Magento Releases Patch For Framework And Payment Gateway Vulnerabilities

Magento developers, it’s time to take note! There is now a patch release for Magento’s framework and payment gateway vulnerabilities.

This all-important security announcement can help ensure the safety of eCommerce stores across the globe. It is essential that you keep up with these vital updates in order to secure your store and protect customer data from malicious cyber attacks.

In this blog, we will cover what the new patch contains and why it is so important that Magento development services implement this update as soon as possible.

Read on to find out more information on how you can enhance protection for your online business through this newly released Magento Security Patch.

Over 100 Magento websites were recently infected by a highly malicious malware – MageCart.

On October 11th, Magento released a patch, SUPEE-8788, to address critical vulnerabilities in the Zend framework and payment gateways.

The patch comprises a bundle of fixes for over fifteen issues, some more critical than the rest. Here are a few examples:

1. Remote Code Execution During Checkout:

This issue has been given the tag APPSEC-1484 by Magento. It is by far the most critical of all the vulnerabilities. The hole allows attackers to inject malicious PHP code at the point of checkout (with certain payment methods). For obvious reasons, this is a dangerous issue: once malicious code runs inside the payment flow, attackers can gain access to your entire Magento site.

2. SQL Injection Bug In Zend Framework:

Zend is an open-source, object-oriented PHP framework. The SQL bug, given the tag APPSEC-1480, is less critical than the remote code execution issue but a red flag nonetheless. The flaw lies in the ordering (sort) parameters, which allow SQL to be injected through grid listings. No frontend entry points are known, however; the only known exposure is through Magento’s own admin panel.
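As an added illustration (not Magento’s code and not the SUPEE-8788 fix itself): the defensive pattern for ordering parameters is to never interpolate a user-supplied sort column or direction into ORDER BY, which cannot be bound as a prepared-statement parameter, and instead allow-list both values. The table and column names, the `sort`/`dir` request parameters and the `sales_order` status filter below are hypothetical.

```php
<?php
// Hypothetical allow-list of columns a grid may be sorted on.
const SORTABLE_COLUMNS = ['entity_id', 'created_at', 'grand_total', 'status'];

/**
 * Build the ORDER BY fragment for a grid from request parameters.
 * The column must be one of our own allow-listed names and the direction
 * is normalised to ASC or DESC, so no request-controlled text reaches SQL.
 */
function buildOrderBy(string $sortField, string $sortDir): string
{
    if (!in_array($sortField, SORTABLE_COLUMNS, true)) {
        throw new InvalidArgumentException('Unsupported sort column: ' . $sortField);
    }
    $dir = strtoupper($sortDir) === 'DESC' ? 'DESC' : 'ASC';
    // Backticks are safe here because $sortField is one of our constants.
    return sprintf('ORDER BY `%s` %s', $sortField, $dir);
}

/**
 * Fetch one page of a (hypothetical) orders grid. The WHERE filter is a
 * bound parameter; the ORDER BY fragment is assembled only from validated
 * values; LIMIT is cast to int before it is placed in the statement.
 */
function fetchOrdersGrid(PDO $pdo, string $status, string $sortField, string $sortDir, int $limit = 20): array
{
    $sql = 'SELECT entity_id, created_at, grand_total, status FROM sales_order'
        . ' WHERE status = :status '
        . buildOrderBy($sortField, $sortDir)
        . ' LIMIT ' . max(1, (int) $limit);
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':status', $status, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Example wiring to request input (hypothetical parameter names). A sort
// column outside the allow-list is rejected before any SQL is built.
// $rows = fetchOrdersGrid($pdo, 'complete', $_GET['sort'] ?? 'created_at', $_GET['dir'] ?? 'DESC');
```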

3. Login As Another Customer:

This one is self-explanatory. In certain configurations, there is a vulnerability (tagged APPSEC-1517) that allows users to sign into your Magento website as an existing customer, requiring just an email ID without the password. While this does not open possibilities of a site-wide takeover or injection of malicious code, it breaches user privacy and safety. This, in turn, presents trust and branding-related issues that will affect your bottom line.

4. Session Does Not Expire After Logout:

This is another safety issue that will impact the user more than your website itself. Sometimes – especially when users are accessing your site on a shared computer – sessions do not expire even after the user has logged out. This opens the possibility of another user stealing session cookies to access the account. This vulnerability has been tagged APPSEC-1478.

There are over ten other issues in the bundle that have been reported and fixed.

Important note:

All the issues mentioned here, as well as on Magento’s website, affect Magento Community Edition (CE) versions before 1.9.3 and Enterprise Editions (EE) before 1.14.3. They have, however, been fixed in CE 1.9.3 and EE 1.14.3.

SUPEE-8788 can be installed on any Magento 1.x version, using the shell script that is provided by Magento. With that said, it is advisable for you to migrate to Magento 1.9.3 or later. For one, the bugs are ironed out in this and later versions. Another point to note is that when you are stuck with an older version of Magento, you are also stuck with older versions of PHP, MySQL and other components, which exposes your entire business to further risk.

Need help installing the SUPEE-8788 patch or looking to migrate altogether?