Adobe warns of second critical security hole in Adobe Commerce, Magento

Adobe has put out a warning about another critical security bug affecting its Magento/Adobe Commerce product – and IT pros need to install a second patch after an initial update earlier this week failed to fully plug the first one. You need to apply both patches, in order. The new vuln has also been assigned a severity rating …

  1. Anonymous Coward

    From the article: 'arising from improper input validation'

    I know not everything can be secure, but at least lock the front door.

    1. tmTM

      Re: From the article: 'arising from improper input validation'

      Adobe software with gaping security holes. Who would have guessed?

  2. Anonymous Coward

    So Magento has been fully integrated now

    .. into Adobe's approach to coding so badly it's pretty much an open door by default.

    Do they share engineers with Microsoft?

    1. Anonymous Coward

      Re: So Magento has been fully integrated now

      Or possibly Ubuntu?

    2. Charlie Clark Silver badge

      Re: So Magento has been fully integrated now

      Don't forget, like Flash, they bought Magento. And, as it's written in PHP, validation issues are to be expected. Yes, anyone can write good code in any language but for years PHP favoured convenience over best practice.

      1. F. Frederick Skitty Silver badge

        Re: So Magento has been fully integrated now

        "... anyone can write good code in any language ..."

        Except MUMPS. That defies anyone's attempt to write good code.

        1. Charlie Clark Silver badge

          Re: So Magento has been fully integrated now

          Well, that and Brainfuck, et al. You'd need a preprocessor to generate it but it's technically possible.

  3. Brewster's Angle Grinder Silver badge

    Taint Mode: off

    It's 2022. And people still aren't sanitising their input.

  4. mark l 2 Silver badge

    I played around with Magento about 10 years ago, but decided to go with Prestashop and then moved to a fork of Prestashop called 30bees.

    Glad I didn't go with Magento now, as I wasn't aware it had been bought up by Adobe, but that would certainly have made me want to migrate to another platform, as I have experience with the nightmare of security holes that comes with Adobe software and thankfully don't need to deal with it anymore.

  5. frankyunderwood123

    Sadly, my company are magento heavy...

    What is it about this horror show of a platform that attracts big corporates?

    It 100% isn't developer led, that's for damn sure - most developers avoid it like the plague.

    It's a monstrous pile of scary spaghetti code that marketing people delight in using, because they can create monstrously bad experiences with it.

    "I can does web!"

    Fortunately, although the corporate entity I work for is persisting with this pile of unwieldy donkey poo, we've managed to convince them that we're just going to use parts of the API and are building scalable modern frameworks around it, with a great deal of abstraction, ensuring we can easily replace this glitter-covered pile of elephant droppings once the corporate actually gets a damn clue. (The concept of strict boundaries.)

    In other words, we are indeed using that 10 foot proverbial pole, except unfortunately, we are touching it ... with enough distance to keep the stink at bay.

    Consider it a 10 foot pole with a few 10 foot extensions, some tweezers, scissors, some little baggies to hold the poo and a decent layer of sanitisation between our actual applications and this stinking monolithic legacy that can bring developers to tears ...

    Yeah, I'm not that keen on Magento.

    As an aside, the original line from the corporate I work for, is that we're switching *back* to Magento whether you like it or not.

    After being told they would lose 90% of the developers at the company, if they went down that route, sanity prevailed.

    We provided a few POCs that absolutely owned Magento in terms of speed, reliability and security in very short order.

    Everyone is kinda happy, the corporate can have their Magento monkeys, churning out whatever and we can hook into the API as just *one* of the touch points we need - the lightest touch possible.

    This battle has raged at the corporate for years now, there's clearly a lot of "job protection" going down, and clearly a lot of lobbying at key levels from Magento/Adobe.

    Heck, we have an entire department that refuses to switch from the total shit show that is Adobe Analytics - a dead duck, that a tiny percentage of marketing folk use - again, I smell the stink of protectionism within the corporate, some dicks have bet their careers on this and are too damn lazy to get off their backsides and learn a different way of doing things!

    What, angry, bitter, jaded, ME? - too right.

    1. Jellied Eel Silver badge

      Re: Sadly, my company are magento heavy...

      First rule of fight club. Internal customers should present IT with requirements, not vendors. But that's always been FUN! for IT departments, who may find out about new stuff when a department orders a new server.

      Admittedly I'm kinda biased against Adobe. Critical security flaw in Adobe? This is news?

      1. innominatus

        Re: Sadly, my company are magento heavy...

        Ah, fond memories of Adobe Flash

    2. low_resolution_foxxes

      Re: Sadly, my company are magento heavy...

      It's something about iPhone drones having to have the right "skillset" on their marketing CV. It's a bit like why our accountants at work demanded SAP, when the only particular reason I could think of is that our accountants can now claim experience with SAP on LinkedIn.

      Perhaps marketing drones just have the experience with Adobe Photoshop? I recently gained view access to my company website. It boggled my mind how much stalkware and bloat ran in the background. Dozens upon dozens of apps designed primarily to harvest email, contact and social media metrics. All so she can present a PowerPoint every 6 months about "customer engagement" showing age, gender, industry sector, social media engagement campaigns, blah blah blah.

    3. TheFifth

      Re: Sadly, my company are magento heavy...

      I'm currently in a soul destroying battle with Magento for a client. Time and again I advised them not to use it for their tiny little shop, but they wanted the 'industry standard'.

      I've spent more time trying to keep the thing running than actually making progress on the updates I need to do for their specific use case. Even installing a simple payment module is likely to cause the site to fall flat on its face and take a day of debugging just to get it working again.

      And to top it all off, the backend is so complex, the client can't work out how to do the simplest of tasks (like adding a product for example!).

      I've never had the displeasure to use such a finicky, unstable system. I liken it to defusing a bomb. Although you partake in hours and hours of careful, delicate, painstaking work, there's still every chance the whole thing will blow up in your face.

      I swear it's taken years off my life having to deal with it.

    4. Anonymous Coward

      Re: Sadly, my company are magento heavy...

      Yeah, I've been there myself. Corporate ownership got sold on Magento by some sales-weasel at a tradeshow. The CEO came back and decided that this is what we are going to use (against strong recommendations to the contrary from me).

      Needless to say, the whole thing turned into a complete shitshow. I honestly think frankyunderwood123 above was way too kind in his opinion of Magento. It's even worse than he described.

      Needless to say, I work somewhere else now (much better company). One thing I made sure of while interviewing: no Magento, and no plans for using it. This company had kind of a "poor bastard" reaction at my interview when I told them we ran Magento.

    5. Charlie Clark Silver badge

      Re: Sadly, my company are magento heavy...

      It got in there because it ticks the boxes for a "web shop", a bit like Drupal for CMS. Non-technical manglers appreciate the value of a company that can afford a sales department and has references they might have heard of. And they may also be wary of the IT department, for which there can be good reasons.

      I've never worked on a web shop but have had discussions with people who've thought about getting one. As with so many things online, they almost always forget that generating orders is the easy bit; fulfilment, returns, etc. are what take real work.

  6. Anonymous Coward

    > Yeah, I'm not that keen on Magento.

    Thanks for clarifying that.

    1. frankyunderwood123

      That's ok, there's still time to realise the mistake you have made adopting it...

  7. Auntie Dix

    Magento really is awful

    Magento is a steaming pile of dung. I thought the ubiquitous negative comments about it were maybe a collective exaggeration, but no... it really is that bad. It beggars belief that any company would actually choose to use the platform yet so many do.

    If you want developer morale to plummet in your company, use Magento.

    If you want productivity to fall off a cliff, use Magento.

    If you want to find the most complex and least effective way of implementing ecommerce, use Magento.
