
Critical XSS flaws in Magento leave millions of ecommerce sites at risk

     
9:21 pm on Jan 25, 2016 (gmt 0)

Administrator from JP 

bill (WebmasterWorld Administrator)

joined:Oct 12, 2000
posts:15149
votes: 170


If you run a Magento website, you should update it now.
Critical XSS flaws in Magento leave millions of ecommerce sites at risk [nakedsecurity.sophos.com]
For as long as there have been websites, the vast majority of vulnerabilities have come about because of a failure to handle incoming data properly and the list of Magento vulnerabilities is no exception.

The most serious though are the Critical XSS vulnerabilities.

Each of them could be used to take over vulnerable ecommerce sites, putting the stores’ users and their credit card data at risk, as well representing a serious threat to the business behind the store.

All an attacker’s software needs to do is register for a vulnerable store using a spiked email address (or a spiked username if it’s running version 2).

9:20 pm on Jan 26, 2016 (gmt 0)

Senior Member from US 

tangor (WebmasterWorld Senior Member)

joined:Nov 29, 2005
posts:9902
votes: 970


Another take:

A huge security hole has been found in popular ecommerce platform Magento, requiring an immediate update.

Critical cross-site scripting vulnerabilities have been found in both versions 1 and 2 of the platform. They can be exploited just by registering with a spiked username or email address – making it an obvious target for automated attack.

The holes can be used to effectively take over a Magento store, putting both user data and credit card data at risk.

[theregister.co.uk...]

One of my clients called late night in a panic "get me off this thing now!" I grumbled and mumbled and said "shut up I'll patch it" and did. The patches are available, so do it.

(never liked Magento, but that's a personal thing; it does what it is supposed to do)
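The class of bug both posts describe, a registration field stored as-is and later echoed into an admin page without output encoding, shown as an added example written for this thread; it is not code from Magento or from either article. The sample address, the validation regex and the function names are assumptions made for illustration.

```python
import html
import re

# Constructed sample: a registration submission whose e-mail field carries
# markup (the "spiked email address" the thread refers to). Invented value.
SPIKED_EMAIL = 'x@example.com"><script>alert(1)</script>'

# Conservative intake check: local@domain with no whitespace, quotes or angle
# brackets. Deliberately stricter than RFC 5322; an assumption of this example,
# not Magento's own validator.
_EMAIL_RE = re.compile(r'^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$')


def register_customer(email: str, customers: list) -> bool:
    """First line of defence: refuse addresses that are not plain e-mail syntax."""
    if not _EMAIL_RE.fullmatch(email):
        return False
    customers.append({"email": email})
    return True


def render_customer_row_vulnerable(customer: dict) -> str:
    """Admin grid row built by raw interpolation: whatever was stored is
    emitted as HTML, so markup in the field becomes live markup."""
    return f'<tr><td>{customer["email"]}</td></tr>'


def render_customer_row_safe(customer: dict) -> str:
    """Same row with context-aware encoding for HTML text content. This is the
    fix that matters even when intake validation is bypassed or added late."""
    return f'<tr><td>{html.escape(customer["email"], quote=True)}</td></tr>'


def contains_live_markup(rendered: str) -> bool:
    """Crude check used for self-testing: is there an unescaped <script> tag?"""
    return "<script" in rendered.lower()
```

Records created before a patch are still stored verbatim, so the encoding on output is what protects the admin session; the intake check only stops new records.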