CVE-2015-1399
published 2015-04-29
CVE-2015-1399: PHP remote file inclusion vulnerability in the fetchView function in the Mage_Core_Block_Template_Zend class in Magento Community Edition (CE) 1.9.1.0 and…
Priority: P274 · medium · 6.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
ITW · VulnCheck KEV
Exploited in the wild
EPSS: 10.07% (95.0th percentile)
PHP remote file inclusion vulnerability in the fetchView function in the Mage_Core_Block_Template_Zend class in Magento Community Edition (CE) 1.9.1.0 and Enterprise Edition (EE) 1.14.1.0 allows remote administrators to execute arbitrary PHP code via a URL in unspecified vectors involving the setScriptPath function. NOTE: it is not clear whether this issue crosses privilege boundaries, since administrators might already have privileges to include arbitrary files.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| magento | magento | — | — |
| magento | magento | — | — |
Detection & IOCs (extracted from sources)
- Detect CVE-2015-1397 SQL injection by inspecting the filter parameter (e.g., 'filter' GET/POST param) for base64-encoded payloads; decode base64 content and apply SQL injection detection rules to the decoded query-string values.
- WAF rules must search for PHP wrapper payloads (phar://, php://, etc.) anywhere inside HTTP parameter values, not only at the beginning, due to the Magento template reflection structure wrapping the payload.
- The three CVEs (CVE-2015-1397, CVE-2015-1398, CVE-2015-1399) are chained together to achieve unauthenticated RCE; blocking only CVE-2015-1399 (RFI) is insufficient since the SQL injection (CVE-2015-1397) alone was observed in the wild to add rogue admin accounts, compromising the database before the RFI stage is reached.
- Generic WAF rules are insufficient for this vulnerability chain; all three CVEs require dedicated, Magento-specific inspection rules because the exploit payloads are encoded (base64 for SQLi) or embedded in application-specific template reflection syntax not present in any other web application.
- Affected versions are Magento Community Edition 1.9.1.0 and Enterprise Edition 1.14.1.0; the RFI vector specifically involves the fetchView function in Mage_Core_Block_Template_Zend and the setScriptPath function.
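The two parameter checks from the list above, as an added example (not code from this page's sources): base64-decode the `filter` parameter before applying SQL-injection matching, and look for PHP stream wrappers anywhere inside a value. The regexes are simplified stand-ins for a real rule set; the wrapper names beyond phar:// and php://, the parameter name `widget`, and every sample request are constructed assumptions.

```python
import base64
import re
from urllib.parse import parse_qsl

# Searched with .search(), so a wrapper is found mid-value as well as at the start.
# Names other than phar/php are an assumption about what "etc." should cover.
WRAPPER_RE = re.compile(r"(?:phar|php|zip|data|expect)://", re.I)
# Simplified stand-in for a real SQL injection rule set.
SQLI_RE = re.compile(r"\b(?:union|select|insert|update|delete)\b|--|/\*|'\s*(?:or|and)\b", re.I)


def decode_filter(value):
    """Return the base64-decoded filter as text, or None if it is not valid base64."""
    value = value.replace(" ", "+")          # parse_qsl turned '+' into a space
    value += "=" * (-len(value) % 4)         # tolerate stripped padding
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except ValueError:                       # binascii.Error is a ValueError
        return None


def inspect_request(raw_query):
    """Return (rule, parameter) findings for one query string or form body."""
    findings = []
    for name, value in parse_qsl(raw_query, keep_blank_values=True):
        if WRAPPER_RE.search(value):
            findings.append(("php-wrapper", name))
        if name == "filter":
            decoded = decode_filter(value)
            if decoded is None:
                continue
            # The decoded filter is itself a query string: check each inner value.
            for inner_name, inner_value in parse_qsl(decoded, keep_blank_values=True):
                if SQLI_RE.search(inner_value):
                    findings.append(("sqli-in-filter", inner_name))
    return findings


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample requests, not captured traffic.
SAMPLES = {
    "benign": "filter=" + _b64("name=shirt&price=10"),
    "sqli": "filter=" + _b64("name=x' UNION SELECT 1 -- "),
    "wrapper": "widget=intro text phar://sample.bin/entry trailing",
}

if __name__ == "__main__":
    for label, query in SAMPLES.items():
        print(label, inspect_request(query))
```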
CVSS provenance
nvd · v2.0 · 6.5 MEDIUM · AV:N/AC:L/Au:S/C:P/I:P/A:P
vulncheck · 6.5 MEDIUM
GHSA
GHSA-rg38-827x-4q2g: PHP remote file inclusion vulnerability in the fetchView function in the Mage_Core_Block_Template_Zend class in Magento Community Edition (CE) 1
ghsa_unreviewed·2022-05-17
CVE-2015-1399 [MEDIUM] CWE-94 GHSA-rg38-827x-4q2g: PHP remote file inclusion vulnerability in the fetchView function in the Mage_Core_Block_Template_Zend class in Magento Community Edition (CE) 1
VulnCheck
magento magento Improper Control of Generation of Code ('Code Injection')
vulncheck·2015·CVSS 6.5
CVE-2015-1399 [MEDIUM] magento magento Improper Control of Generation of Code ('Code Injection')
Affected: magento magento
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.sucuri.net/2016/01/security-adviso
No detection rules found.
No public exploits indexed.
Qualys
Magento RCE And Application Security Templates | Qualys
blogs_qualys·2015-05-14·CVSS 6.5
[MEDIUM] Magento RCE And Application Security Templates | Qualys
Part of the responsibilities of the Qualys Web Application Firewall (WAF) security team is to analyze newly disclosed vulnerabilities. We must ensure their correct detection, and when necessary, publish security updates that will be pushed onto customers' sensors so they can be protected. For most vulnerabilities, these changes are only cosmetic. The inspection engine already knows all the classic web attack strategies (SQLi, XSS, …), and typically our patches are about displaying specific messages to warn the customer that a known vulnerability has been targeted.
But occasionally, as in the case of the Magento remote code execution (RCE) vulnerability described by Checkpoint, the vulnerabilities are far more interesting. As I describe in this article, these vulnerabilities are in applica
- http://blog.checkpoint.com/2015/04/20/analyzing-magento-vulnerability/
- http://magento.com/blog/technical/critical-security-advisory-remote-code-execution-rce-vulnerability
- http://www.securitytracker.com/id/1032194