back to article If you're one of millions using Magento – stop whatever you're doing and patch now

A huge security hole has been found in popular ecommerce platform Magento, requiring an immediate update. Critical cross-site scripting vulnerabilities have been found in both versions 1 and 2 of the platform. They can be exploited just by registering with a spiked username or email address – making it an obvious target for …

  1. TeeCee Gold badge
    Alert

    ohshit.

    .....if you are running a Magento platform..........You can expect your site to be tested within the next day.

    Cue torrent of "we haz pwnd u & ur credit" stories from multiple site breaches. Chances of all those millions of sites being patched immediately? Bugger all......

    1. Stuart 22 Silver badge

      Re: ohshit.

      Will Magento be the only CMS with this vulnerability? If not I give it 48 hours before someone knows and probes. I guess we won't till a patch is in place.

      Fingers crossed.

  2. G2
    Facepalm

    seen this before

    https://xkcd.com/327/

    XKCD.... happens literally (email address = name).

    1. gollux

      Re: seen this before

      Magento does the reverse. Store anything, sanitize the output for proper application.

      With proper use of parameterized queries, the XKCD joke never works, no input sanitization needed.

      I'm kind of a belt and suspenders type guy and like the idea of taking junk out both coming and going, however; I've had it proved several times as to how input santization can totally fail.

      I think security has to do with that defense in depth thing.

  3. adnim

    Magento does not properly validate this email

    WTF?

    1. gollux

      Re: Magento does not properly validate this email

      The validation happens clientside in Javascript. You can't get the exploit samples to pass unless you shut it off.

      1. myhandler

        Re: Magento does not properly validate this email

        >The validation happens clientside in Javascript.

        > You can't get the exploit samples to pass unless you shut it off.

        If you think that's ok Gollux, then you you clearly have a lot to learn

      2. PassiveSmoking

        Re: Magento does not properly validate this email

        Javascript validation huh? I think I know how such a secure system can be bypassed.

        > curl --data 'email=%3Cscript%3Ealert+%28%22owned%2C+beeyotch%21%22%29%3C%2Fscript%3Eme%40email.com' -X POST http://my.magento.installation.com/register.php

        If your validation is client side only then you have no validation. It's rule freaking one of developing an app. Be like Fox Mulder when it comes to user supplied input and trust no-one.

        A newbie developer can be forgiven for making a mistake like that (after they've had it beaten into them not to do it again of course). A "professional" outfit like Magento should know better.

        1. gollux

          Re: Magento does not properly validate this email

          Myhandler, No, I don't think that's ok, and Passive Smoking's post illustrates exactly the reason why.

          Now step back to SUPEE-5344 where a similar trick could be used to directly inject Admin accounts into the Admin user database with full administrative access. The patch was released in February but not really announced besides just having a download link on their website. They got in a dead panic about announcing the need to patch somewhere in April because the people who found it decided to publish. Man that was a three ring circus...

  4. Lysenko

    I'd like to point out...

    ...that this has nothing (NOTHING) to do with using shoddily weakly typed languages like Pointy Haired Programming and would have been inevitable even if the whole thing were written in something with a type safety and didn't allow EXECing of strings.

    Glad that's out of the way.

    1. gollux

      Re: I'd like to point out...

      You making fun of Broken Perl? I have some broken Pointers I can pass your way.

      1. Adam 52 Silver badge

        Re: I'd like to point out...

        Much, much harder to create a dodgy pointer client side than dodgy input.

        ...and like everyone else - executing user input, really? Even after validation how brain dead an idea is that.

  5. WibbleMe

    I have a real heartblead for those people

  6. wolfetone Silver badge

    You Know What Really Grinds My Gears?

    The fact Magento hasn't baked an update system in to the CMS. I'm in a new role at a company that runs three Magento shops, two of them are a version behind the most recent 1.x installation. I have to put all of them in maintenance mode, then run a shell script on each of them to do the update.

    Why, in 2016, can there not be a better way of doing this? There will be retailers across the world who have no idea what's going on, and they won't know about this update. They'll dismiss the popup and think "Well the site still works so it must be OK". The computer guys who set the site up won't inform them, and if they do they'll demand a large sum of money to do the work - which again will probably result in a "No it's OK it's fine" from the retailer.

    Still, it's early AM here in the UK, I'm sure the script kiddies are in bed asleep.

    I hope.

    1. Lysenko

      I'm sure the script kiddies are in bed asleep.

      China is GMT+8. Think again.

      1. wolfetone Silver badge

        Re: I'm sure the script kiddies are in bed asleep.

        "China is GMT+8. Think again."

        Ah yes, the Chinese. A great bunch of lads.

    2. Ashley Flynn

      Re: You Know What Really Grinds My Gears?

      I agree, the update system (of lack of one) is shockingly poor, made worse by the "add-ons system" which 9/10 just involves copy-pasting over core files (now often meaning patches can't be applied).

      Not good enough from a platform which has had several massive security holes in the last couple of years

    3. Tim Worstal

      Re: You Know What Really Grinds My Gears?

      Care to drop me a line about this? I think the email attached to my pieces here still works. If not, timworstallAT"taxdodger"gmail.com does.

      I'm looking around for an entry level service that we might offer (me and my team of Czechs) and this is the second Magento problem I've seen in a couple of months.

      "We patch your Magento system for $20" might be something we could usefully do. Or some other similar sort of price. Would love to get some guidance from those who know whether that's something that might fly.

      1. Anonymous Coward
        Anonymous Coward

        Re: You Know What Really Grinds My Gears?

        I'd be seriously careful about this, we've had to do patches across multiple client websites and some of the recent ones caused compatibility problems with modules which had been installed, meaning we then had to go ahead and patch all the modules too. Not saying it's not a possible business opportunity, but make sure you know what's installed before giving any estimates

        1. wolfetone Silver badge

          Re: You Know What Really Grinds My Gears?

          I have to reiterate the AC's comment.

          I've applied the patch to two out of the three stores. So far so good. But the third one is just sprawling with issues at the moment, mostly down to the lack of updates going before it.

          The problem you will have is that giving a fixed price to do an upgrade like this would be opening yourself up to a whole host of issues. Compatibility of modules, compatibility with custom code hidden in the bowels of the installation, and just the unknown of how the store was maintained - if at all - in the first place. Case in point being my third store, it hasn't been updated like the others, and I've no documentation for any work done on the three shops. Period.

          1. Anonymous Coward
            Anonymous Coward

            Re: You Know What Really Grinds My Gears?

            Even beyond that, the more complicated the site is the more likely people would be tempted to go the fixed cost route, just because of the expense your average agency would quote. It's possible to build a company around doing simple jobs for Magento, but this is probably the worst area to look into

            1. Tim Worstal

              Re: You Know What Really Grinds My Gears?

              I'm thinking of it more as a way to advertise an agency that does magento. But everyone's warnings much appreciated: and once they've been made I can see the relevance of them too.

              The current project is much more fun: mapping tornado damage for FEMA in a Ruby/Rails system.

  7. This post has been deleted by its author

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like