Peter O'Callaghan
Thoughts on Development, Magento and Security

Magento CSRF vulnerability via Adobe Flex

July 13, 2016 Magento

I recently became aware of a vulnerability that appears to be present in a relatively high percentage of Magento stores, including stores that have applied all security patches released by Magento. The vulnerability is caused by three Flash files having been compiled with a vulnerable version of Flex. The underlying issue in Flex was assigned CVE-2011-2461, and you can find a good explanation of it on the mindedsecurity blog.

Magento officially addressed the issue in the release of CE 1.9.1.0 by removing editor.swf and updating the version of Flex used to compile uploader.swf and uploaderSingle.swf. There was, however, very little publicised information about the issue, either at the time or since. In fact, the only reference I can find to the issue on the official Magento site is the statement “Removed an .swf file from the Magento distribution because of security issues.” in the EE 1.14 release notes. This means that anybody on a core version of Magento older than 1.9.1.0 is likely vulnerable even if all security patches are applied. Stores using newer versions of Magento may also be vulnerable if their deployment strategy means that the editor.swf file was not removed.
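The two facts above (a core version older than 1.9.1.0, and the three named SWF files) can be turned into a simple audit. The following Python script is an added example and is not code from the original post or from Magento: it compares a version string supplied by the operator against 1.9.1.0 and inventories any editor.swf, uploader.swf or uploaderSingle.swf found under a document root. The sample paths embedded in it are constructed for the demo and are not the real locations of these files within a Magento install.

```python
import os
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Facts from the post: editor.swf was dropped in CE 1.9.1.0, and the two
# uploader SWFs were recompiled with a fixed Flex in that same release.
REMOVED_IN_FIX = {"editor.swf"}
RECOMPILED_IN_FIX = {"uploader.swf", "uploaderSingle.swf"}
FIXED_VERSION = (1, 9, 1, 0)


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn a dotted version such as '1.9.0.1' into a 4-tuple so that
    comparisons are numeric ('1.10.0.0' sorts after '1.9.1.0')."""
    parts = [int(p) for p in version.strip().split(".") if p]
    parts += [0] * (4 - len(parts))
    return tuple(parts[:4])


def core_older_than_fix(version: str) -> bool:
    """True for any core version below 1.9.1.0; per the post these ship the
    vulnerable builds regardless of which security patches were applied."""
    return parse_version(version) < FIXED_VERSION


def classify_swfs(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Bucket file paths by which of the three named SWFs they are."""
    found: Dict[str, List[str]] = {"editor": [], "uploader": []}
    for p in paths:
        name = Path(p).name
        if name in REMOVED_IN_FIX:
            found["editor"].append(p)
        elif name in RECOMPILED_IN_FIX:
            found["uploader"].append(p)
    return found


def list_swfs(docroot: str) -> List[str]:
    """Walk a real document root and return every .swf path relative to it."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for f in files:
            if f.lower().endswith(".swf"):
                hits.append(os.path.relpath(os.path.join(dirpath, f), docroot))
    return hits


def assess(version: str, swf_paths: Iterable[str]) -> Dict[str, object]:
    """Combine the version check with the file inventory into one report."""
    found = classify_swfs(swf_paths)
    old_core = core_older_than_fix(version)
    # editor.swf has no fixed build: its presence on any version is a finding
    # (on a new core it means the deploy never deleted the file).
    editor_present = bool(found["editor"])
    # On an old core the uploader SWFs are the vulnerable compile. On a new
    # core they are expected; a path-only check cannot prove they were
    # actually replaced, so they are reported separately for manual review.
    uploaders_present = bool(found["uploader"])
    return {
        "core_older_than_fix": old_core,
        "editor_swf_present": editor_present,
        "uploader_swfs_present": uploaders_present,
        "likely_vulnerable": editor_present or (old_core and uploaders_present),
        "files": found,
    }


# Constructed sample inventory for the demo: these are NOT the real locations
# of the files inside a Magento install.
SAMPLE_OLD_STORE = [
    "js/example/editor.swf",
    "js/example/uploader.swf",
    "js/example/uploaderSingle.swf",
    "js/example/unrelated.js",
]


if __name__ == "__main__":
    print(assess("1.9.0.1", SAMPLE_OLD_STORE))
    # To audit a real checkout:
    #   assess("<your core version>", list_swfs("/path/to/magento/docroot"))
```

The report deliberately keeps `uploader_swfs_present` as a separate flag: on a store that has upgraded past 1.9.1.0 the uploader files are supposed to exist, and only comparing them against the files shipped in the upgraded release (by hash or modification time) tells you whether the deploy actually replaced the old, vulnerable compiles.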

The potential severity of this issue is quite high. Since it allows a bypass of the same-origin policy (SOP), if a user of your site navigates to a third-party site in a browser while logged into your site, that third-party site can potentially read the contents of pages on your site as that user (customer account pages, or admin pages in the case of admins). This makes it possible to extract the form key from the page and perform further attacks, completely bypassing the protection that the CSRF form_key adds.

    Copyright © 2012 All Rights Reserved - peterocallaghan.co.uk