CVE-2021-33353
📋 TL;DR
This CVE describes a directory traversal vulnerability in the Wyomind Help Desk extension for Magento 2 that allows attackers to execute arbitrary code via the file attachment directory settings. Attackers can exploit this to upload malicious files outside the intended directories, potentially leading to remote code execution. All Magento 2 installations running Wyomind Help Desk extension versions 1.3.6 and earlier are affected.
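The defensive pattern behind this class of bug is to canonicalise a configured attachment directory and refuse anything that resolves outside the permitted base. The following is an added example in Python, not code from the page or from the Wyomind extension; the base path, the `tickets/...` subdirectory values and the function names are constructed for illustration.

```python
import os
from typing import Optional

# Constructed example base directory for help desk attachments
# (hypothetical; not the extension's real storage path).
ATTACHMENT_BASE = "/srv/magento/var/helpdesk/attachments"


def resolve_attachment_dir(base: str, configured: str) -> Optional[str]:
    """Resolve a configured attachment subdirectory under `base`.

    Returns the canonical absolute path, or None when the setting would
    escape the base (via '..', an absolute path, or a symlink).
    """
    base_real = os.path.realpath(base)
    # Join first, then canonicalise so '..' segments and symlinks collapse.
    # Note: os.path.join discards `base` if `configured` is absolute, which
    # the confinement check below then rejects.
    candidate = os.path.realpath(os.path.join(base_real, configured))
    # Confinement check: candidate must be the base itself or a descendant.
    # The trailing separator stops a sibling such as '/srv/.../attachmentsX'
    # from passing a plain prefix comparison.
    if candidate != base_real and not candidate.startswith(base_real + os.sep):
        return None
    return candidate


def safe_attachment_path(base: str, subdir: str, filename: str) -> Optional[str]:
    """Build the on-disk path for an uploaded file, rejecting traversal in
    both the directory setting and the filename."""
    directory = resolve_attachment_dir(base, subdir)
    if directory is None:
        return None
    # The filename must be a single path component: no separators, no '..'.
    if filename in ("", ".", "..") or os.path.basename(filename) != filename:
        return None
    return os.path.join(directory, filename)


if __name__ == "__main__":
    # Quick demonstration with constructed settings values.
    for setting in ("tickets/2021", "../../../etc", "/tmp", ""):
        print(repr(setting), "->", resolve_attachment_dir(ATTACHMENT_BASE, setting))
```

If the setting can arrive URL-encoded (the `%2e%2e%2f` form the SIEM query later on this page looks for), decode it once before calling the check rather than comparing raw strings, so that encoding cannot bypass the comparison.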
💻 Affected Systems
- Wyomind Help Desk Magento 2 extension
📦 What is this software?
Help Desk by Wyomind
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise with attacker gaining full control over the Magento installation and underlying server, potentially leading to data theft, ransomware deployment, or use as a foothold for lateral movement.
Likely Case
Remote code execution allowing attackers to deface websites, steal customer data, install backdoors, or deploy cryptocurrency miners.
If Mitigated
Limited impact with proper file system permissions and web application firewalls blocking traversal attempts, potentially resulting only in failed exploitation attempts.
🎯 Exploit Status
Exploitation requires attacker access to file attachment functionality, which typically requires some level of authentication or access to the help desk interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.7
Vendor Advisory: https://www.wyomind.com/magento2/helpdesk-magento-2.html
Restart Required: No
Instructions:
1. Log into the Magento admin panel.
2. Navigate to System > Web Setup Wizard > Extension Manager.
3. Search for Wyomind Help Desk.
4. Update to version 1.3.7 or later.
5. Clear the Magento cache via System > Cache Management.
🔧 Temporary Workarounds
Disable extension
Temporarily disable the Wyomind Help Desk extension until patching is possible:
php bin/magento module:disable Wyomind_HelpDesk
Restrict file upload directory permissions
Set strict permissions on Magento's media and var directories to prevent file execution:
chmod 755 pub/media
chmod 755 var
find pub/media -type f -name '*.php' -exec chmod 644 {} \;
find var -type f -name '*.php' -exec chmod 644 {} \;
🧯 If You Can't Patch
- Implement web application firewall rules to block directory traversal patterns in file upload requests
- Disable file attachment functionality in the Help Desk extension configuration
🔍 How to Verify
Check if Vulnerable:
Check installed extension version via Magento admin panel: Stores > Configuration > Advanced > Advanced > Wyomind Help Desk
Check Version:
php bin/magento module:status | grep Wyomind_HelpDesk
Verify Fix Applied:
Verify extension version shows 1.3.7 or later in Magento admin panel and test file upload functionality with traversal attempts
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to non-standard directories in Magento logs
- Multiple failed file upload attempts with directory traversal patterns
- PHP file executions from unexpected locations in web server logs
Network Indicators:
- HTTP POST requests to file upload endpoints containing '../' or similar traversal sequences
- Unusual outbound connections from Magento server following file uploads
SIEM Query:
source="magento.log" AND ("../" OR "..\\" OR "%2e%2e%2f") AND "upload"
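The SIEM query above expresses the intent; the following is an added Python example (not from the page, the vendor or any SIEM product) that applies the same indicators to web server access logs: POST requests to an upload endpoint whose path contains a traversal sequence after URL decoding (including the doubly-encoded form a single-pass match misses), and successful requests for `.php` files under `pub/media`. The log lines and the `/helpdesk/ticket/upload/` endpoint are constructed sample data, not real traffic or the extension's actual route.

```python
import re
from urllib.parse import unquote

# Traversal sequences matched after decoding: '../' and '..\' (the SIEM
# query's "../", "..\\" and "%2e%2e%2f" all normalise to these).
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")

# Combined-format access log parser: client IP, timestamp, method, path, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (RFC 5737 documentation addresses; hypothetical endpoint).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2021:12:00:01 +0000] "POST /helpdesk/ticket/upload/ HTTP/1.1" 200 512
203.0.113.5 - - [10/Jun/2021:12:00:07 +0000] "POST /helpdesk/ticket/upload/?dir=../../pub/media HTTP/1.1" 200 512
198.51.100.9 - - [10/Jun/2021:12:01:15 +0000] "POST /helpdesk/ticket/upload/?dir=%2e%2e%2f%2e%2e%2fpub HTTP/1.1" 200 512
198.51.100.9 - - [10/Jun/2021:12:01:16 +0000] "POST /helpdesk/ticket/upload/?dir=%252e%252e%252f HTTP/1.1" 200 512
192.0.2.44 - - [10/Jun/2021:12:02:00 +0000] "GET /pub/media/attachment.php HTTP/1.1" 200 77
192.0.2.44 - - [10/Jun/2021:12:02:30 +0000] "GET /catalog/product/view/id/12 HTTP/1.1" 200 9001
"""


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so %252e%252e%252f is seen as '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal_uploads(log_text: str):
    """Return (ip, timestamp, raw_path) for POSTs to an upload endpoint
    whose decoded path contains a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if m["method"] != "POST" or "upload" not in m["path"].lower():
            continue
        if TRAVERSAL_RE.search(decode_fully(m["path"])):
            hits.append((m["ip"], m["ts"], m["path"]))
    return hits


def find_php_in_media(log_text: str):
    """Return (ip, timestamp, path) for successful requests that executed a
    .php file under /pub/media/, where no PHP should live."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = decode_fully(m["path"]).split("?", 1)[0].lower()
        if path.startswith("/pub/media/") and path.endswith(".php") and m["status"] == "200":
            hits.append((m["ip"], m["ts"], path))
    return hits


if __name__ == "__main__":
    for hit in find_traversal_uploads(SAMPLE_LOG):
        print("traversal in upload:", hit)
    for hit in find_php_in_media(SAMPLE_LOG):
        print("php served from media:", hit)
```

Correlating the two lists by client IP and time window (an upload with traversal shortly followed by a PHP request under `pub/media`) gives a much stronger signal than either indicator alone, which is the sequence the "Network Indicators" list above describes.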