back to article Magento attacks uncanny hacks-men with shopper-popper patch

Independent security researcher Nethanel Rubin has reported a since-patched vulnerability in eBay's Magento e-commerce platform that could have allowed hackers to compromise retailers. The vulnerability (CVE-2016-4010) is fixed in version 2.0.6 issued overnight. Magento handed the flaw a 9.8 out of 10 severity score explaining …

  1. Mage Silver badge

    vulnerability in Magento e-commerce


    Oh dear.

  2. Anonymous Coward
    Anonymous Coward

    Object injection exploit attack ..

    I understood Object Oriented Programming was going to eliminate such coding flaws. As in a particular class was designed to do the one thing and not do everything else. Without a security professional having to go through the source code, line by line.

  3. Anonymous Coward
    Anonymous Coward

    Just remember...

    Magento 2 is touted as being bigger, better, faster and more secure... Than Magento 1.

    With features such as:

    CVSSv3 Severity: 9.8 Magento no longer permits an unauthenticated user to remotely execute code on the server through APIs. Previously, an unauthenticated user could remotely execute PHP code on the server using either REST or SOAP APIs. (These APIs are enabled by default in most installations.)

    Yeah, remote code execution as a service with full API... better'n WordPress!

    CVSSv3 Severity: 9.8 The Magento installation code is no longer accessible once the installation process has completed. Previously, an unauthenticated user or user with minimal permissions could execute PHP code on the server because the installation process would leave the /app/etc directory writeable. Anyone, anywhere wanna do a reinstall?

    Just wait till they've got the site tweaked for best Customer UX, then REBOOT!

    Maybe we'll want to wait until Magento 2.1, you know what they say about Microsoft and x.0 versions.

  4. cduance

    Isnt the fix

    to just change the permissions back to make that directory non-writable?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019