CVE-2020-5777
Description
MAGMI versions prior to 0.7.24 are vulnerable to a remote authentication bypass due to allowing default credentials in the event there is a database connection failure. A remote attacker can trigger this connection failure if the Mysql setting max_connections (default 151) is lower than Apache (or another web server) setting MaxRequestWorkers (formerly MaxClients) (default 256). This can be done by sending at least 151 simultaneous requests to the Magento website to trigger a "Too many connections" error, then use default magmi:magmi basic authentication to remotely bypass authentication.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
dweeves/magmiPackagist | < 0.7.24 | 0.7.24 |
Affected products
1- Range: All versions prior to version 0.7.24
Patches
25c3d518464b0upgrade version, fix security issue
1 file changed · +6 −0
README.md+6 −0 modified@@ -1,6 +1,12 @@ [](https://gitter.im/dweeves/magmi-git?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge) [](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=FCTC7R3YUJVPQ) +magmi-git 0.7.24 +=== + +Security fix , remove magmi default authentication. +Force usage of magento admin login. + magmi-git 0.7.23 ===
dde71de5cfd5upgrade version, fix security issue
4 files changed · +11 −3
magmi/inc/magmi_auth.php+3 −1 modified@@ -32,7 +32,9 @@ public function __construct($user,$pass){ public function authenticate(){ - if (!$this->_hasDB) return ($this->user == 'magmi' && $this->pass == 'magmi'); + if(!$this->_hasDB) { + die("Please create magmi.ini file in magmi/conf directory , by copying & editing magmi.ini.default file and filling appropriate values"); + } $tn=$this->tablename('admin_user'); $result = $this->select("SELECT * FROM $tn WHERE username = ?",array($this->user))->fetch(PDO::FETCH_ASSOC); return $this->validatePass($result['password'],$this->pass);
magmi/inc/magmi_version.php+1 −1 modified@@ -1,5 +1,5 @@ <?php class Magmi_Version { - public static $version="0.7.23-git"; + public static $version="0.7.24-git"; } \ No newline at end of file
magmi/ReleaseNotes.txt+6 −0 modified@@ -1,3 +1,9 @@ +------------------------------------------------ +- RELEASE NOTES FOR MAGMI 0.7.24 - +------------------------------------------------- + +IMPORTANT Security fix, remove default login magmi:magmi since it can be exploited. + ------------------------------------------------ - RELEASE NOTES FOR MAGMI 0.7.23 - -------------------------------------------------
magmi/web/security.php+1 −1 modified@@ -39,7 +39,7 @@ function authenticate($username="",$password=""){ if (!isset($_SERVER['PHP_AUTH_USER'])) { header('WWW-Authenticate:Basic realm="Magmi"'); header('HTTP/1.0 401 Unauthorized'); - echo 'You must be logged in to use Magmi'; + echo 'You must be logged into magento admin to use Magmi'; die(); } else { if (!authenticate($_SERVER['PHP_AUTH_USER'],$_SERVER['PHP_AUTH_PW'])){
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/advisories/GHSA-g475-pch5-6wvvghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-5777ghsaADVISORY
- github.com/dweeves/magmi-git/commit/dde71de5cfd505fe78e5caf21d6531b61450a16fghsaWEB
- www.tenable.com/security/research/tra-2020-51ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.