Update your Magento online store before someone checks out your data

A bug in the popular Magento ecommerce software gave attackers practically free rein over online stores, so make sure yours has been patched.

Web security company Sucuri discovered and reported the bug last November, and a patch was released by Magento at the end of last week.

The problem, roughly speaking, was that the order template allowed attackers to embed commands in what was supposed to be the customer's email address, and these commands were executed when an admin user examined the order in the administration panel.
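As an added illustration (not Magento's code and not from the Sucuri write-up), the unsafe rendering pattern the article describes sits beside a hardened version that escapes the field, with a small audit that flags stored orders whose email field is not a plain address; the record layout (`order_id`, `customer_email`) and the sample orders are constructed for this example.

```python
import html
import re
from typing import Dict, List

# Strict shape check for an email address: local part, "@", domain.
# Anything containing angle brackets, quotes or whitespace fails outright.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_plain_email(value: str) -> bool:
    """True only if the value looks like a bare email address."""
    return bool(EMAIL_RE.match(value))


def render_email_vulnerable(email: str) -> str:
    """The pattern the article describes: an untrusted field dropped into admin HTML as-is."""
    return f'<td class="customer-email">{email}</td>'


def render_email_safe(email: str) -> str:
    """Hardened: the field is HTML-escaped, so any markup is displayed as text, not interpreted."""
    return f'<td class="customer-email">{html.escape(email, quote=True)}</td>'


def audit_orders(orders: List[Dict[str, str]]) -> List[str]:
    """Return the IDs of stored orders whose email field does not look like an email address."""
    return [o["order_id"] for o in orders if not is_plain_email(o["customer_email"])]


# Constructed sample records (assumed field names), not data from a real store.
SAMPLE_ORDERS = [
    {"order_id": "100000001", "customer_email": "alice@example.com"},
    {"order_id": "100000002", "customer_email": 'bob@example.com"><b>not an address</b>'},
    {"order_id": "100000003", "customer_email": "carol@example.org"},
]

if __name__ == "__main__":
    for oid in audit_orders(SAMPLE_ORDERS):
        print("order", oid, "has a customer_email value that is not a plain address")
```

Running the audit against an export of historical orders is a quick way to tell whether a store was abused before the patch went in, since patching stops new injection but does not clean up records already stored.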

While Sucuri only revealed a harmless demonstration of the way this works, the company says it "could be used by attackers to take over your site, create new administrator accounts, steal client information, anything a legitimate administrator account is allowed to do."

The company warned that this issue affects almost every installation of Magento CE or earlier, and Magento EE

The vulnerability is now public knowledge, so if you use Magento it is important that you install patch bundle SUPEE-7405, or make sure that whoever looks after the technical side of your Magento-based store has done that for you.

Copyright © BIT (Business IT). All rights reserved.
