A recent Magento vulnerability known as Magento Shoplift, first reported to Magento in late January, allows attackers to obtain control over a store and its data using RCE (Remote Code Execution).
Shoplift affects both Magento Enterprise Edition and Magento Community Edition. A security patch (SUPEE-5344) was released in February. If you’re unsure as to whether your shop is still vulnerable, there is a test available on the Magento website:
Other steps that can be taken: checking the Magento installation for unknown files or recently created files, and check server access log files for requests coming from unknown IP addresses.
‘The threat was a serious flaw and needed immediate attention, emphasising the importance of developers keeping up-to-date and proactive’
RCE can be used to remotely run programs on a sever, and in this instance, to exploit the code within Magento itself. Magento alerted developers in February, and a patch was made available on the 9th. All Magento websites administered by The Pixel were patched within a few hours of release. This included all development sites and internal copies of Magento. The threat was a serious flaw and needed immediate attention, emphasising the importance of developers keeping up-to-date and proactive in regards to status and version updates.
Check Point Software Technologies released this video on 22 April to demonstrate how RCE can be used to exploit an ecommerce website:
Other security exploits that require patches can be found on the Magento website, including October’s SUPEE-1533 patch:
Users of Magento Enterprise will usually need to contact Magento directly to obtain security patches. If you’d like any further help please feel free to email us at [email protected].