id: magento-downloader-panel

info:
  name: Magento Connect Manager Installer - Detect
  author: 5up3r541y4n
  severity: info
  description: |
    Magento Connect Manager installer was detected. The software, available via /downloader/ location, requires Magento admin rights and uses the same authorization methods as for backend. If an attacker locates a matching pair of login/password, the installation will be compromised. An attacker can then discover backend URL for login (even if it is customized as described in Securing Magento /admin/) and install a Filesystem extension to obtain full access to all files and finally the database.
  reference:
    - https://magentary.com/kb/restrict-access-to-magento-downloader/
    - https://www.mageplaza.com/kb/how-to-stop-brute-force-attacks-magento.html#solution-3
  classification:
    cpe: cpe:2.3:a:magento:magento:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: magento
    product: magento
    shodan-query:
      - http.component:"Magento"
      - cpe:"cpe:2.3:a:magento:magento"
      - http.component:"magento"
  tags: magento,exposure,panel

http:
  - method: GET
    path:
      - '{{BaseURL}}/downloader/'

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Magento Downloader"
          - "Log In"
        condition: and

      - type: word
        part: header
        words:
          - "text/html"

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - '\(Magento Connect Manager ver\. ([0-9.]+)'
# digest: 4a0a00473045022100b3a09d0a43a01318804662745ee2e04bcee0ee8de8a203b2c63f0fccd80e2f7f02204168520b28a940a3cdda767f3d42c434a27372545d6655a1fb35cf255fbe021e:922c64590222798bb761d5b6d8e72950