'Massive vulnerability' uncovered in eBay Magento ecommerce system

By

Site owners urged to patch against full-compromise "Shoplift" bug.

The open source Magento ecommerce platform owned by online retail giant eBay and driving hundreds of thousands of other merchant sites bears a serious vulnerability that could give attackers full control of stores.

'Massive vulnerability' uncovered in eBay Magento ecommerce system

Security vendor Check Point discovered the flaw and disclosed it privately to eBay earlier this year.

Check Point said the remote code execution vulnerability means any Magento-based store can be taken over by attackers. 

All customer data including credit card details can be captured, as the vulnerability provides full access to Magento users' complete databases, Check Point said.

The compound vulnerability means unauthenticated attackers can chain several security flaws to execute PHP code on webservers. It affects both the Community and Enterprise editions of Magento.

While a patch - SUPEE-5344 - was released in February, Check Point believes hundreds of thousands of Magento stores remain vulnerable to full compromise.

However, Check Point researcher Netanel Rubin, who is credited with having discovered the vulnerability, added that the company is not aware of any current exploitation of the security flaw.

Full technical disclosure of the flaw will be released by Check Point in the coming days, with the possibility of a working proof of concept that can be used to compromise sites. Administrators of Magento sites are advised to patch against the flaw as soon as possible.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
check pointebayecommercemagentoremote code executionsecurity

Sponsored Whitepapers

See everything. Do more.
See everything. Do more.
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Diamond IT Delivers GRC Transformation with Microsoft Purview
Diamond IT Delivers GRC Transformation with Microsoft Purview
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Byte Delivers Future-Ready IT: Transforming Endpoint Security and Productivity with a Cloud-First Strategy
Byte Delivers Future-Ready IT: Transforming Endpoint Security and Productivity with a Cloud-First Strategy

Events

Most Read Articles

India's alarm over Chinese spying rocks CCTV makers

India's alarm over Chinese spying rocks CCTV makers
Hackers abuse modified Salesforce app to steal data, extort companies

Hackers abuse modified Salesforce app to steal data, extort companies
Victoria's Secret pulls down website amid security incident

Victoria's Secret pulls down website amid security incident
Cyber companies hope to untangle weird hacker codenames

Cyber companies hope to untangle weird hacker codenames
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?