Magento <= 1.9.2 (catalogProductCreate) Autoloaded File Inclusion Vulnerability

<p><b>[-] Software Link:</b></p><p><a href="http://magento.com/" rel="nofollow">http://magento.com/</a></p><p><br></p><p><b>[-] Affected Versions:</b></p><p>Version 1.9.2 and prior versions.</p><p><br></p><p><b>[-] Vulnerability Description:</b></p><p>The vulnerability is caused by the "catalogProductCreate" SOAP API implementation,</p><p>which is defined into the /app/code/core/Mage/Catalog/Model/Product/Api/V2.php script:</p><p><br></p><pre class="">109. public function create($type, $set, $sku, $productData, $store = null) 110. { 111. if (!$type || !$set || !$sku) { 112. $this-&gt;_fault('data_invalid'); 113. } 114. 115. $this-&gt;_checkProductTypeExists($type); 116. $this-&gt;_checkProductAttributeSet($set); 117. 118. /** @var $product Mage_Catalog_Model_Product */ 119. $product = Mage::getModel('catalog/product'); 120. $product-&gt;setStoreId($this-&gt;_getStoreId($store)) 121. -&gt;setAttributeSetId($set) 122. -&gt;setTypeId($type) 123. -&gt;setSku($sku); 124. 125. if (!property_exists($productData, 'stock_data')) { 126. //Set default stock_data if not exist in product data 127. $_stockData = array('use_config_manage_stock' =&gt; 0); 128. $product-&gt;setStockData($_stockData); 129. }<br></pre><p><br></p><p>User input passed through the "productData" SOAP parameter is not properly validated before being<br></p><p>used in a call to the "property_exists()" function at line 125. This can be exploited by attackers</p><p>with valid API credentials to include and execute arbitrary PHP code (both from local or remote</p><p>resources) leveraging the Varien_Autoload::autoload() autoloading function. Successful exploitation</p><p>of this vulnerability requires the application running on PHP before version 5.4.24 or 5.5.8.</p><p><br></p><p><b>[-] Solution:</b></p><p>Update to version 1.9.2.1 or apply the SUPEE-6482 patch bundle.</p><p><br></p><p><b>[-] Disclosure Timeline:</b></p><p>[27/02/2015] - Vendor notified</p><p>[25/06/2015] - Vendor acknowledgement stating the issue will be fixed in the next release</p><p>[04/08/2015] - Version 1.9.2.1 released along with the patch for this vulnerability</p><p>[13/08/2015] - CVE number requested</p><p>[17/08/2015] - CVE number assigned</p><p>[11/09/2015] - Public disclosure</p><p><br></p><p><b>[-] CVE Reference:</b></p><p>The Common Vulnerabilities and Exposures project (cve.mitre.org)</p><p>has assigned the name CVE-2015-6497 to this vulnerability.</p><p><br></p><p><b>[-] Credits:</b></p><p>Vulnerability discovered by Egidio Romano of Minded Security.</p><p><br></p><p><b>[-] Original Advisory:</b></p><p><a href="http://karmainsecurity.com/KIS-2015-04" rel="nofollow">http://karmainsecurity.com/KIS-2015-04</a></p>