Magento 2 Security Alert: Unrestricted File Uploads via Customer Address Attributes
Understanding a Critical Magento 2 File Upload Vulnerability
The Magento 2 ecosystem constantly evolves, and with it, the vigilance required to maintain robust security. A recent GitHub issue, #40795, brought to light a significant vulnerability concerning file uploads via customer address attributes. This issue, initially reported as a pull request, highlighted a critical oversight in the platform's input validation, posing potential risks ranging from arbitrary file uploads to more severe remote code execution (RCE).
At its core, the vulnerability stemmed from the Customer/Controller/Address/File/Upload.php endpoint. This controller, responsible for handling file uploads related to customer address attributes, failed to adequately validate the frontend_input type of the requested attribute. This meant that attributes not intended for file uploads—such as text or select types—could be manipulated to accept files.
The Exploit and Its Implications
Without proper validation, an attacker could supply any custom address attribute code (e.g., a text type attribute) as the upload target. Since non-file attributes lack specific file_extensions validation rules, the system's uploader would permit all file types. This included potentially dangerous executable files like .php scripts, which could then be saved to the pub/media/customer_address/tmp/ directory.
While exploiting this vulnerability required an authenticated customer session, the fact that customer registration is typically open on Magento storefronts rendered the attack surface effectively unauthenticated. Even if direct PHP execution in the media directory were blocked by server configurations (a common defense practice), the vulnerability still presented serious concerns:
- Arbitrary File Uploads: Allowing any file type to be uploaded to non-file attributes.
- Denial of Service (DoS): An attacker could continuously upload junk files, potentially exhausting disk space.
- JavaScript Injection: Uploading .js files could lead to client-side attacks.
- Undermining Data Integrity: Storing irrelevant files against attribute types not designed for them.
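The consequences listed above all land in one place on disk, so a practical first check after patching is to audit that directory. The following script is an added example and is not code from the GitHub issue or from Magento: it walks the staging directory the page names (pub/media/customer_address/tmp/), flags files whose extension no file or image attribute would produce or whose first bytes look like PHP or script markup despite a harmless extension, and totals the space they occupy, since disk exhaustion is one of the listed risks. The extension allowlist and the sample files are constructed for the demo; in a real audit the allowlist comes from your attributes' file_extensions rules.

```php
<?php
// Added example, not from the GitHub issue or Magento. Audits an upload
// staging directory (in practice pub/media/customer_address/tmp/) for files
// that no file/image address attribute would legitimately produce and totals
// the disk they hold. Allowlist and sample files are constructed for the demo.

declare(strict_types=1);

// Assumption for the demo: real allowlist comes from the attributes' file_extensions rules.
const DEMO_ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

/**
 * Classifies one file as 'ok', 'bad_extension' or 'script_content'.
 * The content check catches files with a harmless-looking extension (photo.jpg)
 * whose bytes nevertheless begin like PHP or HTML/JavaScript.
 */
function classifyFile(string $path, array $allowed): string
{
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        return 'bad_extension';
    }
    $head = (string) file_get_contents($path, false, null, 0, 512);
    if (stripos($head, '<?php') !== false || stripos($head, '<script') !== false) {
        return 'script_content';
    }
    return 'ok';
}

/**
 * Walks $dir recursively and returns
 * ['file_count' => int, 'total_bytes' => int, 'flagged' => [relative path => reason]].
 */
function auditUploadDir(string $dir, array $allowed = DEMO_ALLOWED_EXTENSIONS): array
{
    $report = ['file_count' => 0, 'total_bytes' => 0, 'flagged' => []];
    if (!is_dir($dir)) {
        return $report;
    }
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $report['file_count']++;
        $report['total_bytes'] += $file->getSize();
        $reason = classifyFile($file->getPathname(), $allowed);
        if ($reason !== 'ok') {
            $relative = substr($file->getPathname(), strlen(rtrim($dir, '/')) + 1);
            $report['flagged'][$relative] = $reason;
        }
    }
    ksort($report['flagged']);
    return $report;
}

// Constructed demo tree standing in for pub/media/customer_address/tmp/.
$demoDir = sys_get_temp_dir() . '/customer_address_tmp_demo_' . getmypid();
mkdir($demoDir . '/abc', 0700, true);
file_put_contents($demoDir . '/abc/house.jpg', "\xFF\xD8\xFF\xE0 constructed jpeg bytes");
file_put_contents($demoDir . '/abc/shell.php', "<?php /* constructed sample, never executed */");
file_put_contents($demoDir . '/abc/notes.js', "alert('constructed sample');");
file_put_contents($demoDir . '/abc/photo.jpg', "<?php /* php bytes behind a jpg name */");

$report = auditUploadDir($demoDir);
printf("%d files, %d bytes\n", $report['file_count'], $report['total_bytes']);
foreach ($report['flagged'] as $path => $reason) {
    printf("  FLAG %-16s %s\n", $reason, $path);
}

// Remove the demo tree again.
foreach (glob($demoDir . '/abc/*') as $f) {
    unlink($f);
}
rmdir($demoDir . '/abc');
rmdir($demoDir);
```

Run it with plain `php` and it flags shell.php and notes.js on extension and photo.jpg on content; point auditUploadDir() at the real directory to audit an installation, and treat a growing total_bytes between runs as the disk-exhaustion signal the list above describes.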
The Community's Role in Reproduction and Confirmation
The discussion in the GitHub issue underscored the importance of community collaboration in identifying and confirming vulnerabilities. Initial attempts by the Magento engineering team (engcom-Hotel) to reproduce the issue encountered difficulties, primarily due to complexities with form_key validation and incorrect endpoint usage. However, thanks to detailed guidance from contributors like rgarciar-hiberuscom, who provided precise instructions on setting form_key as both a cookie and a form value, the issue was successfully reproduced.
rgarciar-hiberuscom further elaborated on the root cause, explaining that the validation logic for non-file attributes like 'select' (e.g., \Magento\Customer\Model\Metadata\Form\Select::validateValue) only checked for 'is_required' and 'has_value', completely bypassing any file-specific checks. This critical insight highlighted why the problematic code block was being executed for non-file attributes:
    // Build the form element for whatever type the requested attribute has
    // (text, select, file, ...); nothing here checks that it is a file type.
    $formElement = $this->elementFactory->create(
        $this->attributeMetadata,
        null,
        $this->entityTypeCode
    );
    // For non-file types validateValue() only checks is_required and has_value,
    // so no file_extensions rule is ever applied to the uploaded file.
    $errors = $formElement->validateValue($this->getData());
The Solution: Robust Input Validation
The proposed fix, integrated into the platform, addresses this vulnerability directly. It introduces a crucial check immediately after fetching the attribute metadata. This check verifies that the frontend_input type is explicitly either file or image. If the attribute type does not match these allowed values, a LocalizedException is thrown, preventing the upload and returning an error message: “Attribute "[attribute_code]" does not support file uploads.” This ensures that only attributes explicitly designed for file uploads can be used for that purpose, significantly enhancing the security posture of Magento 2 installations.
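To make the two behaviours concrete, here is an added example that is not Magento's patch: a stand-alone PHP script modelling the unpatched flow (only file/image attributes carry a file_extensions rule, so a text attribute lets every extension through) next to the gate the fix introduces (reject any attribute whose frontend_input is not file or image before the uploader runs). The AttributeMetadata class, the LocalizedException class and the attribute codes delivery_note and house_photo are constructed stand-ins so the script runs with plain `php`; only the error message text follows the fix described above.

```php
<?php
// Added example, not Magento's own code. Stand-ins for Magento classes are
// declared here so the script runs without a Magento installation.

declare(strict_types=1);

// Stand-in for \Magento\Framework\Exception\LocalizedException.
class LocalizedException extends \RuntimeException {}

// Minimal stand-in for attribute metadata: only the fields the check needs.
final class AttributeMetadata
{
    public function __construct(
        private string $attributeCode,
        private string $frontendInput,
        private array $validationRules = []   // e.g. ['file_extensions' => 'jpg,png']
    ) {}
    public function getAttributeCode(): string { return $this->attributeCode; }
    public function getFrontendInput(): string { return $this->frontendInput; }
    public function getValidationRules(): array { return $this->validationRules; }
}

// Unpatched behaviour from the page: only file/image attributes carry a
// file_extensions rule, so any other attribute yields "no restriction".
function allowedExtensions(AttributeMetadata $attr): ?array
{
    $rule = $attr->getValidationRules()['file_extensions'] ?? null;
    if ($rule === null || $rule === '') {
        return null; // null means every extension passes: the bug for text/select
    }
    return array_map('strtolower', array_map('trim', explode(',', $rule)));
}

// The fix: refuse any attribute whose frontend_input is not file or image,
// before the uploader is ever consulted.
function assertSupportsFileUpload(AttributeMetadata $attr): void
{
    if (!in_array($attr->getFrontendInput(), ['file', 'image'], true)) {
        throw new LocalizedException(
            sprintf('Attribute "%s" does not support file uploads.', $attr->getAttributeCode())
        );
    }
}

// Returns 'accepted' or the rejection reason for one upload attempt.
function validateUpload(AttributeMetadata $attr, string $fileName, bool $patched): string
{
    try {
        if ($patched) {
            assertSupportsFileUpload($attr);
        }
        $ext = strtolower(pathinfo($fileName, PATHINFO_EXTENSION));
        $allowed = allowedExtensions($attr);
        if ($allowed !== null && !in_array($ext, $allowed, true)) {
            return "rejected: extension .$ext not in " . implode(',', $allowed);
        }
        return 'accepted';
    } catch (LocalizedException $e) {
        return 'rejected: ' . $e->getMessage();
    }
}

// Constructed attributes: a text attribute (the abused case) and an image one.
$attributes = [
    new AttributeMetadata('delivery_note', 'text'),
    new AttributeMetadata('house_photo', 'image', ['file_extensions' => 'jpg,jpeg,png']),
];

foreach ([false, true] as $patched) {
    echo $patched ? "--- patched ---\n" : "--- unpatched ---\n";
    foreach ($attributes as $attr) {
        foreach (['front.jpg', 'shell.php'] as $file) {
            printf("%-14s %-10s %s\n", $attr->getAttributeCode(), $file,
                validateUpload($attr, $file, $patched));
        }
    }
}
```

In the unpatched pass the text attribute accepts both file names because allowedExtensions() returns null for it, while the image attribute rejects the .php name on its own rule; in the patched pass the text attribute is rejected up front with the fix's message and the image attribute behaves exactly as before, which is the point of gating on frontend_input rather than on the uploader's extension list.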
For Magento merchants and developers, this issue serves as a vital reminder of the continuous need for security updates and rigorous input validation in custom development. Ensuring your Magento 2 instance is up-to-date with the latest patches is paramount to safeguard against such vulnerabilities.