Question

From the 1.8CE Alpha release notes:

The Magento web store has additional Cross Site Request Forgery (CSRF) protections, meaning an imposter can no longer impersonate a newly registered customer and perform actions on the customer's behalf.

and:

In earlier versions, Magento was vulnerable to a session fixation attack during the registration process. After logging in to their account, a registered user's session ID did not change. Therefore, if an attacker had knowledge of an unauthorized session ID and if that user successfully registers, the attacker was able to take over the newly registered account. Now, the session ID changes after successful registration, making unauthorized use of an account impossible.

If this is in the release notes, and I don't see a point-release on prior versions addressing this (am I looking in the wrong place?) - then does that mean that current pre-1.8 stores are potentially open to these attack vectors?

Source: http://www.magentocommerce.com/knowledge-base/entry/ce-18-later-release-notes


Solution

In short, yes. CE 1.7 is still vulnerable to those specific attacks because no security release has been issued which contains a patch.

In the case of the latter one, a session fixation attack, the change is an upgrade in the security practices which Magento already used, to stay in line with current security best practices. It is not something likely to be issued to CE 1.7 even if they do issue a patch with the CSRF fixes.

The real question is what exactly were these CSRF vulnerabilities which were fixed? Doubtless a good thing that they did not include specifics in the release notes, thus further jeopardizing all prior releases, but it would be nice to know for the sake of patching old implementations.

UPDATE #1: Upon reaching out to Magento to find out when they will be issuing patches for the above vulnerabilities, I received the following reply:

Allow me some time to research this further. I'm not sure if there are patches available for those two items, as they are listed in our system as product enhancements and not as bugs. I'll update you when I get more information.

I'll post back further details here as I get them, and will be doing my best to get patches issued since it seems that there are not currently any patches in existence.

UPDATE #2: After back and forth with the support team, I was able to obtain a proper patch for Magento EE 1.12.0.2. No patch was issued for Magento CE 1.7.0.2, and as far as the technician who looked into it internally for me knows, there are no plans to release an official patch for CE 1.7.x; instead the issues will be resolved only in the upcoming CE 1.8 stable release.

As for the EE specific patch file, I cannot post it (or the patch application tool) here directly since it would most undoubtedly be in violation of NDA between Magento and myself personally and the company for which I work. The name of the relevant patch is: "PATCH_SUPEE-1513_EE_1.12.0.2_v1.sh" — If you have the Enterprise Edition or a client using it, you should be able to request this patch from the Magento support team along with a note about the CSRF vulnerabilities which it is supposed to fix.

For CE 1.7.0.2 users, I've taken the liberty of generating a patch file (based on the patch provided by Magento) which includes only the hunks of code which alter Magento CE 1.7.0.2 core code files. In normal fashion, it includes irrelevant bits of added comments and adjusted formatting along with the relevant code changes. Creating this required manually altering the original patch to apply it using the provided patch-applying tool, then using git to generate a patch based on the applied changes.

The patch file which I've created can be downloaded from this gist: https://gist.github.com/davidalger/5938568

To apply the patch, first cd into the root of your Magento installation and run the following command: patch -p1 -i ./Magento_CE_1.7.0.2_v1-CSRF_Patch.diff

The EE-specific patch included form key validation checks for Enterprise-specific controllers, alterations to enterprise/default and enterprise/iphone template files to include form keys in the forms being used for the patched controller actions, and additional Full Page Cache functionality to properly account for passing form keys back and forth on cached pages.

DISCLAIMER: I have NOT TESTED either the EE patch provided by Magento or the patch I've uploaded to the linked gist. The patch provided in the referenced gist is provided with NO WARRANTY and may or may not fully resolve the vulnerabilities referenced in the CE 1.8 release notes. As an untested patch, there is also no guarantee that it functions in whole or in part. I.e. use at your own risk, and take due diligence to test before deploying to a production environment. If you find issues with the patch, let me know and I'll update it.
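To make the two release-note items concrete, the following is an added illustration (editor's example, not code from the answer above, from the gist, or from Magento core). It models the server-side session handler with an in-memory SessionStore class so it runs from the PHP CLI with no store installed; the Magento 1.x method names mentioned in the comments (renewSession(), _validateFormKey(), setCustomerAsLoggedIn()) are given for orientation only and should be confirmed against your own tree. The customer e-mail, the session ids and the form keys are all constructed inside the script. It shows why keeping the pre-login session id lets whoever planted that id read the new account, why regenerating the id after registration closes that door, and what a synchronizer-token (form_key) check on a state-changing POST looks like.

```php
<?php
// Stand-in for PHP's session save handler: session id => session data.
// Constructed for this example only; not Magento code.
final class SessionStore
{
    /** @var array<string, array<string, mixed>> */
    private array $sessions = [];

    public function newId(): string
    {
        // 128 bits of CSPRNG output, hex encoded.
        return bin2hex(random_bytes(16));
    }

    public function open(string $id): array
    {
        return $this->sessions[$id] ?? [];
    }

    public function save(string $id, array $data): void
    {
        $this->sessions[$id] = $data;
    }

    // Equivalent of session_regenerate_id(true), which Magento 1.x's
    // renewSession() wraps: move the data to a fresh id and drop the old one.
    public function regenerate(string $oldId): string
    {
        $newId = $this->newId();
        $this->sessions[$newId] = $this->sessions[$oldId] ?? [];
        unset($this->sessions[$oldId]);
        return $newId;
    }
}

// Registration the way the release notes describe pre-1.8 behaviour:
// the id the browser arrived with is kept after the customer is logged in.
function registerVulnerable(SessionStore $store, string $sid, string $email): string
{
    $data = $store->open($sid);
    $data['customer_email'] = $email;   // what setCustomerAsLoggedIn() persists
    $store->save($sid, $data);
    return $sid;                        // same id before and after login
}

// Registration the way CE 1.8 does it: regenerate the id once the login succeeds.
function registerFixed(SessionStore $store, string $sid, string $email): string
{
    $data = $store->open($sid);
    $data['customer_email'] = $email;
    $store->save($sid, $data);
    return $store->regenerate($sid);    // fresh id; the planted one no longer resolves
}

// Whoever presents $sid is treated as this customer (null = anonymous).
function loggedInCustomer(SessionStore $store, string $sid): ?string
{
    return $store->open($sid)['customer_email'] ?? null;
}

// Hand the customer's session a per-session token to embed in forms.
function issueFormKey(SessionStore $store, string $sid): string
{
    $data = $store->open($sid);
    $data['form_key'] = bin2hex(random_bytes(8));
    $store->save($sid, $data);
    return $data['form_key'];
}

// Synchronizer-token check, the job _validateFormKey() does on a controller action:
// the POSTed form_key must match the one stored in the presenting session.
// hash_equals() gives a constant-time comparison; a missing key fails closed.
function validateFormKey(SessionStore $store, string $sid, array $post): bool
{
    $expected = $store->open($sid)['form_key'] ?? null;
    $supplied = $post['form_key'] ?? null;
    return is_string($expected) && is_string($supplied) && hash_equals($expected, $supplied);
}

$store = new SessionStore();

// Session fixation: the attacker already knows $planted and has got the victim's
// browser to use it (how that is done is outside this example). The victim then registers.
$planted = $store->newId();
$store->save($planted, []);
registerVulnerable($store, $planted, 'victim@example.com');
printf("pre-1.8: the planted id now resolves to: %s\n",
    loggedInCustomer($store, $planted) ?? 'nobody');

$planted = $store->newId();
$store->save($planted, []);
$victimSid = registerFixed($store, $planted, 'victim@example.com');
printf("CE 1.8 : the planted id resolves to: %s; the victim's new id resolves to: %s\n",
    loggedInCustomer($store, $planted) ?? 'nobody',
    loggedInCustomer($store, $victimSid) ?? 'nobody');

// CSRF: a form the store rendered carries the key; a cross-site POST cannot know it.
$key = issueFormKey($store, $victimSid);
printf("own form       : %s\n", validateFormKey($store, $victimSid, ['form_key' => $key]) ? 'accepted' : 'rejected');
printf("cross-site POST: %s\n", validateFormKey($store, $victimSid, []) ? 'accepted' : 'rejected');
printf("guessed key    : %s\n", validateFormKey($store, $victimSid, ['form_key' => 'guess']) ? 'accepted' : 'rejected');
```

Run it with `php fixation.php`. The regeneration step is the whole session fixation fix: the attacker's advantage was knowing the id in advance, and a fresh id issued only after the credentials were accepted is one they cannot have. The form key is only a defence if every state-changing controller action checks it and every form that targets such an action carries it, which is why the EE patch touches both controllers and templates (and the full page cache, which would otherwise serve one visitor's form key to another).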

Other tips

I'm not 100% sure because I wasn't able to reproduce the issue but

meaning an imposter can no longer impersonate a newly registered customer

means that until now 'an imposter' could impersonate a newly registered customer.
I hope it is just 'semantics' but I think it means what you fear it means.

License: CC-BY-SA with attribution
Not affiliated with magento.stackexchange