id: magento-config-disclosure info: name: Magento - Config Disclosure author: ptonewreckin,danigoland,geeknik severity: high description: | Misconfigured instances of Magento may disclose usernames, passwords, and database configurations via /app/etc/local.xml reference: - https://github.com/ptonewreckin/cmsDetector/blob/master/signatures/magento.py metadata: verified: true shodan-query: http.component:"Magento" tags: magento,exposure,credential,config requests: - method: GET path: - "{{BaseURL}}/app/etc/local.xml" - "{{BaseURL}}/app/etc/local.xml.additional" - "{{BaseURL}}/store/app/etc/local.xml" stop-at-first-match: true matchers-condition: and matchers: - type: word part: body words: - "* Magento" - "" condition: and - type: word part: header words: - "application/xml" - type: status status: - 200 extractors: - type: regex part: body group: 1 regex: - "<\\/host>" - "<\\/username>" - "<\\/password>" - "<\\/dbname>"