Magento is an eCommerce platform built on open source technology which provides online merchants with a flexible shopping cart system, as well as control over the look, content and functionality of their online store. Magento offers powerful marketing, search engine optimization, and catalog-management tools.
Enthusiasm for Cyber Security Researching is expanding up step by step I have a tons of good companions who helped me in web application pentesting. Some days prior I opened Magento site not for pentesting I don’t think whether I am ready to search for any defect in their web application. However those days I was trying the rear of web application. I just made a PHP mailing script and transfer it on web based facilitating just to check whether Email Spoofing is conceivable or not in Magento.
<?php $to = "Muhaddisshah@gmail.com"; $subject = "Email Spoofing Test"; $txt = "This is Email Spoofing"; $headers = "From: firstname.lastname@example.org"; mail($to,$subject,$txt,$headers); ?>
Subsequent to testing I came to realize that there web mail server is defenseless against Email Spoofing and not secured with SPF and DMARC records. As a policy of Magento in BugCrowd they approve Email/Spamming Vulnerabilities. I reported this imperfection to Magento, however my report got duplicate and they are already working to resolve it. In one month they resolve this issue and acknowledged me by including my name in their Security Hall of fame page (#178).They don’t pay me bug bounty because this report was duplicate that is the reason they just added my name in their Hall of fame. Much obliged, if you have anything related to Cyber Security don’t hesitate to comment your opinions.