Today the website packetstormsecurity.com released a vulnerability advisory for Magento 2.1.6 and earlier versions. According to them, a bug permits Remote Code Execution.
Here is the link to the page:
https://packetstormsecurity.com/files/142119/DC-2017-04-003_Magento_Arbitrary_File_Upload.pdf
and to the PDF description:
http://www.defensecode.com/advisories/DC-2017-04-003_Magento_Arbitrary_File_Upload.pdf
The document says the Magento team has been aware of this issue since last November.
Please inform us when a patch is available or if this problem was already solved.
Thank you.
Who f n cares these days LOL. I bet these sorts of reports are ways to 'blackmail' Magento, or any online vendor for that matter. Pay attention here; only a competitor would freelance for the "online police". They do this all day long, mate. Sad sods, isn't it?
Facts are... some people I (we) know wouldn't necessarily need your little PHP Magento store running to gain access to your privileges. So please, save us from that PDF terror you posted.
Chill out bud! You have any problem with that then just pull the plug....
... thank you very much and have a great day
The OP and co. advertise hacks publicly and you thumb me down, @hostep.
Wicked. The Internet needs parenting, as it appears, not PHP.
I am not writing to receive insults. Nobody cares? I will close this. Hello.
Hi @Dart18,
Thank you for also posting it to the GitHub issues, now that there is a public report.
Could you please put the Advisory ID into the title, too? (DC-2017-04-003)
As a first response I would like to clarify that it's not so easy to make use of it en masse.
It requires knowing the secret admin URL, someone who is actually logged in to this admin area, and also a web server which is actually Apache and is allowed to parse .htaccess files inside the media directory.
There are suggestions to activate "Add Secret Key to URL" to prevent this, and it should really help against external attackers. But even then it could still be used by lower-privileged admin users, so it would still be a security risk.
A better temporary solution would be to configure Apache not to read .htaccess files in this directory. The real patch is probably more complex, as the source of the problem is the upload of arbitrary files from arbitrary sources, which could lead to other problems, too.
I posted it because when searching for "Magento 2.1.6" on Google I found this result on the first page.
It is not my intention in any way to discredit Magento or its development team. I have used and followed Magento for years, but I'm not a security expert, and I'm confident in the Magento team's ability to respond appropriately to real threats to data security.
The answer from @Flyingmana is sufficient to reassure me, and maybe other people, about the low level of real risk from the notification that I reported.
Thank you.
@Dart18 with a vulnerability like this, there is not really such a thing as "low level of real risk". You are either at risk, or you aren't.
The conditions that need to exist for there to be risk, as @Flyingmana stated, are:
AllowOverride All
to your Apache configuration

For organisations with several users with access to a Magento admin panel - including attackers who might have stolen such credentials - this is a significant vulnerability.
The long-term fix, I think, should be to perform the same URL validation on the server side that is performed on the client side, and also to delete invalid files immediately rather than leaving them on the server.
But in the meantime, I agree that putting something like the following inside your Apache site config is probably a reasonable temporary patch:
# AllowOverride is only valid inside <Directory> (filesystem path), not <Location> (URL path)
<Directory /var/www/html/pub/media/>
AllowOverride None
</Directory>
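The server-side validation that @hyperreality proposes above, written out as an added example; this is not Magento's code and not code posted by anyone in this thread. It uses hypothetical function names (`validate_image`, `store_image`, `sweep_media_dir`), an assumed allowlist of image types identified by their magic bytes (JPEG, PNG, GIF), and a constructed sample directory. It shows both halves of the suggestion: refusing a name like `.htaccess` or a non-image file before it is written into the media directory, and removing anything already sitting there that fails the same check.

```python
import os
import posixpath
import tempfile
from urllib.parse import urlsplit

# Assumed allowlist: extension -> magic bytes the file content must start with.
IMAGE_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def filename_from_url(url):
    """Derive the target filename from a remote URL: last path segment only,
    so query strings, fragments and directory components never reach disk."""
    return posixpath.basename(urlsplit(url).path)


def is_safe_image_name(name):
    """Server-side name check. Rejects dotfiles such as .htaccess, embedded
    path separators or NULs, and anything that is not exactly one allowed
    image extension (double extensions like x.php.jpg are refused because
    Apache's mod_mime may evaluate every extension in a name)."""
    if not name or name.startswith(".") or any(c in name for c in "/\\\x00"):
        return False
    parts = name.split(".")
    if len(parts) != 2 or not parts[0]:
        return False
    return parts[1].lower() in IMAGE_SIGNATURES


def validate_image(name, data):
    """Return (ok, reason): the name must be safe AND the bytes must carry
    the magic number of the claimed image type."""
    if not is_safe_image_name(name):
        return False, "unsafe or non-image filename"
    ext = name.rsplit(".", 1)[1].lower()
    if not any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        return False, "content does not match %s signature" % ext
    return True, "ok"


def store_image(media_dir, name, data):
    """Validate before the file ever touches the web-served directory."""
    ok, reason = validate_image(name, data)
    if not ok:
        raise ValueError("rejected %r: %s" % (name, reason))
    dest = os.path.join(media_dir, name)
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def sweep_media_dir(media_dir):
    """Delete anything already in the directory that fails validation
    (the 'delete invalid files immediately' point). Returns the sorted
    list of removed names."""
    removed = []
    for name in os.listdir(media_dir):
        path = os.path.join(media_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            head = fh.read(16)
        if not validate_image(name, head)[0]:
            os.remove(path)
            removed.append(name)
    return sorted(removed)


def demo():
    """Constructed sample: a minimal PNG header plus an .htaccess and a PHP
    file dropped next to it. Only the PNG survives the sweep."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    with tempfile.TemporaryDirectory() as media:
        store_image(media, "logo.png", png)
        for bad, body in ((".htaccess", b"# any directive\n"),
                          ("shell.php", b"<?php echo 1; ?>")):
            with open(os.path.join(media, bad), "wb") as fh:
                fh.write(body)
        removed = sweep_media_dir(media)
        survivors = sorted(os.listdir(media))
    return removed, survivors


if __name__ == "__main__":
    print(demo())  # ([".htaccess", "shell.php"], ["logo.png"])
```

The name check alone already blocks the `.htaccess` case discussed in this thread, independent of how Apache is configured; the magic-byte check is what stops a PHP payload renamed to `.png`, and the sweep is the cleanup step for files that were written before the check existed.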
@hyperreality
There are people, besides yourself, with access to the control panel, with bad intentions, and with the skills to put them into practice.
In the small companies I worked for, I never met people with the necessary skills to take advantage of an exploit, perform code injection or something similar. But... you're right.
Getting access to the Magento admin is pretty easy; if you look right now at your admin user table, you will see 10-30 accounts. Some of them you don't even know...
Don't forget that changes to Apache/.htaccess are only possible if you have access to it, but a huge percentage of Magento users install Magento on shared hosting, where you are not allowed to change anything...
I believe these are enough comments so everyone can estimate their risk from it.
So I would now like to ask everyone to wait for Magento.
The GitHub issue tracker is not the best place to report and discuss security issues.
Please use the Security Center for information and Bugcrowd to report issues.
Thank you.