From 188dd968fde5b204fe759a81883f29f6d9c44d4a Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Wed, 15 Jun 2022 11:29:33 +0530
Subject: [PATCH] Update and rename magento-downloader.yaml to magento-downloader-panel.yaml
---
exposed-panels/magento-downloader-panel.yaml | 46 ++++++++++++++++++++
exposed-panels/magento-downloader.yaml | 33 --------------
2 files changed, 46 insertions(+), 33 deletions(-)
create mode 100644 exposed-panels/magento-downloader-panel.yaml
delete mode 100644 exposed-panels/magento-downloader.yaml
diff --git a/exposed-panels/magento-downloader-panel.yaml b/exposed-panels/magento-downloader-panel.yaml
new file mode 100644
index 0000000000..bf052c464c
--- /dev/null
+++ b/exposed-panels/magento-downloader-panel.yaml
@@ -0,0 +1,46 @@
+id: magento-downloader-panel
+
+info:
+ name: Magento Downloader Exposed
+ author: 5up3r541y4n
+ severity: info
+ description: |
+ Magento Connect Manager available via /downloader/ location is used for installation of Magento extensions and Magento upgrades and requires Magento admin rights for the action. It uses the same authorization methods as for Backend. Therefore if bot will find out a matching pair of login/password, whole Magento installation will be compromised. Attacker will be able to discover backend URL for login (even if it is customized as described in Securing Magento /admin/), install a Filesystem extension to obtain full access to all files and finally database.
+ reference:
+ - https://magentary.com/kb/restrict-access-to-magento-downloader/
+ - https://www.mageplaza.com/kb/how-to-stop-brute-force-attacks-magento.html#solution-3
+ metadata:
+ verified: true
+ shodan-query: http.component:"Magento"
+ tags: magento,exposure
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/downloader/'
+
+ matchers-condition: and
+ matchers:
+
+ - type: word
+ part: body
+ words:
+ - "Magento Downloader"
+ - "Log In"
+ condition: and
+
+ - type: word
+ part: header
+ words:
+ - "text/html"
+
+ - type: status
+ status:
+ - 200
+
+ extractors:
+ - type: regex
+ part: body
+ group: 1
+ regex:
+ - '\(Magento Connect Manager ver\. ([0-9.]+)'
diff --git a/exposed-panels/magento-downloader.yaml b/exposed-panels/magento-downloader.yaml
deleted file mode 100644
index 1d93abfef6..0000000000
--- a/exposed-panels/magento-downloader.yaml
+++ /dev/null
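Review bot: `shodan-query: http.component:"Magento"` in the metadata block is a plain scalar that only parses because the colon is not followed by a space; quoting it as `shodan-query: 'http.component:"Magento"'` makes the intent explicit and keeps it stable under reformatting. The `description: |` literal block wraps a single long paragraph and retains a trailing newline, whereas `>-` would fold it to one line without the trailing newline, which is the usual choice for prose fields. The description text is carried over unchanged and would read more clearly as "if an attacker obtains a valid admin login/password, the whole Magento installation is compromised" in place of "if bot will find out a matching pair of login/password". If the exposed-panels templates in this repository carry a `panel` tag by convention, `tags: panel,magento,exposure` would bring this one in line with its siblings; that cannot be confirmed from the hunk alone.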
@@ -1,33 +0,0 @@
-id: magento-downloader
-
-info:
- name: Magento Downloader
- author: 5up3r541y4n
- severity: medium
- description: Magento Connect Manager available via /downloader/ location is used for installation of Magento extensions and Magento upgrades and requires Magento admin rights for the action. It uses the same authorization methods as for Backend. Therefore if bot will find out a matching pair of login/password, whole Magento installation will be compromised. Attacker will be able to discover backend URL for login (even if it is customized as described in Securing Magento /admin/), install a Filesystem extension to obtain full access to all files and finally database.
- reference:
- - https://magentary.com/kb/restrict-access-to-magento-downloader/
- - https://www.mageplaza.com/kb/how-to-stop-brute-force-attacks-magento.html#solution-3
- tags: magento
-
-requests:
- - method: GET
- path:
- - '{{BaseURL}}/downloader/'
-
- matchers-condition: and
- matchers:
- - type: status
- status:
- - 200
-
- - type: word
- words:
- - "Magento Downloader"
- - "Log In"
- part: body
-
- - type: word
- words:
- - "text/html"
- part: header
\ No newline at end of file