'Massive vulnerability' uncovered in eBay Magento ecommerce system

By

Site owners urged to patch against full-compromise "Shoplift" bug.

The open source Magento ecommerce platform owned by online retail giant eBay and driving hundreds of thousands of other merchant sites bears a serious vulnerability that could give attackers full control of stores.

'Massive vulnerability' uncovered in eBay Magento ecommerce system

Security vendor Check Point discovered the flaw and disclosed it privately to eBay earlier this year.

Check Point said the remote code execution vulnerability means any Magento-based store can be taken over by attackers. 

All customer data including credit card details can be captured, as the vulnerability provides full access to Magento users' complete databases, Check Point said.

The compound vulnerability means unauthenticated attackers can chain several security flaws to execute PHP code on webservers. It affects both the Community and Enterprise editions of Magento.

While a patch - SUPEE-5344 - was released in February, Check Point believes hundreds of thousands of Magento stores remain vulnerable to full compromise.

However, Check Point researcher Netanel Rubin, who is credited with having discovered the vulnerability, added that the company is not aware of any current exploitation of the security flaw.

Full technical disclosure of the flaw will be released by Check Point in the coming days, with the possibility of a working proof of concept that can be used to compromise sites. Administrators of Magento sites are advised to patch against the flaw as soon as possible.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:

Most Read Articles

India's alarm over Chinese spying rocks CCTV makers

India's alarm over Chinese spying rocks CCTV makers

Hackers abuse modified Salesforce app to steal data, extort companies

Hackers abuse modified Salesforce app to steal data, extort companies

Victoria's Secret pulls down website amid security incident

Victoria's Secret pulls down website amid security incident

Cyber companies hope to untangle weird hacker codenames

Cyber companies hope to untangle weird hacker codenames

Log In

  |  Forgot your password?