A critical vulnerability has been discovered in Magento. It affects most Magento shops online, and yours might be one of them. Most Magento users are still not aware of this vulnerability, and their websites remain exposed to threats to date. Read on for more information.
Why is the vulnerability critical?
Code-named Magento Shoplift, this vulnerability allows an unauthenticated attacker to execute PHP code on the web server. In doing so, the attacker can bypass all security mechanisms and gain full control of the store along with its database.
The attack is not restricted to any specific plugin or theme. Instead, the vulnerabilities exist in the core Magento code, thereby affecting any installation of both Community and Enterprise Editions.
Vulnerable versions of Magento
Check Point researchers discovered the vulnerabilities in the Magento ecommerce platform; the confirmed vulnerable versions are 126.96.36.199 CE and 188.8.131.52 EE. However, patches are available for earlier versions of both Community and Enterprise Editions.
Here is a quick list of versions:
| Community Edition | Enterprise Edition |
|---|---|
| 1.4.0.x – 1.5.0.x | 184.108.40.206 – 220.127.116.11 |
| 1.6.1.x – 1.6.2.x | 18.104.22.168 – 22.214.171.124 |
| 1.8.x – 1.9.x | 1.13.x – 1.14.x |
How to protect against the vulnerability?
We recommend updating the security of your Magento software before the security risk is publicized. Magento has released a patch for this, SUPEE-5344 (available on the Magento site), and has started warning its users to apply it.
Besides applying the patch, we also ask businesses to check for any unknown files or code in their web server's document root directory and take appropriate action.
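One way to run that check is sketched below as an added example; it is not code from Magento or from the original article. It assumes you have unpacked a clean copy of the same Magento release, with the same patches applied, next to the live document root. The function names and the data_dirs default are hypothetical.

```python
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):  # does not follow symlinked dirs
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                digest = "symlink:" + os.readlink(full)  # never read the target
            else:
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return manifest


def audit_docroot(clean_root, live_root, data_dirs=("var/", "media/")):
    """Return (unknown, modified) files in live_root versus a clean copy."""
    # Assumption: data_dirs hold runtime data; PHP found there is still reported.
    clean, live = build_manifest(clean_root), build_manifest(live_root)
    unknown, modified = [], []
    for path, digest in sorted(live.items()):
        is_php = path.lower().endswith((".php", ".phtml"))
        if path.startswith(tuple(data_dirs)) and not is_php:
            continue
        if path not in clean:
            unknown.append(path)
        elif clean[path] != digest:
            modified.append(path)
    return unknown, modified


def demo():
    """Run the audit on two constructed trees (sample files, not Magento's)."""
    def write(root, rel, text):
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        for root in (clean, live):
            write(root, "index.php", "<?php // front controller\n")
            write(root, "app/Mage.php", "<?php // core\n")
        write(live, "media/catalog/shoe.jpg", "image bytes")      # normal upload
        write(live, "media/catalog/thumb.php", "<?php // ???\n")  # code in data dir
        write(live, "app/Mage.php", "<?php // core, edited\n")    # changed core file
        return audit_docroot(clean, live)
```

Every path in the unknown list needs an owner (an extension, a theme, or a deliberate customization), and every path in the modified list should be diffed against the clean copy before the store is considered clean.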
For more information or any further assistance please contact us at http://www.i95dev.com/contact/ or call us on 301.760.7499.