'Massive vulnerability' uncovered in eBay Magento ecommerce system

By
Follow google news

Site owners urged to patch against full-compromise "Shoplift" bug.

The open source Magento ecommerce platform owned by online retail giant eBay and driving hundreds of thousands of other merchant sites bears a serious vulnerability that could give attackers full control of stores.

'Massive vulnerability' uncovered in eBay Magento ecommerce system

Security vendor Check Point discovered the flaw and disclosed it privately to eBay earlier this year.

Check Point said the remote code execution vulnerability means any Magento-based store can be taken over by attackers. 

All customer data including credit card details can be captured, as the vulnerability provides full access to Magento users' complete databases, Check Point said.

The compound vulnerability means unauthenticated attackers can chain several security flaws to execute PHP code on webservers. It affects both the Community and Enterprise editions of Magento.

While a patch - SUPEE-5344 - was released in February, Check Point believes hundreds of thousands of Magento stores remain vulnerable to full compromise.

However, Check Point researcher Netanel Rubin, who is credited with having discovered the vulnerability, added that the company is not aware of any current exploitation of the security flaw.

Full technical disclosure of the flaw will be released by Check Point in the coming days, with the possibility of a working proof of concept that can be used to compromise sites. Administrators of Magento sites are advised to patch against the flaw as soon as possible.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:

Most Read Articles

National photo licence recognition system set to go live in 2025

National photo licence recognition system set to go live in 2025

Age verification IDs taken in Discord data breach

Age verification IDs taken in Discord data breach

Qantas says customer data released by cyber criminals

Qantas says customer data released by cyber criminals

NSW gov contractor uploaded Excel spreadsheet of flood victims' data to ChatGPT

NSW gov contractor uploaded Excel spreadsheet of flood victims' data to ChatGPT

Log In

  |  Forgot your password?