Magento Forums
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

A New 0-Day Magento Vulnerability Released

SOLVED
Go to solution
‎05-01-2017 04:39 AM
‎05-01-2017 04:39 AM

A New 0-Day Magento Vulnerability Released

Security researchers at Defence Code have found a critical vulnerability in Magento Enterprise and Magento Community editions. While earlier Magento team had a few delayed responses, but now seems that they've have released a patch for the same.

 

Vulnerability: It is a remote code execution vulnerability clubbed with CSRF

 

You can read the details here, and if you think you are vulnerable it is advisable to put necessary patches: https://www.getastra.com/blog/0-day-magento-vulnerability-put-users-on-red-alert/

 

I'm around if any questions are there.

 

-Dylan

Labels:
0 Kudos
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
‎05-01-2017 11:12 AM
‎05-01-2017 11:12 AM

Re: A New 0-Day Magento Vulnerability Released

This is not a 0-day! The Defense Code "exploit" requires a very specific list of security features to be turned off which are ON by default. 200,000 sites are not affected, that is a completely wrong statistic. The blog post linked above makes no effort to verify those numbers.

 

The community have verified multiple times that there is no danger to merchants at this time from this issue, but we are encouraging everyone to sign up for Magento security newsletter at https://magento.com/security to make sure that if any developments do emerge you'll hear from Magento themselves.

 

This is just old/fake news.

---------------------------------------------------
My Magento Security Podcast

View solution in original post

Reply
4 REPLIES 4
‎05-01-2017 11:12 AM
‎05-01-2017 11:12 AM

Re: A New 0-Day Magento Vulnerability Released

This is not a 0-day! The Defense Code "exploit" requires a very specific list of security features to be turned off which are ON by default. 200,000 sites are not affected, that is a completely wrong statistic. The blog post linked above makes no effort to verify those numbers.

 

The community have verified multiple times that there is no danger to merchants at this time from this issue, but we are encouraging everyone to sign up for Magento security newsletter at https://magento.com/security to make sure that if any developments do emerge you'll hear from Magento themselves.

 

This is just old/fake news.

---------------------------------------------------
My Magento Security Podcast
Reply
‎05-01-2017 11:21 AM
‎05-01-2017 11:21 AM

Re: A New 0-Day Magento Vulnerability Released

This is tagged as Magento 1 but mentions app/etc/env.php which is only present in Magento 2.  Yeah right there are 200k customers at risk, there aren't even that many M2 installs.

 

Stop writing click bait.

Reply
‎05-03-2017 03:26 AM
‎05-03-2017 03:26 AM

Re: A New 0-Day Magento Vulnerability Released

True Talesh. This is an error on our part. I have got the article updated with the information you mentioned. Also, have added the comment with your mention. Please check if it's fine by you.

0 Kudos
Reply
‎05-03-2017 03:32 AM
‎05-03-2017 03:32 AM

Re: A New 0-Day Magento Vulnerability Released

Steve. this wasn't aimed to be a click bait. Yes, an error in verifying from our part which has been rectified. As you would see on the blog and our upcoming articles, we have contributed in the past in making Magento extensions etc. secure. Again, apologies for this hiccup.

0 Kudos
Reply