vulnerability in Magento e-commerce
Again?
Oh dear.
Independent security researcher Nethanel Rubin has reported a since-patched vulnerability in eBay's Magento e-commerce platform that could have allowed hackers to compromise retailers. The vulnerability (CVE-2016-4010) is fixed in version 2.0.6 issued overnight. Magento handed the flaw a 9.8 out of 10 severity score explaining …
Magento 2 is touted as being bigger, better, faster and more secure... than Magento 1.
With features such as:
CVSSv3 Severity: 9.8 Magento no longer permits an unauthenticated user to remotely execute code on the server through APIs. Previously, an unauthenticated user could remotely execute PHP code on the server using either REST or SOAP APIs. (These APIs are enabled by default in most installations.)
Yeah, remote code execution as a service with full API... better'n WordPress!
CVSSv3 Severity: 9.8 The Magento installation code is no longer accessible once the installation process has completed. Previously, an unauthenticated user or user with minimal permissions could execute PHP code on the server because the installation process would leave the /app/etc directory writeable.
Anyone, anywhere wanna do a reinstall?
Just wait till they've got the site tweaked for best Customer UX, then REBOOT!
Maybe we'll want to wait until Magento 2.1, you know what they say about Microsoft and x.0 versions.
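The second advisory item above boils down to a post-install hardening check: is anything under app/etc still writable by the account the web server runs as? The script below is an added example, not Magento's own tooling; it assumes a POSIX host, the Magento document root as its first argument and the web-server user name as its second, and it only models the classic owner/group/other permission bits (no ACLs, no root override).

```python
#!/usr/bin/env python3
"""Added example: report entries under app/etc that the web-server account
could still modify after installation (plain POSIX mode bits only)."""
import grp
import os
import pwd
import stat
import sys


def writable_by(mode, uid, gid, check_uid, check_gids):
    """True if a principal (check_uid, member of check_gids) may write an
    entry whose stat fields are (mode, uid, gid). Mirrors POSIX precedence:
    owner bits if the uid matches, else group bits if in the group, else other."""
    if check_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if gid in check_gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit_dir(root, check_uid, check_gids):
    """Walk root (app/etc) and return relative paths the principal could write,
    including root itself; an empty list means nothing is writable."""
    findings = []
    if writable_by(os.lstat(root).st_mode, os.lstat(root).st_uid,
                   os.lstat(root).st_gid, check_uid, check_gids):
        findings.append(".")
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            if writable_by(st.st_mode, st.st_uid, st.st_gid, check_uid, check_gids):
                findings.append(os.path.relpath(path, root))
    return sorted(findings)


def gids_for(user):
    """Primary plus supplementary group ids for a local account name."""
    pw = pwd.getpwnam(user)
    extra = {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    return pw.pw_uid, {pw.pw_gid} | extra


if __name__ == "__main__":
    docroot, webuser = sys.argv[1], sys.argv[2]  # e.g. /var/www/magento www-data
    uid, gids = gids_for(webuser)
    hits = audit_dir(os.path.join(docroot, "app", "etc"), uid, gids)
    for h in hits:
        print("web user can write:", h)
    sys.exit(1 if hits else 0)
```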