Magento attacks uncanny hacks-men with shopper-popper patch

Independent security researcher Nethanel Rubin has reported a since-patched vulnerability in eBay’s Magento e-commerce platform that could have allowed hackers to compromise retailers.

The vulnerability (CVE-2016-4010) is fixed in version 2.0.6 issued overnight. Magento handed the flaw a 9.8 out of 10 severity score explaining that the platform installation code is no longer accessible once the installation process is complete.

“Previously, an unauthenticated user or user with minimal permissions could execute PHP code on the server because the installation process would leave the /app/etc directory writeable, and many administrators would not change the permissions on this directory after installation, ” the company says.

Rubin (@na7irub), an Israeli researcher who has previously, found holes in the platform and many others, says attackers can execute arbitrary PHP code in unpatched systems.

“The vulnerability allows an attacker to execute PHP code at the vulnerable Magento server unauthenticated,” Rubin says.

“This vulnerability works on both the Community Edition and Enterprise Edition of the system.

“I recommend all Magento administrators to update their installations to the 2.0.6 patch.”

The chained attack combines smaller vulnerabilities which Rubin has detailed in full, and relies on REST or SOAP being left enabled from default which is the case in most installations.

Much of the fault lies with the sizeable and dynamic API for each Magento module that customers use to run things like shopping carts.

Rubin praised Magento for its code overhaul which has seen vast re-writing, code improvements, and a bolstering of security. It was a “huge step forward” but also something of a teething pain for Magento developers and vulnerability researchers. ®

Sponsored:
Virtual application patterns

via The Register http://bit.ly/24YUgqJ

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s