- 15th September 2017
- by David
Magento critical update in 220.127.116.11 (Enterprise Edition EE) and 18.104.22.168 (Community Edition CE) – Contact OMS immediately for help
Magento, the popular ecommerce platform, has just announced on September 14th 2017 that clients must download a new security update urgently. This security update has been produced in order to address customer account vulnerabilities.
Clients using Magento should contact OMS immediately on 01543 899 617 to ensure that their systems and their customer information remains safe.
To check the magento version for CE or EE you must log into the admin area and scroll to the bottom of the page where it should say something along the lines of Magento Version 1.9.x
Your Magento logins could be exposed
The announcement from Magento states that the security update will put in place multiple security enchantments, to protect clients from ‘cross-site request forgery’ and ‘authenticated admin user remote code execution vulnerabilities’.
The Magento security update is for the communications and enterprise editions of its software, which provides online merchants with flexible shopping cart systems, online stores and catalog management tools.
The specific Magento platforms that are at risk are:
- Magento Commerce prior to 22.214.171.124
- Magento Open Source prior to 126.96.36.199
- Magento 2.0 prior to 2.0.16
- Magento 2.1 prior to 2.1.9
Although Magento is not aware of an attack, it has discovered that a Magento administrator with limited privileges would be able to add ‘malicious code’, when creating new CMS pages. This malicious code may result in arbitrary remote code execution.
High-level Magento vulnerabilities
Further high-level vulnerabilities that are addressed in the latest Magento security patch are described below:
- Magento admins with restricted privileges could enter content, which references and exposes Magento installation info that is sensitive and hence may be used to leverage exploitation
- Attackers may use low privilege RSS session cookies and increase their privileges in order to get access to Magento Admin Portals
The vital update also tackles threats that Magento has deemed to be of medium risk. These risks includes the possibility for admins, again with limited privileges, to force Magento store notifications and these could include internal system files. Admins can additionally exploit vulnerabilities in the customer group to create URLs that may be used as part of a CSRF attack.
Other vulnerabilities have been identified in the areas of newsletter templates, RSS feeds, auto-complete fields, session cookies, non-Apache installations such as Nginx and sales order records, where XSS attacks can be made on anyone that views the page. Furthermore attacks can be crafted where during checkout, URL requests can retrieve info about past orders.
The security update will need to be implemented and tested in the development environment first. This should be completed before the update is deployed on a production site.
We appreciate the complexities of such updates, so please contact us for help and advice.