Full Report
A newly disclosed vulnerability dubbed 'PolyShell' affects all Magento Open Source and Adobe Commerce stable version 2 installations, allowing unauthenticated code execution and account takeover. [...]
Analysis Summary
# Vulnerability: PolyShell (Unauthenticated RCE & Account Takeover)
## CVE Details
- **CVE ID:** Not yet assigned (Pending Adobe production release)
- **CVSS Score:** 9.8 (Critical - Estimated)
- **CWE:** CWE-434 (Unrestricted Upload of File with Dangerous Type) / CWE-79 (Stored Cross-Site Scripting)
## Affected Systems
- **Products:** Adobe Commerce and Magento Open Source
- **Versions:** All stable Version 2.x installations (including current 2.4.x production releases).
- **Configurations:** Systems where the web server (Nginx/Apache) allows the execution of scripts or direct access to files within the `pub/media/` directory tree.
## Vulnerability Description
The "PolyShell" flaw originates in the Magento REST API's handling of custom product options. When a cart item includes a product option of type "file", the API processes an embedded `file_info` object containing base64-encoded data, a MIME type, and a filename; the server decodes the data and writes it to the `pub/media/custom_options/quote/` directory.
The vulnerability is exploited using "polyglot" files: files that are valid images but also contain script code. If the web server is misconfigured to execute scripts in the media directory, the result is **Remote Code Execution (RCE)**. If script execution is blocked but the uploaded file remains directly accessible, the result is **Stored XSS**, which can be leveraged for administrative account takeover.
## Exploitation
- **Status:** A PoC method is circulating; exploitation in the wild has not yet been observed, though automated attacks are anticipated.
- **Complexity:** Low
- **Attack Vector:** Network (Unauthenticated)
## Impact
- **Confidentiality:** High (Full database access and customer data theft possible via RCE)
- **Integrity:** High (Account takeover and site modification)
- **Availability:** High (Potential for site deletion or ransomware encryption)
## Remediation
### Patches
- **Adobe Commerce / Magento 2.4.9-alpha2:** A fix is included in this pre-release version.
- **Production Versions:** No official production-ready patches are available as of the current disclosure.
### Workarounds
- **Access Control:** Restrict all public access to the `pub/media/custom_options/` directory via web server configuration.
- **Server Hardening:** Implement Adobe's recommended "sample web server configuration", which limits file execution in media directories.
## Detection
- **Indicators of Compromise:** Presence of unexpected files (especially those with double extensions or polyglot signatures) in `pub/media/custom_options/quote/`.
- **Detection Methods and Tools:**
  - Verify that the Nginx/Apache rules actively prevent access to, and execution of, files in the upload path.
  - Perform file integrity monitoring on the `pub/` directory.
  - Use security scanners to identify uploaded shells, backdoors, or malicious scripts.
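As an added example (not part of the report, and not Sansec's or Adobe's tooling), a small Python scanner that applies the indicators above to `pub/media/custom_options/quote/`: it flags double extensions and files that carry a valid image header but also embed PHP or script tags. The directory and sample files in `demo()` are constructed for the demonstration; on a real store, point `scan_directory` at the quote upload path.

```python
import os
import re
import tempfile
from pathlib import Path

# Image signatures a polyglot upload would typically mimic (jpeg, png, gif).
IMAGE_MAGICS = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png", b"GIF87a": "gif", b"GIF89a": "gif"}
# Script content that has no business inside a file served from pub/media/.
SCRIPT_MARKERS = {b"<?php": "php-tag", b"<?=": "php-short-tag", b"<script": "script-tag"}
# Names such as shell.jpg.php or image.php.jpg: a second extension is the classic trick.
DOUBLE_EXT = re.compile(r"\.(php\d?|phtml|phar)\.\w+$|\.\w+\.(php\d?|phtml|phar)$", re.I)

def inspect_file(path):
    """Return the findings for one file; an empty list means nothing suspicious."""
    findings = []
    if DOUBLE_EXT.search(os.path.basename(path)):
        findings.append("double-extension")
    data = Path(path).read_bytes()
    kind = next((k for magic, k in IMAGE_MAGICS.items() if data.startswith(magic)), None)
    hits = [label for marker, label in SCRIPT_MARKERS.items() if marker in data]
    if kind and hits:
        # A valid image header followed by script code is the polyglot signature.
        findings.append("polyglot:%s+%s" % (kind, ",".join(hits)))
    elif hits:
        findings.append("script-content:" + ",".join(hits))
    return findings

def scan_directory(root):
    """Walk the upload directory and map each suspicious file (relative path) to its findings."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            if findings := inspect_file(full):
                report[os.path.relpath(full, root)] = findings
    return report

def demo():
    """Scan a temporary directory of constructed samples (not real uploads); returns the report."""
    root = tempfile.mkdtemp(prefix="custom_options_quote_")
    samples = {  # constructed test data, deliberately minimal
        "clean.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 8 + b"<?php echo 'marker'; ?>",
        "avatar.png": b"\x89PNG\r\n\x1a\n" + b"<script>alert(1)</script>",
        "note.jpg.php": b"\xff\xd8\xff" + b"\x00" * 4,
    }
    for name, content in samples.items():
        Path(root, name).write_bytes(content)
    return scan_directory(root)
```

A file that only fails the image-header check is deliberately not flagged, since legitimate custom-option uploads need not be images; the signal here is script content or a second extension.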
## References
- **Vendor Advisory:** Adobe (Pending production release)
- **Sansec Research:** hxxps[://]sansec[.]io/research/magento-polyshell
- **BleepingComputer Report:** hxxps[://]www[.]bleepingcomputer[.]com/news/security/new-polyshell-flaw-allows-unauthenticated-rce-on-magento-e-stores/