The Hostway Blog

Magento Issues Security Patching Advisory

Today, Magento released new versions and patches related to vulnerabilities that could be exploited to access customer information or take over administrator sessions. The root of the vulnerability stems from the improper validation of email addresses that are entered into the customer registration form. Unfortunately, such a flaw would allow an attacker to add JavaScript to the email field of the form. What does all this mean? Simply put, whenever a new form is filled out, the malicious Java Script code is triggered when the user account is listed in the back end panel of the website. All versions of Magento are affected, but there are no confirmed attacks related to these issues.

 

Have you been affected by the Magento Vulnerability?

If you haven’t undated your Magento to the latest version, or installed patches to keep you current, you may want to ensure that you haven’t been effected by the vulnerability by checking a few things

  • Check your list of administrator users for unknown accounts.
  • Check your Magento installation for any unknown files that were recently created and compare files to your code repository or your staging server.
  • Check server access log files for request POST /index.php/admin/Cms_Wysiwyg/directive/index/ coming from unknown IP addresses.
  • Run a tool to check for trojans (e.g. chkrootkit)
  • Check for wrong permissions and any hidden files
  • Check for suspicious ports being opened or redirections on OS level.

Full articles about the Magento 1.x and Magento 2.x issues are posted in the Magento Security Center. Additionally, all new releases and a separate USPS patch support recent USPS changes.

Magento Community Edition Update and Patches

The Magento Community Edition 2.0.1 release also contains several important functional updates, including official support for PHP7.0.2.

To download your update, please visit the Community Edition Download Page. These two patches (SUPEE-7405 and SUPEE-7616) are available to address security and USPS issues for Community Editions 1.5.0.0-1.9.2.2. Both sets of improvements are included in Community Edition 1.9.2.3 and Community Edition 2.0.1. Be sure to install all previous patches, if you haven’t done so already. All previous USPS patches must be installed for the new patch (SUPEE-7616) to work. We advise installing patches in a development environment before putting them into production.

Hostway now provides Managed Magento Support.

Hostway’s new Managed Magento Support includes but not limited to the following:

  • Magento installation - including resetting a currently configured store to defaults, troubleshooting existing installations and package downloads
  • Configuration – assistance with full product configuration including payment modules, shipping options, tax rates, languages, products, etc.
  • Full Magento UI support – all types of “How-to” questions ranging from catalog setup to marketing related items like promotions, etc.
  • Troubleshooting and bug/issue fixes – this includes diagnosis and potentially resolution of the vast majority of functional and/or visual issues with the product caused by misconfiguration or broken data entries. If issue is caused by custom code, support will only indicate the affected area and will only offer resetting it to default settings, if possible.

Need help keeping your Magento deployment running? Contact us today and let Hostway help you patch your Magento application.