Magento plugs XSS holes that can lead to e-store hijacking, patch immediately!
Last week, Magento released a very important bundle of patches for their eponymous e-commerce platform that should be implemented as soon as possible.
The bundle plugs a number of critical vulnerabilities, including two stored cross-site scripting (XSS) flaws that can be easily exploited by attackers to take over the site’s shop.
Sucuri Security has provided more details about one of these, which has been discovered by their vulnerability researcher Marc-Alexandre Montpas.
The bug can be exploited remotely by simply adding JavaScript code to the email address entered into the customer registration form on the site.
“The buggy snippet is located inside Magento core libraries, more specifically within the administrator’s backend,” Montpas explained. This bug makes it so that Magento does not properly filter the email, and it executes the bad JavaScript code in Admin context when the order is viewed in the backend.
“Unless you’re behind a WAF or you have a very heavily modified administration panel, you’re at risk,” he noted.
This vulnerability affects almost every install of Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3.
The other stored XSS bug – bad filtering of comments to an order that can result in JavaScript code being saved in database and then executed server-side when the administrator tries to view the order – also affects the aforementioned Magento versions, as well as Magento 2 CE & EE prior to 2.0.1.
Both bugs are critical – can be exploited easily and remotely – so admins are advised to update their Magento installation(s) immediately.