The 2015 Pwnie Nominee For Best Server-Side Bug


Credit: Netanel Rubin

Netanel took the most popular e-commerce platform in the world, holding 30% of the web’s online shops, and ripped them a new one, with a vulnerability in Magento core, affecting default installations (or practically any installation) since 2009. The exploit itself is built on a cascade of vulnerabilities in Magento’s reflection and dynamic code loading mechanisms (all discovered by Rubin), and concludes with the cunningly innovative detection dodging technique of running code using PHP’s ‘phar://’ stream wrapper. The exploit, allowing silent unauthenticated remote code execution on hundreds of thousands of online shops, was dubbed “Shoplift”, and awarded the maximum allowed bounty per the eBay (Magento owners) program – 20,000 USD, wreaking havoc in the e-commerce admin world. Recent Magento compromises may be attributed to these findings. On top of it all, the public disclosure and exploit were released on the day of Magento’s annual developer conference.