Slashdot Mirror


Unpatched Magento Zero Day Leaves 200,000 Merchants Vulnerable (threatpost.com)

An anonymous reader quotes ThreatPost: A popular version of the open source Magento ecommerce platform is vulnerable to a zero-day remote code execution vulnerability, putting as many as 200,000 online retailers at risk... According to Bosko Stankovic, information security engineer at DefenseCode, despite repeated efforts to notify Magento, which began in November 2016, the vulnerability remains unpatched despite four version updates since the disclosure. Affected versions of the Magento Community Edition software include v. 2.1.6 and below. DefenseCode did not examine Magento Enterprise, the commercial version of the platform, but warns both share the same underlying vulnerable code... The remote code execution (RCE) vulnerability is tied to the default feature in Magento Community Edition that allows administrators to add Vimeo video content to product descriptions.
DefenseCode says the exploit can be mitigated by enforcing Magento's "Add Secret Keys To URLs" feature, warning in a paper that the hole otherwise "could lead to remote code execution and thus the complete system compromise including the database containing sensitive customer information such as stored credit card numbers and other payment information." Magento has confirmed the exploit, says it is investigating, and promises to address it in its next patch release.

29 comments

  1. First Patch! by Anonymous Coward · · Score: 1

    Patching first since 1997!

    1. Re: First Patch! by alexandre · · Score: 1

      Is that you?

  2. What the fuck by Anonymous Coward · · Score: -1

Who is using open source software for e-commerce? Jesus christ. They should post this information on the site so you know enough not to input credit card information into that system. That is just asking for trouble. Entrusting sensitive information to software created and maintained by hobbyist programmers... well, let's just say you get what you pay for, and this is a perfect example of that.

    1. Re:What the fuck by mars-nl · · Score: 2

      You're trolling, but ok... RTFS:

      ...the commercial version of the platform, but warns both share the same underlying vulnerable code...

      So even if you pay, you have the same problem.

    2. Re:What the fuck by Anonymous Coward · · Score: 0

They have an Enterprise version which they sell and I doubt they are relying on "hobbyist programmers" to maintain it for them. Not to mention there are some excellent "hobbyist programmers" who work on the most widely used open source software being used all over the world. And the people reporting the vulnerability say they only reviewed the Community Edition and not the Enterprise Edition but somehow know the Enterprise version has the same vulnerability. How exactly do they know the vulnerability is in the Enterprise edition? Community editions of open source software are "use at your own risk" while having a tendency to fall into the category of "you get what you pay for".

    3. Re: What the fuck by Anonymous Coward · · Score: 0

      So when you enter your information into an open source browser and send it to an open source server, you draw the line at the website software?

  3. Default configuration not vulnerable by Anonymous Coward · · Score: 0

    The recommended fix is to enable 'Add Secret Key to URLs', which is the default configuration. So only sites that went in and disabled this feature are vulnerable, or am I missing something?

    1. Re: Default configuration not vulnerable by Anonymous Coward · · Score: 0

      It is also only an issue for admin login accounts. Nothing to see here.

    2. Re:Default configuration not vulnerable by campuscodi · · Score: 1

      Bingo. Overhyped media article. It was obviously written by a guy that never installed Magento in his life.

  4. Robin Williams Paul Walker Bruce Lee assassinated. by Anonymous Coward · · Score: -1

    http://t2.gstatic.com/images?q=tbn:ANd9GcTPlfLhFarHiTotB_v5xKE3yewLH_6EbLN_EtBrHlj8y9uLDfTV

    The illuminati use light to refer to themselves, and their ejaculate (see also 'Hide & Seek', either the movie, or the song)

    Robin Williams was killed 32 days after his last movie, which only grossed 32,000 dollars.

    How does a movie about a gay man, revealing himself, in hollywood, starring Robin Williams, being his last 'work', gross $32k?

    It is a perversion of the scripture 'a day is a thousand' a hallmark of sabbateans; mixing the profane, and the sacred.

    Both Bruce Lee (32 years), and Paul Walker (32 movies) were killed surrounding a 32.

    Bruce Lee gave hope to minorities.
    Paul Walker was shining light on 'Easy Meat' (underage rape of girls in England, see 'Vehicle 19')
    They seem to have been planning it since 'Tokyo Drift'. In 'Brick Mansions', just before the van crash, Walker says:

    Steerings gone.
    Brakes are gone.
    Now we're gone.

    The script has 'Work on it!' instead of 'New we're gone.', and if you listen, it seems to be spliced in later on.

    Read more: http://www.springfieldspringfield.co.uk/movie_script.php?movie=brick-mansions

    Also the confluence of the name 'Walker' is interesting:

    ghw bush, Luke skywalker, Walker Texas Ranger. Name for zombies (walkers). Name for 'star' wars vehicles (walkers).

    The occult believes that if you sacrifice someone who has done 'work' involving a 33, that you will ascend to being a deity when you die, like Christ.

    33rd degree 'Free' Masons:
    stalin, pike, la fayette, etc.
    trinity test site is on the 33rd parallel
    some execution chambers, and military bases are on, or near the 33rd parallel

    1933:
    dachau completed
    Mt. rushmore dedicated
    Austrian Parliament becomes a dictatorship
    enabling act / reichstag fire makes Hitler chancellor
    SS formed (for 'sabbatai sevi', see also 'secret service', etc.)
    Vatican signs treaty with Hitler
    FDR sworn in; FDR attempted assassination
    Business Plot attempted to turn U.S. into dictatorship
    Prescott (Intel?) Bush implicated as the money man
    Operation Northwood (Intel, Northwood)
    Maj Gen Smedley Butler was likely assassinated. Died on 4/21 (probable target of 4/20 for the poison) of what appears to be poisoning by the OSS before the outbreak of WWII. Claimed to be 'likely cancer of the upper GI tract'.
    'War is a Racket' circulated in the millions, would need to be removed for all people to fully support WWII.
    NISSAN founded (same name as jewish month)

    White Sea–Baltic Canal opens (built by slaves, 12,000 were 'sacrificed')
    First U.S. female cabinet member
    Civilian Conservation Corps (CCC) steals the natural resources of the nation from its people from 33 to 42. 42 being a number indicating wrath, or judgment.
    Pakistan Declaration / Pakistan National Movement to create 2 states in India.
    'Partition of India' / 'Radcliffe Line' displaces millions along religious lines in 1947, which keeps both controllable, and distracted.
    8 day bank 'holiday' (holy day) "you won't get your money"
    8 is important to the occult
    Owning bullion is outlawed / U.S. goes off the gold standard
    First hundred days of the 'New Deal' (New / Neo-Con etc. is honorable mention to the Egyptian deity 'Nu')
    Prohibition repealed

    Golden Gate Bridge construction begins
    Gold indicating 'Central Authority' as in 'Golden Horde' 'Golden Army'
    Gate indicating Babylon Bab=Gate "Gate of the Gods" (Star Gate / IShtarGate), etc.

    42 offices for Jones Day throughout the Earth
    420 marijuana police code
    42 days

  5. Okay, who else? by Chris+Mattern · · Score: 1, Insightful

    Who else misread that as "Unpatched Magneto Zero Day"?

    1. Re:Okay, who else? by Ramley · · Score: 1

      Yep *sigh* :-/

    2. Re: Okay, who else? by Anonymous Coward · · Score: 0

      May I suggest attending the Derek Zoolander Center For Kids Who Can't Read Good And Wanna Learn To Do Other Stuff Good Too?

    3. Re:Okay, who else? by SeaFox · · Score: 1

      Yeah, I thought the exploit was named Magneto, and was looking for some X-Men reference in what it did.

    4. Re:Okay, who else? by nospam007 · · Score: 1

      "Yeah, I thought the exploit was named Magneto, and was looking for some X-Men reference in what it did."

      Just Google 'Dyslexia' if you want to know the reason.

  6. Re: Robin Williams Paul Walker Bruce Lee assassina by Anonymous Coward · · Score: 0

    I think I'll have some Doritos with my aluminum foil wrapped sandwich for lunch today.

  7. Still a zero-day? by FrankHaynes · · Score: 1, Interesting

    Is it still a zero-day exploit if it's the next day??

    I mean, the linked article on ThreatPost is dated April 13 which was 2 days ago so doesn't that make this at least a 2-day exploit by now?

    --
    slashdot: A failed experiment.

    1. Re:Still a zero-day? by SeaFox · · Score: 0

      I would say Slashdot operates on pothead time, but that would only be an offset of a couple hours.

    2. Re:Still a zero-day? by Anonymous Coward · · Score: 0

      As long as there is not an official patch available I think you can regard it as a zero-day.

    3. Re: Still a zero-day? by Anonymous Coward · · Score: 0

      It's not a zero-day because it was reported to the vendor in November.

    4. Re:Still a zero-day? by Anonymous Coward · · Score: 0

      Which means all bugs are zero-day which means zero-day is a meaningless buzzword.

      derp

  8. Can we patch Trump? by Anonymous Coward · · Score: 0

    Trump is a dangerous zero day exploit for our nation. You never know when one of his reckless statements will lead to disaster.

    1. Re: Can we patch Trump? by Anonymous Coward · · Score: 0

      Buttery males?

  9. Re: Robin Williams Paul Walker Bruce Lee assassina by Anonymous Coward · · Score: 0

    I think the Molasses Act is the odd one out. You can "prove" anything and hence nothing with numerology. It's a source of deep meaning only for the foolish and deranged.

  10. Unsurprising by caferace · · Score: 1

    When I looked at Magento it was a sieve peppered with .50 caliber holes. I passed.

    1. Re: Unsurprising by Anonymous Coward · · Score: 0

      There's good pay being a magento tech though.

    2. Re: Unsurprising by Anonymous Coward · · Score: 0

      We push our stores through a full pen test (granted, before this exploit) and all passed, which surprised us all!
      AC because, well, risk mitigation.

  11. This is Why You Don't Give your CC on the Internet by Anonymous Coward · · Score: 0

    And especially not to some podunk mom and pop operation with their homespun "e-commerce" platform that their grandson set up for them five years ago.

  12. Re:Robin Williams Paul Walker Bruce Lee assassinat by Anonymous Coward · · Score: 0

    Damn assburger trumpanzees need to be banned from the internet.