Magento Releases Patch to fix Multiple Vulnerabilities

If you are using Magento to power your online store, it would be a very good idea to make sure you are up to date with your patches, because hundreds of thousands of websites are at risk of hijacking attacks made possible by a just-patched vulnerability in the Magento ecommerce platform. If this feels like déjà vu, it is because just last year Magento was hit by another exploit.

The bad news is that the stored cross-site scripting (XSS) bug is present in almost all Magento Community Edition releases prior to 1.9.2.3 and Enterprise Edition releases prior to 1.14.2.3. The big problem is that it allows attackers to enter JavaScript code into the customer registration form. All the attacker has to do is click submit; the script is then executed in the store owner's account when the record is handled in the backend, which lets the attacker take control of the store.

According to Magento, the problem was that, “During customer registration on the storefront, a user can provide a user name that contains JavaScript code. Magento does not properly validate this name and executes it in the Admin context when editing the user in the backend. This JavaScript code could potentially steal the administrator session or act on behalf of a store administrator”.

“The buggy snippet is located inside Magento core libraries, more specifically within the administrator’s backend,” a Sucuri advisory explained. “Unless you’re behind a WAF or you have a very heavily modified administration panel, you’re at risk. As this is a Stored XSS vulnerability, this issue could be used by attackers to take over your site, create new administrator accounts, steal client information, anything a legitimate administrator account is allowed to do.”
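As an added illustration (not Magento's code and not from the Sucuri advisory), the PHP sketch below shows the class of defect described above: a customer-supplied name written into an admin page without escaping, beside the corrected rendering that escapes on output, plus a small audit check for stored records that already contain markup. The function names and the sample customer record are hypothetical.

```php
<?php
// Added example, not Magento's code. Names and the sample record are
// hypothetical; the point is the unescaped-output bug and its fix.

// Constructed sample: a registration "first name" carrying HTML/JavaScript.
$customer = [
    'id'        => 42,
    'firstname' => 'Alice <script>x()</script>',
    'lastname'  => 'Example',
];

// Escape for an HTML text or attribute context; always name the charset.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// VULNERABLE: the stored value is interpolated straight into admin markup,
// so the browser of whoever views this row runs the embedded script.
function renderCustomerRowUnsafe(array $c): string
{
    return sprintf('<tr><td>%d</td><td>%s %s</td></tr>',
        $c['id'], $c['firstname'], $c['lastname']);
}

// FIXED: every untrusted value is escaped at the point it enters HTML.
// The markup characters survive as literal text and are never parsed as tags.
function renderCustomerRowSafe(array $c): string
{
    return sprintf('<tr><td>%d</td><td>%s %s</td></tr>',
        (int) $c['id'], escapeHtml($c['firstname']), escapeHtml($c['lastname']));
}

// Audit helper: flag stored names containing tag characters so records that
// predate the patch can be reviewed. Input validation is a second layer;
// output escaping remains the actual fix.
function nameContainsMarkup(string $name): bool
{
    return (bool) preg_match('/[<>]/', $name);
}

echo renderCustomerRowUnsafe($customer), PHP_EOL;
echo renderCustomerRowSafe($customer), PHP_EOL;
var_dump(nameContainsMarkup($customer['firstname']));
```

The same escaping rule applies to any other customer-supplied field the backend displays, not just the name.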

Vulnerability Disclosure Timeline:

Now you might think that Magento rushed to get the vulnerability patched, but according to a timeline released by Sucuri, they informed the company of the risk in November, and a patch was not released until just recently. You can see the full timeline below:

  • November 10th, 2015 — Bug discovered, initial report to Magento’s security team.
  • December 1st, 2015 — No response from Magento. Requested confirmation of our previous email.
  • December 1st, 2015 — Magento acknowledges receipt of the report.
  • January 7th, 2016 — Requested an ETA; it has been 2 months since the original report.
  • January 11th, 2016 — Magento answers that the patch is ready, but no ETA is available.
  • January 20th, 2016 — Magento releases patch bundle SUPEE-7405, which fixes the issue.
  • January 22nd, 2016 — Sucuri public disclosure of the vulnerability.

What does this mean?

If you still need to install the latest patch, you should really do it sooner rather than later, because otherwise you run the risk of exposing yourself to a potentially very dangerous threat. As with any other security patch, there is a reason it was released, so don’t play Russian roulette with your business.


Originally published at ecommerce-platforms.com on January 29, 2016.
