Unpatched Magento Zero Day Leaves 200,000 Merchants Vulnerable (threatpost.com) 29
An anonymous reader quotes ThreatPost:
A popular version of the open source Magento ecommerce platform is vulnerable to a zero-day remote code execution vulnerability, putting as many as 200,000 online retailers at risk... According Bosko Stankovic, information security engineer at DefenseCode, despite repeated efforts to notify Magento, which began in November 2016, the vulnerability remains unpatched despite four version updates since the disclosure. Affected versions of the Magento Community Edition software include v. 2.1.6 and below. DefenseCode did not examine Magento Enterprise, the commercial version of the platform, but warns both share the same underlying vulnerable code... The remote code execution (RCE) vulnerability is tied to the default feature in Magento Community Edition that allows administrators to add Vimeo video content to product descriptions.
DefenseCode says the exploit can be mitigated by enforcing Magento's "Add Secret Keys To URLS" feature, warning in a paper that the hole otherwise "could lead to remote code execution and thus the complete system compromise including the database containing sensitive customer information such as stored credit card numbers and other payment information." Magento has confirmed the exploit, says they're investigating it, and promises they'll address it in their next patch release.
DefenseCode says the exploit can be mitigated by enforcing Magento's "Add Secret Keys To URLS" feature, warning in a paper that the hole otherwise "could lead to remote code execution and thus the complete system compromise including the database containing sensitive customer information such as stored credit card numbers and other payment information." Magento has confirmed the exploit, says they're investigating it, and promises they'll address it in their next patch release.
First Patch! (Score:1)
Patching first since 1997!
Re: First Patch! (Score:2)
Is that you?
Re: (Score:3)
You're trolling, but ok... RTFS:
...the commercial version of the platform, but warns both share the same underlying vulnerable code...
So even if you pay, you have the same problem.
Re: (Score:2)
Okay, who else? (Score:2, Insightful)
Who else misread that as "Unpatched Magneto [wikipedia.org] Zero Day"?
Re: (Score:2)
Re: (Score:2)
Yeah, I thought the exploit was named Magneto, and was looking for some X-Men reference in what it did.
Re: (Score:2)
"Yeah, I thought the exploit was named Magneto, and was looking for some X-Men reference in what it did."
Just Google 'Dyslexia' if you want to know the reason.
Still a zero-day? (Score:2, Interesting)
Is it still a zero-day exploit if it's the next day??
I mean, the linked article on ThreatPost is dated April 13 which was 2 days ago so doesn't that make this at least a 2-day exploit by now?
Re: (Score:1)
I would say Slashdot operates on pothead time, but that would only be an offset of a couple hours.
Unsurprising (Score:2)
When I looked at Magento it was a sieve peppered with .50 caliber holes. I passed.