
Polyshell Vulnerability

Polyshell is a Magento 2 vulnerability present in all current versions of Magento 2 (including 2.4.8-p4). It allows an attacker to abuse the product custom options functionality to upload malicious files to the server, which in turn can be used to achieve remote code execution (RCE) on misconfigured servers.

How to check if your store is Vulnerable to Polyshell

RCE Vulnerability

  1. Create a file under pub/media/custom_options/polyshell.php with the following content:
     <?php echo 'PolyShell Test'; ?>
  2. Attempt to access the file via the browser at https://yourstore.com/media/custom_options/polyshell.php.
  3. If you can access the file and see the “PolyShell Test” message, then you are vulnerable to RCE and need to adjust your server configuration to prevent execution of untrusted PHP files.

File Upload Vulnerability

You are vulnerable if the following conditions apply:

  • You are not running a proactive WAF such as Sansec Shield
  • You are running a version of Magento below 2.4.9-alpha3 / 2.4.9-beta1
  • You have not manually patched the vulnerability (see next section for patching details)

How to patch PolyShell

RCE Mitigation

  1. Cross-reference your nginx configuration with the official distributed sample configuration. Specifically, the following sections are what protect you against this attack:
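As an added illustration (not the page's own list of sections, and not a copy of Magento's file), the directives below show the shape of the relevant blocks in Magento's distributed nginx.conf.sample beside a common catch-all handler that undoes them; compare against the actual sample shipped with your Magento version, and note that the `fastcgi_backend` upstream name and the `^~` modifier are assumptions of this example.

```nginx
# --- Weak: a catch-all PHP handler (common in generic LEMP templates) ---
# nginx evaluates regex locations after prefix matches and the first regex
# that matches wins, so this block claims /media/custom_options/<upload>.php
# and hands the uploaded file to PHP-FPM for execution.
location ~ \.php$ {
    fastcgi_pass   fastcgi_backend;   # assumed upstream name
    fastcgi_index  index.php;
    fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include        fastcgi_params;
}

# --- Hardened: the shape used by Magento's nginx.conf.sample (abbreviated) ---
# 1. Only the application's own entry points are ever passed to PHP-FPM.
#    Anything else ending in .php never reaches this block.
location ~ ^/(index|get|static|errors/report|errors/404|errors/503|health_check)\.php$ {
    try_files $uri =404;
    fastcgi_pass   fastcgi_backend;   # assumed upstream name
    fastcgi_index  index.php;
    fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include        fastcgi_params;
}

# 2. Upload directories are never served directly. The sample uses plain
#    prefix blocks; the ^~ modifier added here makes the prefix match final,
#    so a stray catch-all regex elsewhere in the config cannot claim them.
location ^~ /media/custom_options/ {
    deny all;
}
location ^~ /media/customer/ {
    deny all;
}
location ^~ /media/downloadable/ {
    deny all;
}
location ^~ /media/import/ {
    deny all;
}

# 3. Any other path that looks like PHP (or a sensitive dotfile) is refused.
#    Reached only when the entry-point regex in block 1 did not match, so
#    it must come after that block in the file.
location ~* (\.php$|\.phtml$|\.htaccess$|\.htpasswd$|\.git) {
    deny all;
}
```

After changing the configuration, run `nginx -t` and repeat the manual polyshell.php check from the previous section to confirm the file is now refused rather than executed.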

File Upload Mitigation

  1. Run a proactive WAF such as Sansec Shield.
  2. Patch your codebase with one of the following approaches, depending on your preferences:

Ansible task to help check at scale

# tasks/healthchecks/security/polyshell.yml
# Reproduces the manual RCE check above for every store in the inventory:
# drop a harmless marker PHP file into the custom options upload directory,
# request it over HTTPS, and fail the play if the web server served it.
---
- name: Create our PolyShell test file
  tags: polyshell
  # Runs on the store host; project_root must point at the Magento install root.
  # The marker file is not removed afterwards, so clean it up once you are done.
  ansible.builtin.copy:
    dest: "{{ project_root }}/pub/media/custom_options/polyshell-test.php"
    content: "<?php echo 'PolyShell Test'; ?>"

- name: Check if we can access the PolyShell test file
  tags: polyshell
  delegate_to: localhost
  # Keep the response whatever the status code; the next task decides pass/fail
  register: polyshell_response
  failed_when: false
  ansible.builtin.uri:
    url: "https://{{ project_domain }}/media/custom_options/polyshell-test.php"
    method: GET
    return_content: true
    # Certificate validation is skipped so stores with self-signed or staging
    # certificates can still be checked; TLS validity is not what is being tested
    validate_certs: false
    http_agent: "SamJUK-Healthcheck/1.0"

- name: Assert PolyShell Vulnerability Status
  tags: polyshell
  delegate_to: localhost
  ansible.builtin.assert:
    that:
      # Safe only when the file was refused (non-200) or the marker text is absent.
      # A 200 containing the marker fails the check whether PHP executed the file
      # or the server handed back the raw source; both mean the upload directory
      # is reachable and the nginx deny rules are missing.
      - polyshell_response.status != 200 or 'PolyShell Test' not in polyshell_response.content
    fail_msg: "Store is VULNERABLE to PolyShell. See: https://www.samdjames.uk/docs/platforms/magento/security/polyshell/ for details."
    success_msg: "Store is NOT vulnerable to PolyShell."