April 20, 2015
Magento Shoplift Vulnerability
Announced recently, a critical vulnerability has been revealed affecting the mega popular Magento ecommerce framework.
The Magento team revealed a critical security patch (SUPEE-5344) to address a remote command execution (RCE) vulnerability back in February. It’s been more than two months since the release and still more than 50% of all the Magento installations have not been patched, leaving them open to attacks.
This means hundreds of thousands of websites are vulnerable right now, worst yet they are Ecommerce websites.
This means that they are used to sell online, capturing personal identifiable information (PII), including credit / debit card information.
This has implications in terms of PCI DSS and also fraud prevention systems across the UK and indeed the internet.
A very serious vulnerability, it allows an attacker to run any command they want on the server, allowing them to take full ownership of the vulnerable online shop and it’s associated web server.
Full Disclosure Going Live in a couple of days
This vulnerability was discovered by research teams and reported to Magento.
They gave an assurance details would not be released “to the wild” to allow Magento sufficient time to fix, but this time is up.
Once the details are released, it is expected that within hours there will be a working Proof of Concept (PoC) available for the masses.
The severity of this issue cannot be understated, we cannot stress the importance of patching immediately.
ABL Networks have so far patched over 20 Magento installations.
You need to update and update now. We can do this for you if needed. Get in touch now.
Article Posted 20/04/2015 @ 12:34