Magento attacks uncanny hacks-men with shopper-popper patch
Flaw was rated 9.8/10 as it allowed complete re-write of online stores
Independent security researcher Nethanel Rubin has reported a since-patched vulnerability in eBay's Magento e-commerce platform that could have allowed hackers to compromise retailers.
The vulnerability (CVE-2016-4010) is fixed in version 2.0.6 issued overnight. Magento handed the flaw a 9.8 out of 10 severity score explaining that the platform installation code is no longer accessible once the installation process is complete.
"Previously, an unauthenticated user or user with minimal permissions could execute PHP code on the server because the installation process would leave the /app/etc directory writeable, and many administrators would not change the permissions on this directory after installation, " the company says.
Rubin (@na7irub), an Israeli researcher who has previously, found holes in the platform and many others, says attackers can execute arbitrary PHP code in unpatched systems.
"The vulnerability allows an attacker to execute PHP code at the vulnerable Magento server unauthenticated," Rubin says.
"This vulnerability works on both the Community Edition and Enterprise Edition of the system.
"I recommend all Magento administrators to update their installations to the 2.0.6 patch."
The chained attack combines smaller vulnerabilities which Rubin has detailed in full, and relies on REST or SOAP being left enabled from default which is the case in most installations.
Much of the fault lies with the sizeable and dynamic API for each Magento module that customers use to run things like shopping carts.
Rubin praised Magento for its code overhaul which has seen vast re-writing, code improvements, and a bolstering of security. It was a "huge step forward" but also something of a teething pain for Magento developers and vulnerability researchers. ®