sansecio / magevulndb

List of Magento extensions with known security issues.
https://sansec.io

New, unidentified probes #8

Open gwillem opened 5 years ago

gwillem commented 5 years ago

Probably a load more vulnerable extensions, should figure out what they are. All requested by 185.254.120.74 (LT), 185.153.197.28 (RU), 185.176.27.162 (BG) and 84.54.36.12 (NL, Worldstream).

They hit 404 on this particular site, so cannot tell what they were looking for.

User agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0

/advancednewsletter/index/test
/advancedreviews/Product/post/
/ajaxreviews/index/getReviews/
/autocompleteplus/Products/checkinstall
/blog/2013/04/09/spring-2013-market-price-check-ipod-touch-4th-generation/
/brand/
/bulk/kit-iphone-6-small-parts
/careers.html
/clearance/clearance-tools/gtool/icorner/gtool-icorner-corner-tool-head-set-for-ipod-touch-5-gh1225-strong-font-color-ed1d24-new-font-strong
/clnews
/consultants/
/donate/donation
/econt/ajax/street
//.env
/freight/index/row
//helper/constants.js
/index.php/abandonedorder/index/key/
/index.php/adjcartalert/adminhtml_cartalert/index/key/
/index.php/admin_awautorelated/adminhtml_blocksgrid/
/index.php/admin_reviewcomment/adminhtml_reviewcomment/
/index.php/adminseoslider/adminhtml_seoslider/index/key/
/index.php/admin_shipment/adminhtml_shipmentbackend/index/
/index.php/advancednewsletter/adminhtml_automanagement/index/key/
/index.php/advancedreports/adminhtml_advancedreports/
/index.php/advancedreports_admin/standardsales/
/index.php/advancedreviews_admin/adminhtml_abuse/index/
/index.php/AdvancedStock_Misc/MassStockEditor/key/
/index.php/AdvancedStock/Products/Grid/
/index.php/affiliate/adminhtml_affiliatewithdrawnpending/
/index.php/auction/adminhtml_auction/index/
/index.php/awall_admin/additional/index/
/index.php/awcore/viewlog/index/
/index.php/bc_en/rss/order/new/
/index.php/blog/index/list/tag/
/index.php/brand/adminhtml_brand/index/
/index.php/ecc/admin/index/
/index.php/everypay/everypay/callback?orderNoField=asdas&nonce=*&order_reference=huyvam&hmac=2064bf1399b38edf62f71b671b3bf961b71c9a3a&api_username=
/index.php/ExtensionConflict/Admin/List/index/
/index.php/fancycheckout/Instantcheckout/showinstantcheckoutfirst?isAjax=1
/index.php/faq/adminhtml_faq/index/
/index.php/faq/adminhtml_faq_list/index/
/index.php/faq/index/result/?cat_id=2&keyword=1
/index.php/faqs/adminhtml_categories/index/key/
/index.php/forum/adminhtml_forumbackend/index/
/index.php/freetextsearch/search/result?keyword=1
/index.php/galleryvideo/index?gallery=1*
/index.php/giftlist/adminhtml_manageList/index/
/index.php/inquiry/adminhtml_inquiry/index/
/index.php/InventorySold/index/key/
/index.php/M2ePro/adminhtml_common_listing/index/
/index.php/M2ePro/adminhtml_ebay_listing/
/index.php/marketplace/adminhtml_seller/index/
/index.php/megamenu/adminhtml_menugroup/index/
/index.php/offinews/adminhtml_category/index/
/index.php/Organizer/Task/List/
/index.php/productattachments/adminhtml_productattachments/index/key/
/index.php/productquestions/adminhtml_answers/index/
/index.php/questionanswer/adminhtml_questionanswer/index/
/index.php/quickshop/adminhtml_quickshop/index/
/index.php/Scanner/index/index/
/index.php/Scanner_index/index/key/
/index.php/storelocator/adminhtml_storelocator/index/
/index.php/ticketsystem/adminhtml_ticketsystem/index/
/index.php/UrlRedirector/Admin/Grid/
/index.php/webforms/index/iframe/
/intl/authors
/js/advancednewsletter/advancednewsletter.js
/js/advancedreviews/ajax-reviews.js
/js/em_layerednavigation/slider.js
/js/magestore/auction.php
/komfortkasse/main?action=init&o=1&accesscode=1&store_id=1&test=2&accesscode_hash=c4ca4238a0b923820dcc509a6f75849b&testBase64Enc=Q2FuIHlvdSBoZWFyIG1lPw==
/mobileassistant/index/testModule
/order/trackorder
/outofstocknotification
/process/licenselookup.php
/productquestions/adminhtml_answers/index/
/psp-playstation-portable-battery-cover
/questionanswer/adminhtml_questionanswer/index/
/recommender/index/orderitem/
/securepay/sfdirectpost/start
/skin/frontend/base/default/advancedreviews/css/advancedreviews.css
/skin/frontend/base/default/Loginradius/Sociallogin/js/LoginRadiusSDK.js
/skin/frontend/default/default/sns/quickview/css/quickview.css
/skin/frontend/default/default/sns/quickview/js/quickview.js
/skin/frontend/enterprise/default/css/aw_zblocks.css
/storelocator/index/
/storelocator/index/loadstore/
/testimonials/index
/index.php/magenotification/adminhtml_feedback/index/
/index.php/affiliateplusadmin/adminhtml_banner/index/key/
jeroenvermeulen commented 5 years ago

@Rolandwalraven Can you share the IP blacklist we use? Can you request to add these IPs? (sorry, a bit off-topic)

gwillem commented 5 years ago

No worries, I am maintaining an internal blacklist too, but still undecided whether I should use single IPs, class C netblocks or AS numbers. For OVH, a single IP is probably the best, but for Worldstream, I don't trust the whole ASN.

jeroenvermeulen commented 5 years ago

The IP blacklist we use is dnsbl.dronebl.org, more info at https://dronebl.org/. I did not find an easy way to add those IPs to that blacklist.

gwillem commented 5 years ago

And more probes, all from 137.74.21.194 who started probing in May 2018 and continued to Dec 2018.

/advancedreports/chart/tunnel
/ajaxproducts/index/index
/campaigner/abandoned/restore
/comm/message/crqu
/comm/returns/configureproduct
/customerconnect/rfqs/configureproduct
/emaildirect/abandoned/restore
/freegift/cart/gurlgift
/index.php/advancedreports/chart/tunnel
/index.php/ajaxproducts/index/index
/index.php/campaigner/abandoned/restore
/index.php/comm/message/crqu
/index.php/comm/returns/configureproduct
/index.php/customerconnect/rfqs/configureproduct
/index.php/emaildirect/abandoned/restore
/index.php/freegift/cart/gurlgift
/index.php/madecache/varnish/esi
/index.php/qquoteadv/download/downloadCustomOption
/index.php/simplebundle/Cart/add
/index.php/supplierconnect/orders/update
/index.php/supplierconnect/rfq/update
/index.php/vendors/credit/withdraw/review
/madecache/varnish/esi
/qquoteadv/download/downloadCustomOption
/simplebundle/Cart/add
/supplierconnect/orders/update
/supplierconnect/rfq/update
/vendors/credit/withdraw/review
/webgility1234/webgility-magento.php
/webgility123/webgility-magento.php
/webgility_12/webgility-magento.php
/webgility_13/webgility-magento.php
/webgility_1/webgility-magento.php
/webgility1/webgility-magento.php
/webgility_2/webgility-magento.php
/webgility2/webgility-magento.php
/webgility_3/webgility-magento.php
/webgility3/webgility-magento.php
/webgility_bk/webgility-magento.php
/webgility_dev/webgility-magento.php
/webgilitydev/webgility-magento.php
/webgility/webgility-magento.php
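The two probe lists above (the extension routes from the first comment and the webgility directory guessing from this one) are useful as a detection signature. The script below is an added example, not code from the magevulndb project or from anyone in this thread: it parses Apache/nginx combined-format access log lines, normalizes the request path (so `//.env` and `/.env` match), and reports source IPs that touched several distinct probe routes, separating routes that returned 404 from routes that did not. The latter is the check this issue could not make: a non-404 on a probe route means the extension is actually installed. The log lines are constructed for the example; the source IPs and user agent are the ones quoted in the issue, and the route subset is taken from the lists above.

```python
"""Flag Magento extension-route probing in a combined-format access log (added example)."""
import re
from collections import defaultdict

# Subset of the probe routes from this issue, normalized (no query string, no trailing slash).
PROBE_ROUTES = {
    "/.env",
    "/advancednewsletter/index/test",
    "/ajaxreviews/index/getReviews",
    "/autocompleteplus/Products/checkinstall",
    "/index.php/abandonedorder/index/key",
    "/index.php/M2ePro/adminhtml_ebay_listing",
    "/index.php/webforms/index/iframe",
    "/madecache/varnish/esi",
    "/qquoteadv/download/downloadCustomOption",
}
# The webgility probes guess the directory name, so match the file under any directory.
PROBE_PATTERNS = (re.compile(r"/webgility-magento\.php$"),)

# Apache/nginx "combined" log line: ip ident user [ts] "req" status size "referer" "ua"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def normalize_path(target):
    """Drop the query string, collapse repeated slashes (//.env -> /.env), drop trailing slash."""
    path = re.sub(r"/{2,}", "/", target.split("?", 1)[0])
    return path.rstrip("/") or "/"


def is_probe(path):
    """True if a normalized path is one of the known probe routes."""
    return path in PROBE_ROUTES or any(p.search(path) for p in PROBE_PATTERNS)


def parse_line(line):
    """Return (ip, normalized_path, status, user_agent), or None if the line does not parse."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None
    return m["ip"], normalize_path(m["target"]), int(m["status"]), m["ua"]


def find_scanners(lines, min_distinct=3):
    """Return {ip: {"paths": [...], "found": [...]}} for IPs that hit >= min_distinct probe routes.

    "found" lists probe routes that returned something other than 404: those
    extensions are present on the site and should be checked against the list.
    The threshold keeps a single customer hit on an installed module out of the report.
    """
    hits = defaultdict(dict)  # ip -> {path: set(statuses)}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, status, _ua = parsed
        if is_probe(path):
            hits[ip].setdefault(path, set()).add(status)
    report = {}
    for ip, paths in hits.items():
        if len(paths) < min_distinct:
            continue
        report[ip] = {
            "paths": sorted(paths),
            "found": sorted(p for p, st in paths.items() if any(s != 404 for s in st)),
        }
    return report


# Constructed sample log. IPs and user agent are the ones quoted in the issue; 203.0.113.5 is a
# made-up legitimate visitor using an installed module, which must not be flagged.
UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0"
SAMPLE_LOG = [
    f'185.254.120.74 - - [10/Dec/2018:03:14:07 +0000] "GET /advancednewsletter/index/test HTTP/1.1" 404 1234 "-" "{UA}"',
    f'185.254.120.74 - - [10/Dec/2018:03:14:08 +0000] "GET /ajaxreviews/index/getReviews/ HTTP/1.1" 404 1234 "-" "{UA}"',
    f'185.254.120.74 - - [10/Dec/2018:03:14:08 +0000] "GET //.env HTTP/1.1" 404 1234 "-" "{UA}"',
    f'185.254.120.74 - - [10/Dec/2018:03:14:09 +0000] "GET /index.php/webforms/index/iframe/ HTTP/1.1" 200 5120 "-" "{UA}"',
    f'137.74.21.194 - - [11/Dec/2018:09:01:00 +0000] "GET /webgility_bk/webgility-magento.php HTTP/1.1" 404 1234 "-" "{UA}"',
    f'137.74.21.194 - - [11/Dec/2018:09:01:01 +0000] "GET /webgility/webgility-magento.php HTTP/1.1" 404 1234 "-" "{UA}"',
    f'137.74.21.194 - - [11/Dec/2018:09:01:02 +0000] "GET /madecache/varnish/esi HTTP/1.1" 404 1234 "-" "{UA}"',
    f'203.0.113.5 - - [11/Dec/2018:09:05:00 +0000] "GET /index.php/webforms/index/iframe/ HTTP/1.1" 200 5120 "https://example.test/" "Mozilla/5.0"',
    f'203.0.113.5 - - [11/Dec/2018:09:05:01 +0000] "GET /customer/account/login/ HTTP/1.1" 200 7000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, info in find_scanners(lines).items():
        print(f"{ip}: {len(info['paths'])} probe routes, installed: {info['found'] or 'none'}")
```

Run it with a real access log as the first argument, or with no argument to see the constructed sample: 185.254.120.74 and 137.74.21.194 are reported as scanners, and the webforms route is listed as installed for the first one, while 203.0.113.5 stays out of the report because it only touched one route. Extend PROBE_ROUTES with the rest of the lists from this issue; the normalization is what lets the `/index.php/...` and bare-route variants from the second list share one entry.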
rhoerr commented 5 years ago

With https://github.com/gwillem/magevulndb/pull/23 being merged, should we consider expanding the list with any of those probes that are likely to be module routes and are not already covered?

It'll make for noise on the list that isn't necessarily actually a vulnerable module, but that's probably preferable to things slipping through the cracks. We can fill the info in if/when we do hear from people using them.

I'll prep a PR with them at some point, if so.

AlterWeb commented 5 years ago

I scanned all our customers' Magento shops for the routes listed by @gwillem. All the matches that I found are pointing to a vulnerability in the sense that they lead to the Magento admin panel without knowing the URL of the admin panel. This vulnerability should be fixed by the SUPEE-6788 patch, but because this feature is disabled by default (and a lot of owners leave it this way because modules stop working after they enable it) this can be used to track down the admin URL for many installations.

I don't know if we have to add those modules to the list because it is just a first step to get into the admin panel. After finding the admin URL they still have to guess or brute-force the user credentials. If you think we should add those modules I can make a PR with modules that we know of having this problem (there are a lot more than just the URLs mentioned here). If not, I think you can exclude the following URLs from this list because they don't have another vulnerability as far as I can tell (or at least in the versions we have):

/index.php/admin_awautorelated/adminhtml_blocksgrid/
/index.php/Organizer/Task/List/
/index.php/ExtensionConflict/Admin/List/index/
/index.php/awall_admin/additional/index/
/index.php/AdvancedStock_Misc/MassStockEditor/key/
/index.php/AdvancedStock/Products/Grid/
/index.php/Scanner/index/index/
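The scan @AlterWeb describes can be automated against a Magento 1 code tree. In Magento 1 an extension that declares its own router with `<use>admin</use>` under `<admin><routers>` (or `<frontend><routers>`) gets its admin controllers served at `/index.php/<frontName>/adminhtml_<controller>/...` regardless of the real admin path, which is exactly the shape of the probe URLs in this thread; the post-SUPEE-6788 way is to hang the controllers off the core `adminhtml` router via `<args><modules>`. The script below is an added example, not AlterWeb's scanner and not part of magevulndb: it parses every `app/code/*/*/*/etc/config.xml` and reports routers of the first kind. The two config.xml samples are constructed for it and `Example_Faq` is a made-up module.

```python
"""Find Magento 1 extensions whose admin controllers answer under their own frontname (added example)."""
import os
import sys
import xml.etree.ElementTree as ET

# The core routers; anything else with <use>admin</use> is an extension exposing admin controllers.
CORE_ADMIN_ROUTERS = {"admin", "adminhtml"}


def exposed_admin_routers(config_xml):
    """Return [(router_name, frontName, module)] for custom routers that use the admin router class.

    Both <admin><routers> and <frontend><routers> are checked, since extensions
    have registered admin controllers in either area.
    """
    root = ET.fromstring(config_xml)
    hits = []
    for area in ("admin", "frontend"):
        for router in root.findall(f"./{area}/routers/*"):
            if router.tag in CORE_ADMIN_ROUTERS:
                continue
            if (router.findtext("use") or "").strip() != "admin":
                continue
            front = (router.findtext("args/frontName") or router.tag).strip()
            module = (router.findtext("args/module") or "").strip()
            hits.append((router.tag, front, module))
    return hits


def probe_url(front_name, controller="index", action="index"):
    """URL shape a scanner tries for such a router, e.g. /index.php/faq/adminhtml_faq/index/."""
    return f"/index.php/{front_name}/adminhtml_{controller}/{action}/"


def scan_tree(magento_root):
    """Walk app/code and return {config.xml path: hits} for every module that has hits."""
    results = {}
    for dirpath, _dirs, files in os.walk(os.path.join(magento_root, "app", "code")):
        if "config.xml" not in files or os.path.basename(dirpath) != "etc":
            continue
        path = os.path.join(dirpath, "config.xml")
        try:
            with open(path, encoding="utf-8") as fh:
                hits = exposed_admin_routers(fh.read())
        except ET.ParseError as exc:
            print(f"skip {path}: {exc}", file=sys.stderr)
            continue
        if hits:
            results[path] = hits
    return results


# Constructed sample: a made-up module registering its admin controllers under the "faq" frontname.
EXPOSED_CONFIG = """<?xml version="1.0"?>
<config>
  <modules><Example_Faq><version>1.0.0</version></Example_Faq></modules>
  <admin>
    <routers>
      <faq>
        <use>admin</use>
        <args>
          <module>Example_Faq</module>
          <frontName>faq</frontName>
        </args>
      </faq>
    </routers>
  </admin>
</config>
"""

# Constructed sample: the same module done the SUPEE-6788-compatible way, under the core adminhtml router.
SAFE_CONFIG = """<?xml version="1.0"?>
<config>
  <modules><Example_Faq><version>1.0.0</version></Example_Faq></modules>
  <admin>
    <routers>
      <adminhtml>
        <args>
          <modules>
            <Example_Faq before="Mage_Adminhtml">Example_Faq_Adminhtml</Example_Faq>
          </modules>
        </args>
      </adminhtml>
    </routers>
  </admin>
</config>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, hits in scan_tree(sys.argv[1]).items():
            for name, front, module in hits:
                print(f"{path}: router {name} ({module}) reachable at {probe_url(front)}")
    else:
        print("exposed:", exposed_admin_routers(EXPOSED_CONFIG))
        print("safe:   ", exposed_admin_routers(SAFE_CONFIG))
```

Point it at a Magento 1 document root to get the list of routers that leak the admin frontname; with no argument it shows the constructed exposed and safe configurations. It only inspects config.xml, so an extension that ships admin controllers under a plain `<use>standard</use>` frontend router will not be caught and still needs a look at its controller classes.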

gwillem commented 5 years ago

I agree with @AlterWeb to not add modules to the vulnerability list that are merely exposing the admin frontname.