Magento Releases Patch For Framework And Payment Gateway Vulnerabilities
Over 100 Magento websites were recently infected with MageCart, a highly malicious piece of malware.
On October 11th, Magento released a patch, SUPEE-8788, to address critical vulnerabilities in the Zend framework and payment gateways.
The patch comprises a bundle of fixes for over fifteen issues, some more critical than the rest. Here are a few examples:
1. Remote Code Execution During Checkout:
Magento has tagged this issue APPSEC-1484. It is by far the most critical of all the vulnerabilities. The flaw allows attackers to inject malicious PHP code at the point of checkout (with certain payment methods). For obvious reasons, this is a dangerous issue: if there is malware in the payment gateways, hackers can get access to your entire Magento site.
2. SQL Injection Bug In Zend Framework:
Zend is an open-source, object-oriented PHP framework. The SQL bug, given the tag APPSEC-1480, is less critical than the remote code execution issue but a red flag nonetheless. A bug was discovered in the essential ordering parameters, which allows users to inject SQL through the grids. However, there are no known frontend points of vulnerability except in Magento’s own admin panel.
3. Login As Another Customer:
This one is self-explanatory. In certain configurations, there is a vulnerability (tagged APPSEC-1517) that allows users to sign into your Magento website as an existing customer, requiring just an email ID without the password. While this does not open possibilities of a site-wide takeover or injection of malicious code, it breaches user privacy and safety. This, in turn, presents trust and branding-related issues that will affect your bottom line.
4. Session Does Not Expire After Logout:
This is another safety issue that will impact the user more than your website itself. Sometimes – especially when users are accessing your site on a shared computer – sessions do not expire even after the user has logged out. This opens the possibility of another user stealing session cookies to access the account. This vulnerability has been tagged APPSEC-1478.
There are over ten other issues that have been reported and fixed in the bundle.
All the issues mentioned here, as well as on Magento’s website, affect Magento Community Edition (CE) versions before 1.9.3 and Enterprise Editions (EE) before 1.14.3. They have, however, been fixed in CE 1.9.3 and EE 1.14.3.
SUPEE-8788 can be installed on any Magento 1.X version, using the shell script that is provided by Magento. With that said, it is advisable for you to migrate to Magento 1.9.3 and later. For one, the bugs are ironed out in this and later versions. Another point to note is that when you are stuck with an older version of Magento, you are also stuck with older versions of PHP, MySQL and others, compromising your entire business in many ways.
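To turn the version cut-offs and patch status above into a quick audit, the following added example (not from Magento or the original article) classifies an install as FIXED, PATCHED or VULNERABLE. It assumes the patch script records each run in a pipe-separated log with the patch ID in the second field and a trailing REVERTED marker on reverts; the function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a Magento 1.x install against the SUPEE-8788 cut-offs.

# version_lt A B: succeeds if dotted version A is numerically lower than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= n || i <= m; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# patch_applied LOG ID: succeeds if the last log entry for ID is not a revert.
# Assumed log format: "timestamp | PATCH-ID | edition | ... [| REVERTED]".
patch_applied() {
    [ -r "$1" ] || return 1
    awk -F'|' -v id="$2" '
        $2 ~ ("^[ \t]*" id "[ \t]*$") { applied = ($NF !~ /REVERTED/) }
        END { exit (applied ? 0 : 1) }
    ' "$1"
}

# audit EDITION VERSION LOG: prints FIXED, PATCHED or VULNERABLE.
audit() {
    case "$1" in
        CE) fixed=1.9.3 ;;    # fixed releases as stated in the article
        EE) fixed=1.14.3 ;;
        *)  echo UNKNOWN; return 2 ;;
    esac
    if ! version_lt "$2" "$fixed"; then echo FIXED
    elif patch_applied "$3" SUPEE-8788; then echo PATCHED
    else echo VULNERABLE
    fi
}

# Constructed sample log: the patch was applied and later reverted.
log=$(mktemp)
cat > "$log" <<'EOF'
2016-10-12 09:31:45 UTC | SUPEE-8788 | CE_1.9.2.4 | v1 | <commit> | <date> | <range>
patching file <path>
2016-10-13 08:02:10 UTC | SUPEE-8788 | CE_1.9.2.4 | v1 | <commit> | <date> | <range> | REVERTED
EOF
audit CE 1.9.2.4 "$log"
audit CE 1.9.3 "$log"
rm -f "$log"
```

On a real install, pass the version reported by Mage::getVersion() and the patch log under the Magento root (assumed here to be app/etc/applied.patches.list).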
Need help installing the SUPEE-8788 patch or looking to migrate altogether?