According to Magento, more than 200,000 websites may be affected by the stored cross-site scripting (XSS) bugs that Sucuri revealed earlier this week. The bugs affect both the Community and Enterprise Editions of Magento 1.x, as well as both varieties of Magento 2.0.
The stored XSS bug affecting Magento 1.x is rated as critical because it gives a malicious user the opportunity to take over the administrator’s authenticated session, or to hijack the administrator’s browser and force it to perform actions on the attacker’s behalf. These potentially include creating a second administrative account with credentials chosen by the attacker.
Upgrading is Essential
Magento itself has warned that the vulnerability affects almost every installation of Magento Community Edition version 220.127.116.11 and earlier, as well as Magento Enterprise Edition installations at version 18.104.22.168 and earlier. To exploit the vulnerability, all an attacker has to do is attempt to send an email to the administrator via the site.
The buggy code is part of Magento’s core, so only the handful of users who run a WAF, or who use a heavily modified version of the administration panel, will be immune from the vulnerability. Essentially, everyone is at risk, and the XSS attack could cause a significant amount of damage to a website. Unauthorised data access is a genuine possibility.
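The root cause of this class of bug is stored input that the admin panel renders without escaping. The following is an added illustration, not Magento’s code: a hypothetical admin page that displays a customer-supplied record, shown first unescaped and then hardened with output escaping, with input validation as a second layer. The record and field names are constructed for the example.

```php
<?php
// Added illustration, not Magento code. The record and its field names are
// hypothetical; it stands in for any customer-supplied data an admin page shows.
declare(strict_types=1);

/** Constructed sample record as a store might have persisted it. */
function sampleRecord(): array {
    return [
        'email'   => 'buyer@example.com"><script>/* stored payload */</script>',
        'message' => 'Hello <b>admin</b>',
    ];
}

/** Vulnerable: stored values are interpolated straight into admin HTML. */
function renderUnsafe(array $r): string {
    return '<a href="mailto:' . $r['email'] . '">' . $r['email'] . '</a>'
         . '<p>' . $r['message'] . '</p>';
}

/** Escape for both HTML text and quoted attribute context. */
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Hardened: every stored value is escaped at output time, regardless of
 *  how it got into the database. This is the fix that closes stored XSS. */
function renderSafe(array $r): string {
    return '<a href="mailto:' . e($r['email']) . '">' . e($r['email']) . '</a>'
         . '<p>' . e($r['message']) . '</p>';
}

/** Second layer: reject malformed e-mail addresses at input time. Validation
 *  alone is not sufficient, because data may have been stored before the
 *  check existed or arrived through another path; escaping is still required. */
function isValidEmail(string $s): bool {
    return filter_var($s, FILTER_VALIDATE_EMAIL) !== false;
}

/** Quick self-check: the hardened output must not contain a live <script> tag. */
function check(): bool {
    $r = sampleRecord();
    $unsafeHasTag = str_contains(renderUnsafe($r), '<script>');   // true
    $safeHasTag   = str_contains(renderSafe($r), '<script>');     // false
    $rejected     = !isValidEmail($r['email']);                   // true
    return $unsafeHasTag && !$safeHasTag && $rejected;
}

var_dump(check());
```

Run with `php example.php`; it prints `bool(true)` when the escaped rendering neutralises the stored tag and the validator rejects the malformed address.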
It is common for users of the Community Edition to delay installing updates, either because they lack the skills in-house to do so, or because they rely upon their web hosts to update for them because they have limited access to the command line via their hosting accounts. When the reason for the new release is a serious flaw in the software – as is the case here – it is not safe to wait.
The Vulnerability Timeline
The bug was discovered on November 10th 2015 and reported to the Magento team. Magento did not acknowledge the first report, but did so when Sucuri followed up on December 1st.
On January 20th the Magento developers released SUPEE-7405, a free patch which fixes the issue. Sucuri published its public disclosure of the vulnerability on January 22nd, so proactive webmasters will have had time to apply the fix.
If you have not updated yet, you should do so immediately, because the security flaw is now public knowledge.
Get Help and Support Now
We’ve already patched over 30 websites to fix this XSS vulnerability. Don’t leave your customers at risk – if you aren’t sure whether you’re protected, get in touch and we’ll be happy to help. It might just save your reputation.