Magento 2.0.1 Security Update

During customer registration on the storefront, a user can provide a user name that contains JavaScript code. Magento does not properly validate this name and executes it in the Admin context when editing the user in the backend. This JavaScript code could potentially steal the administrator session or act on behalf of a store administrator.

With access to any CMS functionality, a user with administrator permissions can use blocks to access information stored in cache. This information includes store configuration, encryption keys, and database connection details. In some cases, a user might be able to execute code.

A user can append comments to an order using a specially crafted request that relies upon the PayFlow Pro payment module. Magento does not filter the request properly, which potentially results in JavaScript code being saved in database (see issue APPSEC-1240) and then executed server-side when the administrator tries to view the order. This attack can lead to a takeover of the administrator session or executing actions on behalf of administrator.

You can manipulate query parameters to cause blind SQL injection. Blind SQL injection allows a user to test names or values of database fields, or to download the values of database fields in small chunks and, as a result, use multiple queries to download (but not modify) important parts of Magento database.

The guest order view protection code makes it possible to access guest order information for some orders. (This is due to how the code is generated and compared with stored values.) While the attack cannot target a specific order or allow a user to view all orders, it can be used to extract order information from store.

When using products with custom option for file upload, a user can upload a file with a file name that contains JavaScript code. This code could be executed in the Admin Panel context by editing the quote that contains the product, allowing both for the takeover of an administrator session or for an unauthorized user to execute malicious actions on behalf of an administrator.

Insufficient verification of request parameters allows any user to delete or edit product reviews. The edited reviews are returned to a pending state. This attack does not depend on setting allowing guest users to post reviews. As a result, a malicious user could access the store for spamming purposes or delete all reviews from store.

A user can bypass CAPTCHA validation on the Magento frontend, which enables unrestricted password guessing attempts. Even with CAPTCHA protection enabled, this increases the risk of spam or password guessing attacks on customer accounts.

Magento sends an unfiltered form key cookie value to the web server as part of the request, and the cookie value is reflected back as part of the form. Reflected XSS issues can lead to attacks in which a trusted site is used in phishing or spam campaigns (for example, redirecting a user to a phishing site).

Magento does not validate the form key when deleting items from the shopping cart using a GET request. As a result, a user could use phishing emails or other malicious attacks to trick a customer into deleting items from his cart.

JavaScript code that is passed using the Payflow Pro payment module is not sanitized but is saved to the database. This issue by itself is not a security risk. (This issue is related to APPSEC-1239.)

A user can easily bypass the MaliciousCode filter function when entering HTML code. However, Magento rarely uses this filter, and none of its current usages allow unauthenticated user input.