May 1, 2015

Security patches for Magento

Yireo Blog Post

If you are following Magento in the news, it should not come as a surprise. If this is new to you, you should take action, right after reading this post. Some security issues have been discovered in Magento, and this requires security patches to be installed ASAP. Let's see what this is all about. And let's see what you should do to secure your Magento.

SUPEE-5344 and SUPEE-1533

Last year a vulnerability was found and labeled SUPEE-1533. In January, another more dangerous exploit was found and labeled SUPEE-5344. But despite for security patches being available to close the holes, many websites are still vulnerable and unpatched. Somehow, the severity of the situation is not getting across to some Magento developers and Magento shop-owners, while already many Magento shops are being hacked because of these vulnerabilities. Many developers in the Magento community have already blogged about how serious this security issue is. With this blog, we hope to make that wake-up call even louder: Patch now!

One of the announcements made by Magento can be found here: http://magento.com/security-patch

The Byte Shoplift tester can be found here: https://shoplift.byte.nl/

What happens when your shop is hacked?

This sounds like a silly question, but to get into details anyway: If your shop gets hacked using one of the vulnerabities mentioned in this blog, many things can happen. And you will not like any of them. In a proof of concept, the SUPEE-5344 vulnerability was used to give extra discount on some products. That example simply showed the danger of the exploit, but not how the exploit was actually being used in the wild.

So far, reports have come in of various modifications made by hackers:

  • New admin users in the Magento backend
  • Strange orders with no charges
  • Modified core files
  • Uploaded a new Magento module to modify files easily
  • Upload PHP backdoors

Still more is possible: Often, a hack on the application level is used to try outs other hacks on the server level, with the ultimate goal to gain root access to the server.

What to do?

What to do? Well, patch. If you think you don't need to patch, double-check. If you think your site is already safe enough because of some firewall, patch it anyway. If you have installed Magento 1.9.1.0, thinking the latest version will give you all the security you need, upgrade to 1.9.1.1 immediately.

In May 1st 2015, Magento 1.9.1.1 was released. If you can upgrade to this version, it is the easiest way to secure your shop again. Don't wait - otherwise you might be left with a hacked shop. In some cases, upgrading to Magento 1.9 is not an option yet. In those cases, the manual patch procedure is still required. If you need a helping hand to apply the patches, or fix your hacked shop, we are happy to help out. Drop us a mail and we'll see what we can do.

Posted on May 1, 2015

About the author

Author Jisse Reitsma

Jisse Reitsma is the founder of Yireo, extension developer, developer trainer and 3x Magento Master. His passion is for technology and open source. And he loves talking as well.

Sponsor Yireo

Looking for a training in-house?

Let's get to it!

We don't write too commercial stuff, we focus on the technology (which we love) and we regularly come up with innovative solutions. Via our newsletter, you can keep yourself up to date on all of this coolness. Subscribing only takes seconds.

Do not miss out on what we say

This will be the most interesting spam you have ever read

We don't write too commercial stuff, we focus on the technology (which we love) and we regularly come up with innovative solutions. Via our newsletter, you can keep yourself up to date on all of this coolness. Subscribing only takes seconds.