Hack with script in customer name
We have a customer on version 1.9.2.3. They have all the latest patches. Today, someone tried to order from the site and put a script in their name. The order went through with the link to a remote script. How is this possible? Seems like a major security risk to Magento. See attached screenshot of what it looks like in the admin. This hack is the same as the one posted here: https://community.magento.com/t5/Security-Patches/Hacking-Attempts/td-p/84696 I'd be surprised if others are not also getting attacked in this manner.
Re: Hack with script in customer name
Don't worry, they are secure. If they were vulnerable, they should not have even seen those tags and realized that they were hacked by just looking at it there. That script tag is just converted to text by Magento, so the script is actually not firing to call that malicious file.
Re: Hack with script in customer name
Hi @califa,
To be sure, take a look in the database at how those values were stored. You should find the htmlentities.
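An added example, not part of the original posts and not Magento's own code: a stand-alone PHP sketch of the database check suggested above, classifying how a name value was stored and showing what escaping on output produces. The function names and the sample rows are hypothetical and constructed for illustration.

```php
<?php
// Added example: constructed sample values, not data from the thread.

/**
 * Classify how a name value is stored:
 *  'raw-markup'     - contains a literal tag (must be escaped on every output)
 *  'entity-encoded' - contains HTML entities such as &lt; (escaped before storage)
 *  'plain'          - neither
 */
function classify_stored_name(string $value): string
{
    if (preg_match('/<[a-z\/!][^>]*>?/i', $value)) {
        return 'raw-markup';
    }
    // Decoding changes the string only if it held entities.
    if (html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') !== $value) {
        return 'entity-encoded';
    }
    return 'plain';
}

/** Escape a value for an HTML text or attribute context. */
function render_name(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed rows standing in for name fields read from the order tables.
$rows = [
    'Jane Doe',
    '<script src="https://example.invalid/x.js"></script>',
    '&lt;script src=&quot;https://example.invalid/x.js&quot;&gt;&lt;/script&gt;',
    "O'Brien & Sons",
];

foreach ($rows as $stored) {
    // A raw-markup row renders as inert text once escaped; an entity-encoded
    // row is escaped a second time and shows its entities literally.
    printf("%-15s stored=%s\n                rendered=%s\n",
        classify_stored_name($stored), $stored, render_name($stored));
}
```

Rows reported as `raw-markup` depend on every template and export that prints the field escaping it, so those are the ones worth reviewing first.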