Critical vulnerability in Magento

Blog Categories

Basket of services

Company news

Thursday, 24 December 2015: Merry Christmas and Happy New Year!
Monday, 20 April 2015: Accepting payments through payment system Webmoney and Z-Payment restored
Saturday, 18 April 2015: Unavailable accepting payments via Webmoney and Z-Payment
Thursday, 05 March 2015: To order new services are available - DNS hosting and secondary DNS server
Wednesday, 25 February 2015: Added new ways to pay for services

Recent blog posts

Critical vulnerability in Magento

Thursday, 23 April 2015 12:57

As a platform for e-commerce Magento, which works on the basis of a huge number of online stores found critical vulnerability, allows an attacker to execute arbitrary PHP-code on the server and get full access to the data online store, including information on the customer's credit card. The attack can be accomplished without committing authentication. The problem is present in the base of the engine Magento and appears in the default configuration. The problem was identified in February and has already been fixed in the update SUPEE-5344, while for non-disclosure agreement about the vulnerability made public only now.

The problem is that Magento releases and patches to address vulnerabilities are supplied separately, ie, the user must install the release, and then track the emergence of patches and apply them. Many users appreciate the relevance of their Magento system version number and do not care about installing patches, potentially making them vulnerable system. For example, the proposed currently Magento 1.9.1.0 release does not include the fix.

We strongly recommend that you immediately patch your sites on Magento. Download patches for different versions of the system can be here.

For help, you can always contact our support team.

Tagged under:

Read: 2825 times