
Hack with script in customer name

We have a customer on version 1.9.2.3. They have all the latest patches. Today, someone tried to order from the site and put a script in their name. The order went through with the link to a remote script. How is this possible? Seems like a major security risk to Magento. See attached screenshot of what it looks like in the admin. This hack is the same as the one posted here: https://community.magento.com/t5/Security-Patches/Hacking-Attempts/td-p/84696 I'd be surprised if others are not also getting attacked in this manner.

Attachment: script-customer.jpg

2 REPLIES

Re: Hack with script in customer name

Don't worry, they are secure. If they were vulnerable, they would not even have seen those tags and realized that they were hacked just by looking at it there. That script tag is just converted to text by Magento, so the script is actually not firing to call that malicious file :)

Re: Hack with script in customer name

Hi @califa,

To be sure, take a look in the database at how those values were stored. You should find HTML entities.

--
If you've found one of my answers useful, please give "Kudos" or "Accept as Solution"
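A worked example added here to illustrate both replies above (it is not code from this thread or from Magento itself). It is PHP because Magento 1 is a PHP application. The first reply's point is escape-on-output: the `<script>` tag survives in the database but is converted to literal text when the admin renders it. The second reply's point is that the raw database value tells you which side did the work. The `escapeHtmlLikeMagento()` helper is assumed to match what Magento 1's `Mage_Core_Helper_Abstract::escapeHtml()` does (a `htmlspecialchars()` call with `ENT_COMPAT`, UTF-8 and no double-encoding); it is modelled on that helper, not copied from it. The submitted name is a constructed sample pointing at the reserved `example.invalid` host, and the `sales_flat_order` column names in the audit query are assumed from the Magento 1 schema.

```php
<?php
declare(strict_types=1);

// Added example, not code from this thread or from Magento.
// Demonstrates (1) why a name containing <script> is inert in the admin when
// it is escaped on output, and (2) how to read the raw database value.

// Assumed to mirror Magento 1's escapeHtml(): htmlspecialchars with ENT_COMPAT,
// UTF-8, and double_encode = false so already-encoded values are not mangled.
function escapeHtmlLikeMagento(string $data): string
{
    return htmlspecialchars($data, ENT_COMPAT, 'UTF-8', false);
}

// Constructed sample of what an attacker types into the first-name field.
// example.invalid is a reserved name; no real host is referenced.
$submittedName = '<script src="https://example.invalid/x.js"></script>Mario';

// --- First reply: escaping on output makes the stored tag inert -------------
// Case A: stored raw, escaped by the admin grid at render time.
$storedRaw = $submittedName;
$rendered  = escapeHtmlLikeMagento($storedRaw);
assert($rendered === '&lt;script src=&quot;https://example.invalid/x.js&quot;&gt;&lt;/script&gt;Mario');
// The browser shows "<script src=...>" as visible text; nothing executes.

// Case B: stored already entity-encoded (an input filter ran before storage).
// With double_encode = false, escaping a second time leaves it unchanged.
$storedEncoded = escapeHtmlLikeMagento($submittedName);
assert(escapeHtmlLikeMagento($storedEncoded) === $storedEncoded);

// Case C: the dangerous path is a template that echoes the value unescaped,
// e.g. a custom block doing  echo $order->getCustomerFirstname();
$renderedUnsafe = $storedRaw;
assert(strpos($renderedUnsafe, '<script') !== false); // live tag, would execute

// --- Second reply: classify the value as it sits in the database -----------
//   'raw'     : angle brackets present, the site relies on output escaping
//   'encoded' : stored as &lt;...&gt;, neutralised before storage
//   'clean'   : nothing markup-like at all
function classifyStoredValue(string $dbValue): string
{
    if (strpos($dbValue, '<') !== false || strpos($dbValue, '>') !== false) {
        return 'raw';
    }
    if (preg_match('/&(lt|gt|#60|#62|#x3c|#x3e);/i', $dbValue)) {
        return 'encoded';
    }
    return 'clean';
}

// True when escape-on-output leaves no live tag, whichever form was stored.
function isInertWhenRendered(string $dbValue): bool
{
    $out = escapeHtmlLikeMagento($dbValue);
    return strpos($out, '<') === false && strpos($out, '>') === false;
}

assert(classifyStoredValue($storedRaw)     === 'raw');
assert(classifyStoredValue($storedEncoded) === 'encoded');
assert(classifyStoredValue('Mario Rossi')  === 'clean');
assert(isInertWhenRendered($storedRaw));
assert(isInertWhenRendered($storedEncoded));

// Read-only query to list affected orders. Column names are assumed from the
// Magento 1 schema (sales_flat_order.customer_firstname / customer_lastname).
$auditSql = <<<'SQL'
SELECT entity_id, increment_id, customer_firstname, customer_lastname
FROM sales_flat_order
WHERE customer_firstname LIKE '%<%'    OR customer_lastname LIKE '%<%'
   OR customer_firstname LIKE '%&lt;%' OR customer_lastname LIKE '%&lt;%'
SQL;

foreach ([$storedRaw, $storedEncoded, 'Mario Rossi'] as $value) {
    printf("%-8s inert=%-3s %s\n",
        classifyStoredValue($value),
        isInertWhenRendered($value) ? 'yes' : 'no',
        $value);
}
```

Run it with `php escape_check.php` (PHP 7 or later). The caveat a practitioner should take from cases A and C: a raw value in the database is only harmless for as long as every place that prints it goes through `escapeHtml()`. Core admin grids do; a custom admin extension, report export or email template that echoes the field directly is where such a stored name would turn into stored XSS in the admin session, so after confirming how the value is stored, grep the theme and extension templates for unescaped echoes of customer name fields.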