Security Bug in Magento 2 Puts Sellers at Risk

Howdy!

Security issues continue to hound Magento 2. You’re lucky you haven’t migrated yet, otherwise you could be one of the 200,000 online sellers who are at risk.

Web security service provider DefenseCode detected a remote code execution (RCE) bug linked to a feature in the Magento 2 software which allows administrators to add videos hosted on Vimeo.

That could serve as an entryway for hackers to access a Magento user’s database, including confidential information, and even install malware.

All they have to do is get a user to download a URL which contains a .htaccess file and a PHP file, and then they can easily manipulate the user’s system using a remote server.

“During the security audit of Magento Community Edition, a high risk vulnerability was discovered that could lead to remote code execution and thus the complete system compromise, including the database containing sensitive customer information such as stored credit card numbers and other payment information,” DefenseCode said in their advisory.

They added that the affected versions of the Magento Community Edition software include v.2.1.6 and below.


Reassurance from Magento

Though they haven’t heard of any actual attacks yet, Magento reassured their customers that they are looking into the matter.

“We have been actively investigating the root cause of the reported issue and are not aware of any attacks in the wild. We will be addressing the issue in our next patch release and continue to consistently work to improve our assurance processes,” they said.

To protect their users from possible security attacks, Magento sent out an email with the steps for switching on the “Add Secret Key to URLs” option.

Here’s how to do it:

  1. Log on to the Merchant Site Admin URL (e.g., yourdomain.com/admin)
  2. Click on Stores > Configuration > ADVANCED > Admin > Security > Add Secret Key to URLs
  3. Select YES from the dropdown options
  4. Click on Save Config

We may have sounded like a broken record, telling you repeatedly that Magento 2 is still not ready, but we’re so glad that we did.

What are your thoughts on this security issue? Share them with us in the comments below.

As always, to your continued success,

Dave & Matt


2 replies

    David says:

    Great articles on reasons not to jump on Magento 2 yet. We have an e-commerce site with a proprietary custom agency. Problem is it’s 8 years old and every time we need to add functionality to be competitive it’s very costly. They are recommending we move to Magento 2. Do you think it’s a wise option now, or do you think we start with Magento then move to Magento 2 in a few years’ time?

      Dave Furness says:

      Hi David,

      Magento 1 is still the option we prefer, as it is tried and tested and it will be supported until at least 2020.

      We will however be covering Magento 2 soon on the site here at UnderstandingE.

      Dave
