Slashdot Mirror


Critical Magento SQL Injection Flaw Could Soon Be Targeted By Hackers (csoonline.com)

itwbennett writes: The popular e-commerce platform Magento has released 37 security issues affecting both the commercial and open-source versions, four of which are critical. "Of those, one SQL injection flaw is of particular concern for researchers because it can be exploited without authentication," writes Lucian Constantin for CSO. Researchers from Web security firm Sucuri "have already reverse-engineered the patch [for that flaw] and created a working proof-of-concept exploit for internal testing," says Constantin. "The SQL vulnerability is very easy to exploit, and we encourage every Magento site owner to update to these recently patched versions to protect their ecommerce websites," the researchers warn in a blog post. "Unauthenticated attacks, like the one seen in this particular SQL Injection vulnerability, are very serious because they can be automated -- making it easy for hackers to mount successful, widespread attacks against vulnerable websites," the Sucuri researchers warned. "The number of active installs, the ease of exploitation, and the effects of a successful attack are what makes this vulnerability particularly dangerous." Since the researchers were able to create a working proof-of-concept exploit, it's only a matter of time until hackers discover a way to use the exploit to plant payment card skimmers on sites that have yet to install the new patch.

UPDATE: Onilab, an official Magento development partner, has a blog post explaining how you can update your store to the latest version of Magento.

14 comments

  1. Are the retard editors even trying? by Anonymous Coward · · Score: 0

    Same page
    https://m.slashdot.org/story/353912

    1. Re: Are the retard editors even trying? by Anonymous Coward · · Score: 1

      Apparently the SQL injection was exploited to post a dupe on Slashdot.

    2. Re: Are the retard editors even trying? by Anonymous Coward · · Score: 0

      Make apk an editor imo

    3. Re: Are the retard editors even trying? by Anonymous Coward · · Score: 0

      This is 2019. We don't say the "R" word anymore.

    4. Re: Are the retard editors even trying? by Anonymous Coward · · Score: 0

      Shut up faggot.

    5. Re: Are the retard editors even trying? by Anonymous Coward · · Score: 0

      But I am wetarded you insensitive clod!

    6. Re: Are the retard editors even trying? by Anonymous Coward · · Score: 0

      U mizspewd cwad, wetawd.

  2. Must be what Slashdot uses by Burdell · · Score: 2

    Explains the dupes - injection attacks!

    1. Re:Must be what Slashdot uses by Anonymous Coward · · Score: 0

      Explains the dupes - injection attacks!

      https://magewares.com/blog/protect-magento-site-sql-injection-flaw/

  3. Warming up for April Fools' by Powercntrl · · Score: 2

    Yep, the cat's out of the bag. On April 1st, it will be ALL DUPES, ALL DAY!

    --
    DRM is like antifreeze, to the MPAA/RIAA it's sweet, to the consumers it's poison.

  4. Pff... yeah right! by Gravis+Zero · · Score: 2

    Come on, they've been screaming about this vulnerability on Slashdot for literally hundreds of minutes. If they haven't exploited it by now then what are the chances they are going to all of the sudden change their minds and start exploiting it in the future? ;)

    --
    Anons need not reply. Questions end with a question mark.

    1. Re:Pff... yeah right! by Anonymous Coward · · Score: 0

      they've been screaming about this vulnerability on Slashdot for literally hundreds of minutes. If they haven't exploited it by now then what are the chances they are going to all of the sudden change their minds and start exploiting it in the future?

      Hmm, maybe you hadn't noticed but computer crimes are punished very harshly here in the United States. Remember Aaron Swartz? He was charged with two counts of wire fraud and eleven violations of the Computer Fraud and Abuse Act, carrying a cumulative maximum penalty of $1 million in fines, 35 years in prison, asset forfeiture, restitution, and supervised release. Imagine what they would dish out for actually deleting data or otherwise damaging a computer that was not yours. Does that answer your question?

  5. My Clone Army by MikeDataLink · · Score: 1

    has arrived... here on slashdot.

    --
    Mike @ The Geek Pub. Let's Make Stuff!

  6. But wait... by Anonymous Coward · · Score: 0

    I thought Magneto was supposed to be one of the bad guys, leading his antisocial mutants against Wheelchair-Captain-Picard and his pro-non-mutant, mutant-allies!