Magento Security Holes Patched

Andy Holland

A report yesterday from Vulnerability Lab researcher Hadji Samir says that eBay have been quick off the mark to ensure that the Magento platform remains secure after the discovery of three potential vulnerabilities.

Magento is used by a huge number of major ecommerce stores across the web and is the ecommerce platform of choice for many agencies.

The issue stems from a problem that could have left the platform exposed to session hijacking and potentially open to man-in-the-middle attacks. Samir disclosed the bugs earlier this month in a number of posts detailing how users could find themselves being phished or having session data stolen. The three bugs were a potential persistent input validation web vulnerability, a cross-site scripting (XSS) hole, and a cross-site request forgery (CSRF) bug.

Samir said, ‘The vulnerability allows remote attackers to inject own script code to the application-side of the affected service module … successful exploitation of the application-side vulnerability results in session hijacking, persistent phishing, persistent external redirects and persistent manipulation affected or connected module context.’

The XSS issue meant that remote attackers could possibly inject their own script code into client-side application requests.

The CSRF bug was located in the ‘create messages’ input of one of the Magento Connect modules. An attacker could intercept the session to delete all existing messages without authorisation, for example.

The security risk for all three vulnerabilities was said to be medium. A patch and fix were found quickly for all three issues. eBay, who own Magento, pay bug bounty rewards to anyone who finds an issue with the platform and shares it with them, giving them time to fix it before detailing the fix in a patch.

Magento is one of the world’s safest ecommerce platforms with a community dedicated to ensuring its safety and security.