Skip to content
Nuclei Templates

Magento Cacheleak

ID: magento-cacheleak

Severity: high

Author: TechbrunchFR

Tags: magento

Description

Section titled “Description”

Magento Cacheleak is an implementation vulnerability, result of bad implementation of web-server configuration for Magento platform. Magento was developed to work under the Apache web-server which natively works with .htaccess files, so all needed configuration directives specific for various internal Magento folders were placed in .htaccess files. When Magento is installed on web servers that are ignoring .htaccess files (such as nginx), an attacker can get access to internal Magento folders (such as the Magento cache directory) and extract sensitive information from cache files.

YAML Source

Section titled “YAML Source”
id: magento-cacheleak


info:
  name: Magento Cacheleak
  author: TechbrunchFR
  severity: high
  description: Magento Cacheleak is an implementation vulnerability, result of bad implementation of web-server configuration for Magento platform. Magento was developed to work under the Apache web-server which natively works with .htaccess files, so all needed configuration directives specific for various internal Magento folders were placed in .htaccess files.  When Magento is installed on web servers that are ignoring .htaccess files (such as nginx), an attacker can get access to internal Magento folders (such as the Magento cache directory) and extract sensitive information from cache files.
  reference:
    - https://support.hypernode.com/en/best-practices/security/how-to-secure-magento-cacheleak
    - https://www.acunetix.com/vulnerabilities/web/magento-cacheleak/
    - https://royduineveld.nl/magento-cacheleak-exploit/
  classification:
    cpe: cpe:2.3:a:magento:magento:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: magento
    product: magento
    shodan-query: http.component:"Magento"
  tags: magento


http:
  - method: GET
    path:
      - '{{BaseURL}}/var/resource_config.json'


    # Based on royduineveld.nl blogpost, was not tested against a vulnerable Magento site
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200


      - type: word
        words:
          - "media_directory"
          - "allowed_resources"
        part: body


      - type: word
        words:
          - "application/json"
        part: header
# digest: 490a00463044022025fdaaaca305363ddc87a884b68aea82c313a5b8e641d263ab40d8d9bac00fdc02202ab72638a505acc4eaba5d1f72a4b16f4304dcd800ef774fac574c6d86433ca7:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/vulnerabilities/magento/magento-cacheleak.yaml"

View on Github