'Massive vulnerability' uncovered in eBay Magento ecommerce system

By

Site owners urged to patch against full-compromise "Shoplift" bug.

The open source Magento ecommerce platform owned by online retail giant eBay and driving hundreds of thousands of other merchant sites bears a serious vulnerability that could give attackers full control of stores.

'Massive vulnerability' uncovered in eBay Magento ecommerce system

Security vendor Check Point discovered the flaw and disclosed it privately to eBay earlier this year.

Check Point said the remote code execution vulnerability means any Magento-based store can be taken over by attackers. 

All customer data including credit card details can be captured, as the vulnerability provides full access to Magento users' complete databases, Check Point said.

The compound vulnerability means unauthenticated attackers can chain several security flaws to execute PHP code on webservers. It affects both the Community and Enterprise editions of Magento.

While a patch - SUPEE-5344 - was released in February, Check Point believes hundreds of thousands of Magento stores remain vulnerable to full compromise.

However, Check Point researcher Netanel Rubin, who is credited with having discovered the vulnerability, added that the company is not aware of any current exploitation of the security flaw.

Full technical disclosure of the flaw will be released by Check Point in the coming days, with the possibility of a working proof of concept that can be used to compromise sites. Administrators of Magento sites are advised to patch against the flaw as soon as possible.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
check pointebayecommercemagentoremote code executionsecurity

Sponsored Whitepapers

Modern Identity for SAP and Beyond: Replace SAP IDM with Saviynt
Modern Identity for SAP and Beyond: Replace SAP IDM with Saviynt
Saviynt Simplifies GRC and Access Control for SAP and Beyond
Saviynt Simplifies GRC and Access Control for SAP and Beyond
Futureproof Your Business with Datacom and AMD: Seamless Windows 11 Transition
Futureproof Your Business with Datacom and AMD: Seamless Windows 11 Transition
See everything. Do more.
See everything. Do more.
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra

Events

Most Read Articles

CBA looks to GenAI to assist 1200 'security champions'

CBA looks to GenAI to assist 1200 'security champions'
NSW Police to embark on $126m IT overhaul

NSW Police to embark on $126m IT overhaul
Australia's super funds told to assess authentication controls

Australia's super funds told to assess authentication controls
Woolworths' CSO is Optus-bound

Woolworths' CSO is Optus-bound
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?