Magento e-stores unpatched against serious flaws

More than half of Magento e-commerce stores worldwide remain vulnerable to one or more serious flaws that could lead to full takeover of the installations, a survey by Dutch hosting service Byte.nl shows.

Byte.nl principal Willem de Groot tested all 216,394 known Magento installations globally this month, and discovered that over four-fifths of the Community editions were vulnerable to the SUPEE 6482 bug that allows attackers to hijack customer sessions.

While Enterprise edition Magento customers have mostly patched against the serious Shoplift flaw discovered earlier this year, 46 percent of Community edition users are still vulnerable to have their e-commerce sites fully taken over by attackers.

Only 8 percent of Enterprise Edition customers are vulnerable to Shoplift, but de Groot's testing showed that 59 percent have not patched against the serious SUPEE 6482 bug.

"May shops got hacked; customer data was stolen, and payments were diverted," thanks to the recent vulnerabilities in Magento, de Groot said.

De Groot blamed cumbersome patching processes for Magento users not updating their installation and risking serious financial losses.

Patching Magento stores is done via the command line, requiring terminal access, but de Groot noted this was not possible in many cases.

"Many people run Windows (no terminal), have a hosting account without terminal access or lack the terminal voodoo to download and execute the patches," he wrote.

Applying the patch is also complex, requiring users to restart or clear parts of their application stacks, the opcode cache in the PHP scripting engine and block caches. If those steps are not taken, it appears as if the patch has been applied, but it won't in fact protect the Magento installation.

Actually obtaining the patches and installing them for each shop is an awkward process, de Groot said.

Users have to establish which identifiers match the patches they need, create a Magento account and log into it, download the files to where their installations are located and then manually apply the updates via the command line.

"And then you have to test if everything works as before. Chances are, especially if you maintain multiple shops, that you forget one or more patches/shops," he said.

De Groot called on Magento to simplify the updating procedures and provide clearer descriptions of the patches.

Ideally, Magento should develop an auto-update feature for users' e-commerce installations, de Groot said.

iTnews has contacted Magento for comment.

Update:

Ted Pietrzak, head of Magento product development at eBay, told iTnews the e-commerce vendor wants to empower retailers, brands and branded manufactures to maintain the kind of fine-grained control they expect from the software, even when it comes to their security implementations.

"Patch updating is a nuanced process, particularly with the high-level of customization that merchants implement in order to create uniquely branded customer experiences with Magento. While the unique flexibility of our platform prohibits us from enabling auto-patching, we always work to inform affected merchants and equip them to apply patches as quickly as possible,” Pietrzak said.

"We are working to further simplify the download process for all versions by making patches more easily available for automated downloads," he said.