
Critical XSS flaws in Magento leave millions of ecommerce sites at risk



Critical XSS (Cross-Site Scripting) vulnerabilities have been found in both version 1 and 2 of the popular Magento ecommerce platform.
If you run a Magento website, you should update it now.
20 vulnerabilities have been fixed in the SUPEE-7405 patch bundle for the 1.* branch, of which two are marked Critical and four High. Affected versions include all versions of Magento Community Edition prior to 1.9.2.3 and all versions of Magento Enterprise Edition prior to 1.14.2.3.
There are 11 vulnerabilities fixed in Magento 2.0.1 Security Update for the 2.* branch, of which one is Critical and three High. Affected versions in the 2.* branch include all versions of Magento Community Edition and Magento Enterprise Edition prior to 2.0.1.
For as long as there have been websites, the vast majority of vulnerabilities have come about because of a failure to handle incoming data properly, and the list of Magento vulnerabilities is no exception.
The most serious, though, are the Critical XSS vulnerabilities.
Each of them could be used to take over vulnerable ecommerce sites, putting the stores’ users and their credit card data at risk, as well as representing a serious threat to the business behind the store.
All an attacker’s software needs to do is register for a vulnerable store using a spiked email address (or a spiked username if it’s running version 2).
During customer registration on the storefront, a user can provide an email address that contains JavaScript code. Magento does not properly validate this email and executes it in Admin context when viewing the order in the backend. This JavaScript code can steal an administrator session or act on behalf of a store administrator.
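The failure mode described above, as an added example that is not Magento's own code: a registration-time allow-list check for the email field, and the admin-side rendering of a stored email in both its trusting form and its entity-encoding form. The function names, the regex and the sample addresses are this example's assumptions.

```python
import html
import re

# Constructed test inputs (not from the advisory): a normal address and one
# whose local part carries markup, the shape of input the advisory describes.
NORMAL_EMAIL = "alice@example.com"
MARKUP_EMAIL = "<script>alert(1)</script>@example.com"

# Conservative allow-list: one '@', unquoted local part, dotted domain.
# Deliberately stricter than RFC 5322 (no quoted local parts, no comments);
# a storefront has no need to accept those forms.
_EMAIL_RE = re.compile(
    r"^[A-Za-z0-9._%+\-]{1,64}@"
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9\-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)


def is_plausible_email(email: str) -> bool:
    """Input validation at registration: reject anything outside the allow-list."""
    return len(email) <= 254 and _EMAIL_RE.fullmatch(email) is not None


def render_customer_cell_vulnerable(email: str) -> str:
    """Admin order view that trusts stored data: the string is emitted verbatim,
    so markup inside the email becomes markup in the administrator's browser."""
    return f'<td class="customer-email">{email}</td>'


def render_customer_cell_safe(email: str) -> str:
    """Same view with HTML entity encoding: the browser renders text, never a tag.
    Output encoding also covers rows stored before validation was tightened."""
    return f'<td class="customer-email">{html.escape(email, quote=True)}</td>'


def contains_active_markup(rendered: str) -> bool:
    """Crude template-review check: a raw tag or event handler in a rendered cell."""
    return re.search(r"<\s*(script|img|svg|iframe)\b|\bon\w+\s*=", rendered, re.I) is not None


if __name__ == "__main__":
    for email in (NORMAL_EMAIL, MARKUP_EMAIL):
        print(f"{email!r}: accepted={is_plausible_email(email)}")
        print("  vulnerable:", render_customer_cell_vulnerable(email))
        print("  safe:      ", render_customer_cell_safe(email))
```

The two defences are independent: validation stops the payload entering the database, and encoding at the point of output stops anything already stored from executing in the admin session.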
Magento is extremely popular and this means every Magento user should be on their guard.
Criminals aren’t interested in hacking just one or two stores, and they don’t care if your site’s a whale or a minnow. They use software to target and take over as many sites as they can in the most cost-effective way so they can harvest customer data, steal credit cards and turn the sites into distribution channels for malware and spam.
In other words, it’s a numbers game.
According to W3Techs, Magento is running on about 1.3% of all sites, making it the fourth most popular website CMS (Content Management System) and the only one in the top five that’s a specialist ecommerce system.
A 1.3% share of the web gives Magento an installed base of roughly 13 million websites – potential targets that are all exploitable in the same, repeatable, way.
The sooner the criminals can start their attacks, the more chance they have of catching people who haven’t updated their software. Web Application Firewalls can help but patching quickly is essential.
In October 2014, automated attacks on sites running vulnerable versions of Drupal, another popular content management system, began within a few hours of a critical vulnerability being revealed.
If you’re running a Magento store, patch it now.
If you want to know more about keeping your Magento site secure, you should start with the Magento Security Best Practices document.

Comments

  1. I want to thank you for this excellent read!! I definitely enjoyed every bit of it. I have you bookmarked to look at new stuff you. Ecommerce Magento

