If you are using Magento to power your online store, it would be a very good idea to make sure you are up to date with your patches, because hundreds of thousands of websites are at risk of hijacking attacks made possible by a just-patched vulnerability in the Magento ecommerce platform. If this feels like déjà vu, it is because Magento was hit by another serious exploit just last year.
“The buggy snippet is located inside Magento core libraries, more specifically within the administrator’s backend,” a Sucuri advisory explained. “Unless you’re behind a WAF or you have a very heavily modified administration panel, you’re at risk. As this is a Stored XSS vulnerability, this issue could be used by attackers to take over your site, create new administrator accounts, steal client information, anything a legitimate administrator account is allowed to do.”
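The quote above describes the mechanism only in general terms: a stored XSS in the admin backend runs in the browser of whoever is logged in as an administrator, so the injected script inherits that session and can do whatever the admin can. The following Python snippet is an added, generic illustration (not Magento's code and not the SUPEE-7405 bug) of the vulnerable pattern beside the hardened one: untrusted stored data rendered into admin HTML verbatim versus escaped at output time. The Customer class, the rendering functions and the two sample payloads are all made up for this example.

```python
import html
from dataclasses import dataclass

# Constructed sample values: strings an attacker could save through a
# low-privilege front-end form (a customer name, an order comment) that the
# admin backend later renders. Generic markers, not the Magento payload.
SCRIPT_NAME = '<script>alert(document.domain)</script>'
ATTR_BREAKOUT_NAME = 'Bob" onmouseover="alert(document.domain)'


@dataclass
class Customer:
    customer_id: int
    name: str  # untrusted: supplied by the customer, stored in the database


def render_row_unsafe(customer: Customer) -> str:
    """Vulnerable pattern: stored data is concatenated into admin HTML verbatim,
    both as element text and inside a quoted attribute."""
    return (
        f'<tr><td>{customer.customer_id}</td>'
        f'<td><a href="/admin/customer/{customer.customer_id}" '
        f'title="{customer.name}">{customer.name}</a></td></tr>'
    )


def render_row_safe(customer: Customer) -> str:
    """Hardened pattern: every untrusted value is HTML-escaped at output time.
    quote=True also turns " and ' into entities, which is what keeps a value
    from closing the title="..." attribute and adding an event handler."""
    safe_name = html.escape(customer.name, quote=True)
    return (
        f'<tr><td>{customer.customer_id}</td>'
        f'<td><a href="/admin/customer/{customer.customer_id}" '
        f'title="{safe_name}">{safe_name}</a></td></tr>'
    )


def survives_unescaped(page: str, untrusted: str) -> bool:
    """Crude output check: does the raw untrusted string appear in the page
    exactly as stored? True means the browser will parse it as markup."""
    return untrusted in page


if __name__ == "__main__":
    for name in (SCRIPT_NAME, ATTR_BREAKOUT_NAME):
        c = Customer(42, name)
        print("unsafe :", render_row_unsafe(c))
        print("safe   :", render_row_safe(c))
        print("raw payload survives unsafe render:",
              survives_unescaped(render_row_unsafe(c), name))
        print("raw payload survives safe render  :",
              survives_unescaped(render_row_safe(c), name))
        print()
```

The fix lives in the output layer, which is also why a WAF only reduces exposure rather than removing it: the WAF has to recognise the payload on the way in, while escaping at render time neutralises it on the way out whatever shape it takes. Magento 1's block classes expose an escapeHtml() helper for exactly this purpose in templates.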
Vulnerability Disclosure Timeline:
You might assume Magento rushed to get the vulnerability patched, but according to the timeline released by Sucuri, the company was informed of the bug on November 10th, 2015, and the fix (patch bundle SUPEE-7405) did not ship until January 20th, 2016. The full timeline is below:
- November 10th, 2015 – Bug discovered, initial report to Magento’s security team
- December 1st, 2015 – No response from Magento. Requested confirmation of our previous email.
- December 1st, 2015 – Magento acknowledges receipt of the report.
- January 7th, 2016 – Requested an ETA; it has been two months since the original report.
- January 11th, 2016 – Magento answers that the patch is ready, but no ETA available.
- January 20th, 2016 – Magento releases patch bundle SUPEE-7405, which fixes the issue
- January 22nd, 2016 – Sucuri public disclosure of the vulnerability.
What does this mean?
If you still need to install the latest patch, you should really do it sooner rather than later; otherwise you are exposing yourself to a potentially very dangerous threat. A WAF may reduce your exposure in the meantime, but it is not a substitute for applying the patch. As with any other security patch, there is a reason it was released, so don't play Russian roulette with your business.