not cross privilege boundaries, since administrators might already have the privileges to execute code and upload files.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| magento | magento | — | — |
| magento | magento | — | — |
Detection & IOCs (extracted from sources)
- Detect directory traversal / admin controller hijacking by inspecting PATH_INFO in requests to index.php for dot-dot sequences ('..') or patterns matching 'Adminhtml_' class name segments in non-admin URL paths.
- Inspect the ___directive parameter in requests to the Cms_Wysiwyg controller (Adminhtml module) for suspicious block values, particularly PHP wrapper strings such as 'phar://' used as ScriptPath values in Magento template reflection syntax.
- For CVE-2015-1397 (chained SQLi): filter values are base64-encoded query strings; WAF rules must base64-decode the filter parameter before inspecting for SQL injection payloads, as raw inspection will miss encoded payloads.
- Vector 2 (___directive / blockDirective) may not cross privilege boundaries since administrators may already have code execution and file upload privileges; prioritize detection of vector 1 (PATH_INFO traversal) for unauthenticated/low-privilege scenarios.
- Standard WAF rules inspecting plain HTTP parameters will not detect the authentication bypass or SQL injection components of this exploit chain without Magento-specific inspection logic; generic signatures are insufficient.
- The full unauthenticated RCE requires chaining three CVEs (CVE-2015-1397, CVE-2015-1398, CVE-2015-1399); CVE-2015-1398 alone provides authentication bypass, not direct code execution.
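The three indicators above, turned into a small request inspector as an added example (not code from this page or from Magento): it checks PATH_INFO for dot-dot segments and Adminhtml_ segments outside the admin path, looks for PHP stream wrappers in ___directive, and base64-decodes the filter parameter before applying a SQLi pattern. The admin URL prefix, the wrapper list and the SQLi regex are assumptions chosen for illustration.

```python
import base64
import re
from urllib.parse import parse_qs, unquote

# Constructed detection rules for the indicators listed above. The admin URL
# prefix, the wrapper list and the SQLi pattern are assumptions, not Magento's.
ADMIN_PREFIX = "/index.php/admin"
WRAPPER_RE = re.compile(r"\b(phar|php|data|file)://", re.I)
SQLI_RE = re.compile(r"(union\s+select|sleep\s*\(|\bor\s+1\s*=\s*1|--\s|/\*)", re.I)


def decode_b64(value):
    """Return the decoded text if value is valid base64, else None."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (ValueError, TypeError):
        return None


def inspect_request(url):
    """Return the list of indicator names matched by one request URL."""
    path, _, query = url.partition("?")
    path = unquote(path)
    params = parse_qs(query)
    findings = []
    # Vector 1: dot-dot segments in the PATH_INFO behind index.php, or an
    # Adminhtml_ class-name segment reached through a non-admin path.
    if "/index.php" in path:
        segments = path.split("/index.php", 1)[1].split("/")
        if ".." in segments:
            findings.append("path_info_traversal")
        if not path.startswith(ADMIN_PREFIX) and any("Adminhtml_" in s for s in segments):
            findings.append("adminhtml_controller_via_frontend")
    # Vector 2: a ___directive block value carrying a PHP stream wrapper (raw or base64).
    for raw in params.get("___directive", []):
        if any(WRAPPER_RE.search(c) for c in (raw, decode_b64(raw) or "")):
            findings.append("directive_stream_wrapper")
    # Chained CVE-2015-1397: the filter value is base64-encoded, so decode it
    # first; matching the raw parameter would miss the payload.
    for raw in params.get("filter", []):
        if SQLI_RE.search(unquote(decode_b64(raw) or "")):
            findings.append("filter_sqli_after_b64decode")
    return findings


if __name__ == "__main__":
    # Constructed sample requests: one benign, then one per indicator.
    for sample in ("/index.php/catalog/product/view/id/12/",
                   "/index.php/..%2f..%2fsome/path/",
                   "/index.php/admin/Cms_Wysiwyg/directive/?___directive=cGhhcjovL3g%3D"):
        print(sample, "->", inspect_request(sample))
```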
CVSS provenance
- NVD: CVSS v2.0 6.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:P/A:P)
- VulnCheck: 6.5 MEDIUM
GHSA
GHSA-424c-xcc5-xgcj (ghsa_unreviewed · 2022-05-17): CVE-2015-1398 [MEDIUM] CWE-22, Multiple directory traversal vulnerabilities in Magento Community Edition (CE) 1.9.1.0 and Enterprise Edition (EE) 1.14.1.0 allow remote authenticated users to include and execute certain PHP files via (1) .. (dot dot) sequences in the PATH_INFO to index.php or (2) vectors involving a block value in the ___directive parameter to the Cms_Wysiwyg controller in the Adminhtml module, related to the blockDirective function and the auto loading mechanism. NOTE: vector 2 might not cross privilege boundaries, since administrators might already have the privileges to execute code and upload files.
VulnCheck
magento magento: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (vulncheck · 2015 · CVSS 6.5 · CVE-2015-1398 [MEDIUM])
Multiple directory traversal vulnerabilities in Magento Community Edition (CE) 1.9.1.0 and Enterprise Edition (EE) 1.14.1.0 allow remote authenticated users to include and execute certain PHP files via (1) .. (dot dot) sequences in the PATH_INFO to index.php or (2) vectors involving a block value in the ___directive parameter to the Cms_Wysiwyg controller in the Adminhtml module, related to the blockDirective function and the auto loading mechanism. NOTE: vector 2 might not cross privilege boundaries, since administrators might already have the privileges to execute code and upload files.
Affected: magento magento
Required Action: Apply remediations or mitigations per vendor instructions or di
No detection rules found.
No public exploits indexed.
Qualys
Magento RCE And Application Security Templates | Qualys (blogs_qualys · 2015-05-14 · CVSS 6.5 · [MEDIUM])
Part of the responsibilities of the Qualys Web Application Firewall (WAF) security team is to analyze newly disclosed vulnerabilities. We must ensure their correct detection, and when necessary, publish security updates that will be pushed onto customers' sensors so they can be protected. For most vulnerabilities, these changes are only cosmetic. The inspection engine already knows all the classic web attack strategies (SQLi, XSS, …), and typically our patches are about displaying specific messages to warn the customer that a known vulnerability has been targeted.
But occasionally, as in the case of the Magento remote code execution (RCE) vulnerability described by Checkpoint, the vulnerabilities are far more interesting. As I describe in this article, these vulnerabilities are in applica
References
- http://blog.checkpoint.com/2015/04/20/analyzing-magento-vulnerability/
- http://magento.com/blog/technical/critical-security-advisory-remote-code-execution-rce-vulnerability
- http://www.securitytracker.com/id/1032194