Magento is one of the best and widely used ecommerce platforms and according to a survey, businesses using Magento had more than £520b worth transaction in the year 2014. In the past few months, Magento experienced hundreds of hacking attempts and some of the web stores were compromised. Considering the severity of this issue Magento released it’s May patched for Magento EE and Magento CE version which helped retailers to secure their store and save the confidential information leakage.
Yesterday Magento released another security patch to address this issue. Magento suggests that although there are no confirmed reports of attacks related to these issues to-date, but it is important that you immediately deploy the patch in order to protect your store.
This patch addresses the following security issues:
- It prevents attackers from posing as an administrator to gain access to the last orders feed, which contains personally identifiable information that can then be used to obtain more sensitive information in follow-on attacks. Check to see if you have been compromised by reviewing your server logs for someone trying to reach the /rss/NEW location.
- It closes a number of security gaps including cross-site scripting (XSS), cross-site request forgery (CSRF), and error path disclosure vulnerabilities.
Magento has created patches for both Magento Enterprise and Magento Community Editions. For Magento Enterprise Edition, a patch is available for Enterprise Edition 1.9 and later releases. For Magento Community Edition, a patch is available for Community Edition 1.4.1 to 188.8.131.52 and is part of the core code of their latest release, Community Edition 1.9.2, which is now available for download.
Do you own a Magento store and looking for someone to help you secure your store and apply the patch? Please Get in touch now