Unpatched Magento Zero Day Leaves 200,000 Merchants Vulnerable (threatpost.com)
An anonymous reader quotes ThreatPost:
A popular version of the open source Magento ecommerce platform is vulnerable to a zero-day remote code execution vulnerability, putting as many as 200,000 online retailers at risk... According to Bosko Stankovic, information security engineer at DefenseCode, despite repeated efforts to notify Magento, which began in November 2016, the vulnerability remains unpatched despite four version updates since the disclosure. Affected versions of the Magento Community Edition software include v. 2.1.6 and below. DefenseCode did not examine Magento Enterprise, the commercial version of the platform, but warns both share the same underlying vulnerable code... The remote code execution (RCE) vulnerability is tied to the default feature in Magento Community Edition that allows administrators to add Vimeo video content to product descriptions.
DefenseCode says the exploit can be mitigated by enforcing Magento's "Add Secret Keys To URLS" feature, warning in a paper that the hole otherwise "could lead to remote code execution and thus the complete system compromise including the database containing sensitive customer information such as stored credit card numbers and other payment information." Magento has confirmed the exploit, says they're investigating it, and promises they'll address it in their next patch release.
Patching first since 1997!
The recommended fix is to enable 'Add Secret Key to URLs', which is the default configuration. So only sites that went in and disabled this feature are vulnerable, or am I missing something?
You're trolling, but ok... RTFS:
...the commercial version of the platform, but warns both share the same underlying vulnerable code...
So even if you pay, you have the same problem.
Who else misread that as "Unpatched Magneto Zero Day"?
I think I'll have some Doritos with my aluminum foil wrapped sandwich for lunch today.
They have an Enterprise version which they sell, and I doubt they are relying on "hobbyist programmers" to maintain it for them. Not to mention there are some excellent "hobbyist programmers" who work on the most widely used open source software being used all over the world. And the people reporting the vulnerability say they only reviewed the Community Edition and not the Enterprise Edition but somehow know the Enterprise version has the same vulnerability. How exactly do they know the vulnerability is in the Enterprise edition? Community editions of open source software are "use at your own risk" while having a tendency to fall into the category of "you get what you pay for".
Is it still a zero-day exploit if it's the next day??
I mean, the linked article on ThreatPost is dated April 13 which was 2 days ago so doesn't that make this at least a 2-day exploit by now?
slashdot: A failed experiment.
Trump is a dangerous zero day exploit for our nation. You never know when one of his reckless statements will lead to disaster.
I think the Molasses Act is the odd one out. You can "prove" anything and hence nothing with numerology. It's a source of deep meaning only for the foolish and deranged.
When I looked at Magento it was a sieve peppered with .50 caliber holes. I passed.
So when you enter your information into an open source browser and send it to an open source server, you draw the line at the website software?
And especially not to some podunk mom and pop operation with their homespun "e-commerce" platform that their grandson set up for them five years ago.
Damn assburger trumpanzees need to be banned from the internet.