
Magento Security Posts

MAGENTO SECURITY PATCH SUPEE-11086 RELEASED

SUPEE-11086, Magento Commerce 1.14.4.1 and Open Source 1.9.4.1 contain multiple security enhancements that help close remote code execution (RCE), cross-site scripting (XSS), cross-site request forgery (CSRF) and other vulnerabilities.

Patches and upgrades are available for the following Magento versions:

  • Magento Commerce 1.9.0.0-1.14.4.0: SUPEE-11086 or upgrade to Magento Commerce 1.14.4.1.
  • Magento Open Source 1.5.0.0-1.9.4.0: SUPEE-11086 or upgrade to Magento Open Source 1.9.4.1.

List of High CVSSv3 Severity Issues Addressed by this Security Patch

    • SQL injection vulnerability exploitable by an unauthenticated user:
      An unauthenticated user can execute arbitrary code through an SQL injection vulnerability, which causes sensitive data leakage.
    • Remote code execution via server-side request forgery:
      An authenticated user with administrative privileges to store configuration can execute arbitrary code via server-side request forgery (SSRF) issued to Redis. The SSRF is facilitated through a crafted gateway XML URL configuration.
    • Arbitrary code execution due to unsafe handling of a malicious product attribute configuration:
      An authenticated user with privileges to configure products can execute arbitrary PHP code.
    • Arbitrary code execution due to unsafe deserialization of a PHP archive:
      An authenticated user with administrative privileges can execute arbitrary code through a Phar deserialization vulnerability.
    • Arbitrary code execution due to unsafe handling of a malicious layout update:
      An authenticated user with privileges to the dataflow importer and catalog categories can execute arbitrary PHP code.
    • Remote code execution through PHP code that can be uploaded to the nginx server due to crafted customer store attributes:
      An authenticated user with privileges to modify a customer's store attributes can execute arbitrary code when allowed to upload PHP input files to the nginx server.
    • Remote code execution through arbitrary XML data sent through a layout table:
      An authenticated user with administrative privileges to modify layouts can execute arbitrary code by injecting arbitrary XML data into a layout table.
    • Arbitrary code execution through bypass of PHP file upload restriction:
      An authenticated user with privileges to system configuration files can bypass file upload restrictions and upload and execute arbitrary PHP code.
    • Arbitrary code execution due to bypass of layout validator:
      An authenticated user with privileges can bypass the layout validator and execute arbitrary code through layout updates in the Admin.


If you want to implement this security patch or have any questions regarding the Magento security SUPEE-11086 patch, please contact our support team to consult our certified Magento developers.

MAGENTO SECURITY PATCH SUPEE-10975 RELEASED

SUPEE-10975, Magento Commerce 1.14.4.0 and Open Source 1.9.4.0 contain multiple security enhancements that help close remote code execution (RCE), cross-site scripting (XSS), cross-site request forgery (CSRF) and other vulnerabilities.

Patches and upgrades are available for the following Magento versions:

  • Magento Commerce 1.9.0.0-1.14.4.0: SUPEE-10975 or upgrade to Magento Commerce 1.14.4.0.
  • Magento Open Source 1.5.0.0-1.9.4.0: SUPEE-10975 or upgrade to Magento Open Source 1.9.4.0.

Several high CVSSv3 severity issues were found affecting Magento Open Source prior to 1.9.4.0, Magento Commerce prior to 1.14.4.0, Magento 2.1 prior to 2.1.16 and Magento 2.2 prior to 2.2.7. Some of the bugs are listed below:

Issue Type: Brute Force Login / Session Identifier

  CVSSv3 Severity: 9.0
  Security Bug: Stops Brute Force Requests via basic RSS authentication
  Description: An attacker is able to brute-force requests to the RSS nodes that require admin authentication. With this, the attacker would be able to guess the admin password.

Issue Type: Compliance Requirement

  CVSSv3 Severity: 9.0
  Security Bug: M1 Credit Card Storage Capability
  Description: Removes functionality enabling M1 customers to store credit card data in the database.

Issue Type: Remote Code Execution (RCE)

  CVSSv3 Severity: 8.5
  Security Bug: Authenticated RCE using customer import
  Description: Restricts Admin users with access to edit product attributes from running customer imports that execute arbitrary code using a serialized string that has been set as validate_rules on an attribute.

  CVSSv3 Severity: 8.5
  Security Bug: API Based RCE Vulnerability
  Description: By activating an API that includes the ability to add products, it is possible to send base64-encoded content to an unauthorized file and, with it, execute an RCE.

  CVSSv3 Severity: 8.5
  Security Bug: RCE Via Unauthorized Upload
  Description: Prevents a user from uploading unauthorized files while attaching videos.

  CVSSv3 Severity: 8.5
  Security Bug: Authenticated RCE using dataflow
  Description: Prevents Admin users with access to dataflow functionality from executing arbitrary code using a specially crafted serialized string.

Source: Magento

It is highly recommended by Magento to deploy these new releases right away, to ensure optimal security and performance. Remember to implement and test the patch in a development environment first to confirm that it works as expected or consult a professional.

What else can be done to protect a Magento site?

Apart from installing the security patches, you can always ask Magento certified professionals to conduct a security audit every quarter to ensure that your store is secured, especially if you have installed new extensions and made changes to the site.

If you want to implement this security patch or have any questions regarding the Magento security SUPEE-10975 patch, please contact our support team to consult our certified Magento developers.

MAGENTO SECURITY PATCH SUPEE-10888 RELEASED

SUPEE-10888, Magento Commerce 1.14.3.10 and Open Source 1.9.3.10 contain multiple security enhancements that help close cross-site scripting (XSS), cross-site request forgery (CSRF) and other vulnerabilities.

Patches and upgrades are available for the following Magento versions:

  • Magento Commerce 1.9.0.0-1.14.3.10: SUPEE-10888 or upgrade to Magento Commerce 1.14.3.10.
  • Magento Open Source 1.5.0.0-1.9.3.10: SUPEE-10888 or upgrade to Magento Open Source 1.9.3.10.

Several CVSSv3 severity issues were found affecting the Magento products. Some of the bugs are listed below:

Issue Type: XML injection

  CVSSv3 Severity: 6.9
  Security Bug: Authenticated Unauthorised Data Access Via Layout Injection
  Description: An administrator with limited permissions might be able to obtain information outside of his permissions.

Issue Type: General: Cross Site Scripting (reflective)

  CVSSv3 Severity: 6.1
  Security Bug: Reflective XSS against Admin Panel
  Description: Arbitrary JS can be triggered on the sales order grid page by manipulating one of the URL parameters.

  CVSSv3 Severity: 6.1
  Security Bug: Admin to Admin XSS in configurable custom attribute label
  Description: An administrator with limited permissions might be able to use an XSS attack on another administrator.

Issue Type: Privilege Escalation & Enumeration: Information Exposure

  CVSSv3 Severity: 5.9
  Security Bug: Overwrite all Reviews
  Description: In specific configurations, it might be possible to overwrite reviews.

  CVSSv3 Severity: N/A
  Security Bug: Reset password URL includes the customer ID
  Description: The reset password link for a customer account includes the customer ID. An attacker can use the customer ID to gain access to the customer account, despite the use of a token.

Source: Magento

It is highly recommended by Magento to deploy these new releases right away, to ensure optimal security and performance. Remember to implement and test the patch in a development environment first to confirm that it works as expected or consult a professional.

What else can be done to protect a Magento site?

Apart from installing the security patches, you can always ask Magento certified professionals to conduct a security audit every quarter to ensure that your store is secured, especially if you have installed new extensions and made changes to the site.

If you want to implement this security patch or have any questions regarding the Magento security SUPEE-10888 patch, please contact our support team to consult our certified Magento developers.

MAGENTO SECURITY PATCH SUPEE-10752 RELEASED

SUPEE-10752, Magento Commerce 1.14.3.9 and Open Source 1.9.3.9 contain multiple security enhancements that help close authenticated Admin user remote code execution (RCE), cross-site request forgery (CSRF) and other vulnerabilities.

NOTE: Conflicts during installation of the patch SUPEE-10752 are caused most often by having version 1 of the previous patch installed (SUPEE-10570v1). Please make sure to remove SUPEE-10570v1 and install SUPEE-10570v2 prior to installation of SUPEE-10752.
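To check whether a store actually carries the patches these posts describe, including the SUPEE-10570v2 prerequisite from the note above, here is an added audit script; it is not part of the original post or of Magento's own tooling, and the record layout it assumes for app/etc/applied.patches.list (pipe-separated fields, a "vN" revision field, a "REVERTED" marker) is an assumption to verify against your own file.

```python
import re

# Patches this page covers, oldest first, plus SUPEE-10570, which the
# SUPEE-10752 installation note requires as v2 rather than v1.
EXPECTED_PATCHES = ["SUPEE-10570", "SUPEE-10752", "SUPEE-10888",
                    "SUPEE-10975", "SUPEE-11086"]
MIN_REVISION = {"SUPEE-10570": 2}
PATCH_ID = re.compile(r"^SUPEE-\d+$")
REVISION = re.compile(r"^v(\d+)$")

def parse_applied_patches(text):
    """Map each patch id to its current revision (None once reverted).
    Assumed layout of app/etc/applied.patches.list (verify against your own
    file): one pipe-separated line per patch operation whose fields include
    the SUPEE id and revision ('v1', 'v2'); a line carrying the field
    'REVERTED' undoes the earlier application of that patch.
    """
    state = {}
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        ids = [f for f in fields if PATCH_ID.match(f)]
        if not ids:
            continue  # blank lines and per-file listings carry no record
        if "REVERTED" in fields:
            state[ids[0]] = None
            continue
        revs = [int(f[1:]) for f in fields if REVISION.match(f)]
        state[ids[0]] = revs[0] if revs else 1  # no revision field: assume v1
    return state

def audit(state):
    """Return one finding per expected patch that is absent or too old."""
    findings = []
    for patch in EXPECTED_PATCHES:
        rev = state.get(patch)
        if rev is None:
            findings.append(f"{patch} missing (never applied or reverted)")
        elif rev < MIN_REVISION.get(patch, 1):
            findings.append(f"{patch} v{rev} applied, v{MIN_REVISION[patch]} required")
    return findings

# Constructed sample in the assumed layout: SUPEE-10570 v1 applied, reverted,
# replaced by v2; SUPEE-10752 applied; the three later patches never applied.
SAMPLE = """\
2018-03-01 09:00:00 UTC | SUPEE-10570 | CE_1.9.3.7 | v1 | commit-placeholder | v1.9.3.7..HEAD
2018-06-01 09:00:00 UTC | SUPEE-10570 | REVERTED | v1 | commit-placeholder | v1.9.3.7..HEAD
2018-06-01 09:05:00 UTC | SUPEE-10570 | CE_1.9.3.7 | v2 | commit-placeholder | v1.9.3.7..HEAD
2018-06-27 09:00:00 UTC | SUPEE-10752 | CE_1.9.3.8 | v1 | commit-placeholder | v1.9.3.8..HEAD
"""
```

Run `audit(parse_applied_patches(open("app/etc/applied.patches.list").read()))` from the store root; an empty list means every listed patch is in place at the required revision.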

Patches and upgrades are available for the following Magento versions:

  • Magento Commerce 1.9.0.0-1.14.3.9: SUPEE-10752 or upgrade to Magento Commerce 1.14.3.9.
  • Magento Open Source 1.5.0.0-1.9.3.9: SUPEE-10752 or upgrade to Magento Open Source 1.9.3.9.

Several CVSSv3 severity issues were found affecting the Magento products. Some of the bugs are listed below:

Issue Type: Remote Code Execution (RCE)

  CVSSv3 Severity: 9.8 (Critical)
  Security Bug: Authenticated Remote Code Execution (RCE) using custom layout XML
  Description: Admin users with permission to manage products can use custom layout XML to copy any file to any location.

  CVSSv3 Severity: 9.8 (Critical)
  Security Bug: Authenticated Remote Code Execution (RCE) through the Create New Order feature (Commerce only)
  Description: Users with permission to generate sales orders from the Admin panel can use gift card functionality to manipulate request data and inject a malicious string that is later unserialized.

  CVSSv3 Severity: 8.9 (High)
  Security Bug: PHP Object Injection and RCE in the Magento admin panel (Commerce Target Rule module)
  Description: An administrator user with access to the Enterprise Target rule module can create rule-based product relations that can be manipulated to trigger remote code execution.

  CVSSv3 Severity: 8.9 (High)
  Security Bug: PHP Object Injection and Remote Code Execution (RCE) in the Admin panel (Commerce)
  Description: An administrator user with access to the Commerce Target rule module can create rule-based product relations that can be manipulated to trigger remote code execution.

Issue Type: SQL Injection (SQLi)

  CVSSv3 Severity: 8.2 (High)
  Security Bug: Authenticated SQL Injection when saving a category
  Description: Arbitrary JS can be triggered on the sales order grid page by manipulating one of the URL parameters.

  CVSSv3 Severity: 8.2 (High)
  Security Bug: Admin to Admin XSS in configurable custom attribute label
  Description: By manipulating request data when saving a category, a user can insert a malicious string into the database that can be used in a subsequent request to perform SQL injection. This injected code can be used to trigger arbitrary insert and update commands (with the proviso that they fit in the 255-character field).

Issue Type: Cross Site Request Forgery (CSRF)

  CVSSv3 Severity: 7.4 (High)
  Security Bug: CSRF is possible against Web sites, Stores, and Store Views
  Description: Multiple CSRF vulnerabilities allow for deleting websites, stores or store views.

Issue Type: Security Implementation Flaw

  CVSSv3 Severity: 7.4 (High)
  Security Bug: The cron.php file can leak database credentials
  Description: The cron.php file can leak database credentials if it is not able to establish a connection to the database.

Source: Magento

It is highly recommended by Magento to deploy these new releases right away, to ensure optimal security and performance. Remember to implement and test the patch in a development environment first to confirm that it works as expected or consult a professional.

What else can be done to protect a Magento site?

Apart from installing the security patches, you can always ask Magento certified professionals to conduct a security audit every quarter to ensure that your store is secured, especially if you have installed new extensions and made changes to the site.

If you want to implement this security patch or have any questions regarding the Magento security SUPEE-10752 patch, please contact our support team to consult our certified Magento developers.