
Archived

This topic is now archived and is closed to further replies.

greasemonkey

Magento vulnerability


As I said in another topic recently: a system/software is only as good as the person that maintains it.

The fix/patch is available, but if people don't apply those patches then it is their own fault and not Magento's.

How many people are still out there using osC 2.2 or 2.3.1 and other older versions that have more security holes than Swiss cheese?

Hell, some still name their admin area "admin"!

One other thing I found a bit disturbing is this:

...and gain access to credit card details and other financial...

I always thought it is not good to keep credit card records, especially if you don't fulfil certain rules, right?


Well said.

I guess what I find most amazing is (they suggest in the article) that only 50% have been patched.

And I too would seriously question why anyone would want to hold a CC number in their database. Talk about asking for it....


I am not familiar with Magento, but if they have a kind of Dashboard in the admin area, as osC has, then they could release an emergency newsflash so that people can see that there is a patch available.

But if people still won't apply it even after all the efforts and announcements, then....well....

Imagine some, or probably most, people hired someone to create their shop; those people wouldn't know where to start in the first place. And Magento seems to have a difficult code base. So they would all need to hire someone again to fix their system.

I wonder how many shops are in those 50%...100'000? 1'000'000? 10'000'000? ...more?


A system holding CC info takes a lot more work to get PCI DSS compliance; then again, that's sort of like an honest system. I see a lot of reasons to hold a CC number, but only temporarily. Customers change their minds to add more items... exchange shipping... etc. One thing is holding CC info... another would be storing CC info in plain text... AES_ENCRYPT... SHA2 should slow 'em down... highly recommend 'em... I guess it's all about minimizing risks...

Well said.

I guess what I find most amazing is (they suggest in the article) that only 50% have been patched.

And I too would seriously question why anyone would want to hold a CC number in their database. Talk about asking for it....


For Magento, it was an easy patch. Same issues arose with lots of WordPress plugins, including WP eCommerce. Neither stores CC in the database.

Patches were available last week, before the public announcement.

Risk is quite low in regard to an actual hack, I think.

I guess the poster was kind of asking if osCommerce is affected?


Kym

Projects Director @ ozEworks.com


A system holding CC info takes a lot more work to get PCI DSS compliance; then again, that's sort of like an honest system. I see a lot of reasons to hold a CC number, but only temporarily. Customers change their minds to add more items... exchange shipping... etc. One thing is holding CC info... another would be storing CC info in plain text... AES_ENCRYPT... SHA2 should slow 'em down... highly recommend 'em... I guess it's all about minimizing risks...

Actually, the hack published was intercepting CC information between the customer inputting it on the form and its being encrypted and sent to the payment gateway, without its ever being stored anywhere. The only way to rule that out altogether is a SagePay-Form-type integration where you pass them to the payment gateway before they enter the card details.

There were/are addons that check that the code files in your store haven't changed, and that's really the only way to be sure you've not been hacked with an injection; we are running open source, so any remaining holes are public.

That said, I think that holes now are more likely to be in addons and custom code, which is harder for the malicious to exploit on any scale than vulnerabilities in the core. I suspect, though, that it's not so hard to design a bot that can hammer all the input fields and URL parameters on your site with injection strings to see if they can get in.


For a new install or if your store isn't mobile-friendly, get the community-supported responsive osCommerce (Phoenix).

here: on the official osc download page

Working on generalising bespoke solutions for Quickbooks integration, Easify integration and pay4later (DEKO) integration at 2.3.x
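The file-change check mentioned in the post above (addons that verify the store's code files haven't changed) comes down to a hash baseline and a later comparison. The script below is an added example written for this page; it is not an osCommerce add-on and not code from any poster. The directory layout, file contents, the appended script tag and the dropped file in the demo are all constructed for illustration, and the baseline format (a JSON map of relative path to SHA-256) is an assumption of this example.

```python
"""File-integrity baseline and comparison for a web store's code tree.

Added example, not code from the thread or from osCommerce. It records a
SHA-256 hash for every file under a directory (the baseline) and later
compares the tree against that baseline, reporting files that were
modified, added or removed. The demo tree and the simulated tampering are
constructed for illustration only.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files don't load fully."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, exclude_dirs=("images", "cache")) -> dict:
    """Map relative POSIX path -> sha256 for every regular file under root.

    Directories that legitimately change at runtime (uploaded images, page
    caches; names assumed here) are skipped so they don't drown out real
    code changes.
    """
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in exclude_dirs)
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_file():
                baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def save_baseline(baseline: dict, out_path: Path) -> None:
    """Write the baseline as JSON; keep this file OFF the web server."""
    out_path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def compare(root: Path, baseline: dict) -> dict:
    """Return lists of modified, added and removed files versus the baseline."""
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "removed": removed}


def demo() -> dict:
    """Constructed demo: build a tiny fake store, baseline it, tamper, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "includes").mkdir()
        (root / "includes" / "application_top.php").write_text("<?php // original\n")
        (root / "checkout_payment.php").write_text("<?php // checkout page\n")
        baseline = build_baseline(root)

        # Simulated injection (constructed): a script tag appended to the
        # checkout page, plus a new PHP file dropped into the tree.
        with (root / "checkout_payment.php").open("a") as f:
            f.write("<script>/* constructed skimmer placeholder */</script>\n")
        (root / "includes" / "x.php").write_text("<?php // dropped file\n")

        return compare(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the baseline once right after a clean install or upgrade, store the JSON somewhere the web server cannot write to, and run the comparison from cron or a separate host. The comparison only proves that files differ from the baseline, not that the baseline itself was clean, so it has to be taken from a tree you trust.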
