Magento is an e-commerce platform written in PHP. It provides online traders with a flexible shopping cart system, as well as control over the appearance, content and functionality of their online store. It also offers strong marketing, search engine optimization and catalog-management tools.
A security researcher from DefenseCode has released proof-of-concept (PoC) code for two CSRF (Cross-Site Request Forgery) and stored XSS (Cross-Site Scripting) flaws affecting a number of versions of Magento.
The exploitation of these vulnerabilities could lead to administrator account takeover and ultimately to theft of user payment data.
According to DefenseCode:
“There is a Cross-Site Request Forgery vulnerability present in Customer Groups when a POST request is changed to GET on saving changes to existing groups (/customer/group/save/). When the request method is switched, the lack of the form_key parameter, which serves as a CSRF token, is completely ignored.”
“There is a Cross-Site Request Forgery vulnerability present in Newsletter Templates when a POST request is changed to GET on saving changes on existing or adding new templates (/newsletter/template/save/). When the request method is switched, the lack of the form_key parameter, which serves as a CSRF token, is completely ignored.”
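The pattern DefenseCode describes, a CSRF token that is only checked for POST, is shown below in a constructed PHP handler together with a hardened version. This is an added illustration, not Magento's own code; the function names, the sample token and the request arrays are all invented for the example.

```php
<?php
// Constructed example (not Magento code): a state-changing admin "save" handler.
// Vulnerable pattern: the CSRF token (form_key) is only validated when the
// request is a POST. The same parameters sent as a GET skip the check entirely,
// which is the method-switch bypass described in the advisory.
function saveGroupVulnerable(array $request, string $method, string $sessionFormKey): string
{
    if ($method === 'POST') {
        if (($request['form_key'] ?? '') !== $sessionFormKey) {
            return 'rejected: invalid form_key';
        }
    }
    // A GET request reaches this point with no token check at all.
    return 'saved';
}

// Hardened pattern: a state-changing action accepts POST only, and the token is
// validated on every request that reaches the handler, whatever the method.
function saveGroupHardened(array $request, string $method, string $sessionFormKey): string
{
    if ($method !== 'POST') {
        return 'rejected: method not allowed'; // a real controller would answer 405
    }
    $submitted = (string) ($request['form_key'] ?? '');
    // hash_equals gives a constant-time comparison of the two tokens.
    if ($submitted === '' || !hash_equals($sessionFormKey, $submitted)) {
        return 'rejected: invalid form_key';
    }
    return 'saved';
}

// Constructed sample data: the token stored in the admin session, and a
// cross-site GET request that carries the group fields but no form_key.
$sessionKey = 'k1Xw9bQ2tZ7pR4mN';
$crossSiteGet = ['id' => '3', 'code' => 'Wholesale'];
$legitimatePost = ['id' => '3', 'code' => 'Wholesale', 'form_key' => $sessionKey];

echo 'vulnerable, GET without token: ', saveGroupVulnerable($crossSiteGet, 'GET', $sessionKey), PHP_EOL;
echo 'hardened,   GET without token: ', saveGroupHardened($crossSiteGet, 'GET', $sessionKey), PHP_EOL;
echo 'hardened,   POST with token:   ', saveGroupHardened($legitimatePost, 'POST', $sessionKey), PHP_EOL;
```

The first line of output shows the forged GET being saved by the vulnerable handler; the hardened handler refuses it on method alone and only saves the POST that carries the session's form_key.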
The flaws affect:
– Magento CE 1 prior to 22.214.171.124
– Magento Commerce prior to 126.96.36.199
– Magento 2.0 prior to 2.0.16
– Magento 2.1 prior to 2.1.9
If you are running one of the 200,000+ Magento stores and you haven’t yet updated your version, now is the time to do so.
Latest posts by Eslam Medhat