Slashdot Mirror

← Back to Stories (view on slashdot.org)

Unpatched Magento Zero Day Leaves 200,000 Merchants Vulnerable (threatpost.com)

Posted by EditorDavid on from the vulnerabilities-from-Vimeo dept.

An anonymous reader quotes ThreatPost: A popular version of the open source Magento ecommerce platform is vulnerable to a zero-day remote code execution vulnerability, putting as many as 200,000 online retailers at risk... According Bosko Stankovic, information security engineer at DefenseCode, despite repeated efforts to notify Magento, which began in November 2016, the vulnerability remains unpatched despite four version updates since the disclosure. Affected versions of the Magento Community Edition software include v. 2.1.6 and below. DefenseCode did not examine Magento Enterprise, the commercial version of the platform, but warns both share the same underlying vulnerable code... The remote code execution (RCE) vulnerability is tied to the default feature in Magento Community Edition that allows administrators to add Vimeo video content to product descriptions.
DefenseCode says the exploit can be mitigated by enforcing Magento's "Add Secret Keys To URLS" feature, warning in a paper that the hole otherwise "could lead to remote code execution and thus the complete system compromise including the database containing sensitive customer information such as stored credit card numbers and other payment information." Magento has confirmed the exploit, says they're investigating it, and promises they'll address it in their next patch release.

10 of 29 comments (clear)

  1. First Patch! by Anonymous Coward · · Score: 1

    Patching first since 1997!

    1. Re: First Patch! by alexandre · · Score: 1

      Is that you?

  2. Re:What the fuck by mars-nl · · Score: 2

    You're trolling, but ok... RTFS:

    ...the commercial version of the platform, but warns both share the same underlying vulnerable code...

    So even if you pay, you have the same problem.

  3. Okay, who else? by Chris+Mattern · · Score: 1, Insightful

    Who else misread that as "Unpatched Magneto Zero Day"?

    1. Re:Okay, who else? by Ramley · · Score: 1

      Yep *sigh* :-/

    2. Re:Okay, who else? by SeaFox · · Score: 1

      Yeah, I thought the exploit was named Magneto, and was looking for some X-Men reference in what it did.

    3. Re:Okay, who else? by nospam007 · · Score: 1

      "Yeah, I thought the exploit was named Magneto, and was looking for some X-Men reference in what it did."

      Just Google 'Dyslexia' if you want to know the reason.

  4. Still a zero-day? by FrankHaynes · · Score: 1, Interesting

    Is it still a zero-day exploit if it's the next day??

    I mean, the linked article on ThreatPost is dated April 13 which was 2 days ago so doesn't that make this at least a 2-day exploit by now?

    --
    slashdot: A failed experiment.
  5. Unsurprising by caferace · · Score: 1

    When I looked at Magento it was a sieve peppered with .50 caliber holes. I passed.

  6. Re:Default configuration not vulnerable by campuscodi · · Score: 1

    Bingo. Overhyped media article. It was obviously written by a guy that never installed Magento in his life.