Critical vulnerability in Magento

Thursday, 23 April 2015 12:57

A critical vulnerability has been found in Magento, the e-commerce platform that powers a huge number of online stores. It allows an attacker to execute arbitrary PHP code on the server and gain full access to the store's data, including customers' credit card information. The attack requires no authentication. The flaw is in the Magento core and is present in the default configuration. It was identified in February and has already been fixed in the SUPEE-5344 patch, but because of a non-disclosure agreement the vulnerability has only now been made public.

The problem is that Magento releases and vulnerability patches are shipped separately, i.e., the user must install a release and then watch for new patches and apply them. Many users judge how up to date their Magento installation is by its version number and do not bother installing patches, which can leave their systems vulnerable. For example, the currently offered Magento 1.9.1.0 release does not include the fix.

We strongly recommend that you patch your Magento sites immediately. Patches for the different versions of the system can be downloaded here.
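Because the version number says nothing about patch status, the check has to look at the patch record itself. The script below is an added example, not code from Magento or from this article. It assumes the patch scripts log each action as a " | "-separated line in `app/etc/applied.patches.list`, with the patch name in the second field and a trailing `REVERTED` field on rollback. The function names, the `SUPEE-0000` placeholder and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether a SUPEE patch is currently in effect.
# Assumed log format (not stated in the article), one line per action:
#   date | PATCH-ID | edition_version | v1 | commit | commit date | range [| REVERTED]

# patch_state LOGFILE PATCH_ID  -> prints: applied | reverted | missing
patch_state() {
    _log=$1 _id=$2
    # No readable log means no patch script has ever recorded anything.
    [ -r "$_log" ] || { echo missing; return 0; }
    awk -F'|' -v id="$_id" '
        {
            name = $2
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            if (name != id) next          # exact match: SUPEE-534 != SUPEE-5344
            last = $NF
            gsub(/^[ \t]+|[ \t]+$/, "", last)
            # The most recent entry for the patch decides its state.
            state = (last == "REVERTED") ? "reverted" : "applied"
        }
        END { print (state == "" ? "missing" : state) }
    ' "$_log"
}

# sample_log -> writes a constructed log to a temp file and prints its path
sample_log() {
    _f=$(mktemp)
    cat > "$_f" <<'EOF'
2015-02-12 10:01:44 UTC | SUPEE-0000 | CE_1.9.1.0 | v1 | 0000000 | constructed | v1.9.1.0..HEAD
2015-02-12 10:02:10 UTC | SUPEE-5344 | CE_1.9.1.0 | v1 | 0000000 | constructed | v1.9.1.0..HEAD
2015-03-01 08:15:02 UTC | SUPEE-5344 | CE_1.9.1.0 | v1 | 0000000 | constructed | v1.9.1.0..HEAD | REVERTED
EOF
    echo "$_f"
}

# Demo on the constructed log; on a real store, pass the path to
# app/etc/applied.patches.list under the Magento root instead.
demo_log=$(sample_log)
for p in SUPEE-0000 SUPEE-5344 SUPEE-9999; do
    printf '%s: %s\n' "$p" "$(patch_state "$demo_log" "$p")"
done
rm -f "$demo_log"
```

A result of `reverted` or `missing` for SUPEE-5344 means the store should be treated as unpatched, whatever release number it reports.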

For help, you can always contact our support team.


Copyright © 2012 - 2024 WebPatron Ltd. All rights reserved.