PATCH NOW —

Bug in Magento puts hundreds of thousands of sites at risk of takeover

Exploits are as easy as embedding malicious JavaScript in registration forms.

Hundreds of thousands of websites, many of which sell goods or services, are at risk of hijacking attacks made possible by a just-patched vulnerability in the Magento e-commerce platform.

The stored cross-site scripting (XSS) bug is present in virtually all versions of Magento Community Edition and Enterprise Edition prior to 1.9.2.3 and 1.14.2.3, respectively, according to researchers from Sucuri, the website security firm that discovered and privately reported the vulnerability. It allows attackers to embed malicious JavaScript code inside customer registration forms. Magento executes the scripts in the context of the administrator account, making it possible to completely take over the server running the e-commerce platform.

"The buggy snippet is located inside Magento core libraries, more specifically within the administrator's backend," a Sucuri advisory explained. "Unless you're behind a WAF or you have a very heavily modified administration panel, you're at risk. As this is a Stored XSS vulnerability, this issue could be used by attackers to take over your site, create new administrator accounts, steal client information, anything a legitimate administrator account is allowed to do."

XSS bugs are among the most widely exploited website vulnerabilities. They're the result of Web applications that fail to strip or encode executable code in user-supplied input before rendering it back into a page. Anyone who relies on Magento should install an update as soon as possible. In cases where patching isn't immediately possible, administrators should make use of a Web application firewall provided by Sucuri or one of its competitors. Magento has its own advisory here.
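The failure mode described above, shown as an added illustration that is not Magento's code or Sucuri's proof of concept: a value submitted through a registration form is stored unchanged and later dropped verbatim into an admin-panel page (the vulnerable pattern), versus HTML-encoded at output time (the fix), plus a small audit helper a defender could run over stored records. Python stands in for Magento's PHP; the record layout, field names and the harmless test payload are constructed.

```python
import html
import re

# Constructed sample customer records, as a registration form might store them.
# The second record carries a harmless test string standing in for
# attacker-controlled markup; it is not the actual Magento trigger.
CUSTOMERS = [
    {"firstname": "Alice", "lastname": "Example", "email": "alice@example.invalid"},
    {"firstname": "Bob", "lastname": "<script>alert(1)</script>",
     "email": "bob@example.invalid"},
]

FIELDS = ("firstname", "lastname", "email")


def render_row_vulnerable(customer):
    """Vulnerable pattern: stored values are interpolated into admin HTML as-is,
    so markup submitted at registration is parsed by the administrator's browser."""
    cells = "".join("<td>{}</td>".format(customer[f]) for f in FIELDS)
    return "<tr>{}</tr>".format(cells)


def render_row_hardened(customer):
    """Hardened pattern: HTML-encode every user-controlled value at output time.
    The stored data is unchanged; it simply can no longer be read as markup."""
    cells = "".join(
        "<td>{}</td>".format(html.escape(customer[f], quote=True)) for f in FIELDS
    )
    return "<tr>{}</tr>".format(cells)


# Crude signature for tag openers, javascript: URLs and inline event handlers.
MARKUP = re.compile(r"<[a-zA-Z/!]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def contains_active_markup(value):
    """True if a stored field value contains something a browser could treat as code."""
    return MARKUP.search(value) is not None


def audit_stored_customers(customers):
    """Defender's check: (email, field) pairs whose stored value contains markup.
    Useful for finding records that were submitted before the patch was applied."""
    return [(c["email"], f) for c in customers for f in FIELDS
            if contains_active_markup(c[f])]


if __name__ == "__main__":
    for c in CUSTOMERS:
        print("vulnerable:", render_row_vulnerable(c))
        print("hardened:  ", render_row_hardened(c))
    print("audit:", audit_stored_customers(CUSTOMERS))
```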

Post updated on Thursday, Jan 29, to correct the number of sites affected.
