Magento security issues - SUPEE-8788
A few days ago, on October 11th, Magento announced the release of a new patch, SUPEE-8788, which closes a dangerous security hole in Magento. After that, Magento 1.9.3 was released, and Magento 2.1.2 as well. If you have a Magento site, patch now! This is said to have the same impact as the ShopLift attack a few years ago.
Overview of the security risks
The patch is a bundle of fixes, not only fixes for the risky holes but also some lesser stuff. The main vulnerabilities seem to have been reported by Peter O'Callaghan, an independent Magento developer and security expert. Of the vulnerabilities, the Remote Code Execution in the checkout (APPSEC-1484) is the most serious - it allows hackers to insert PHP code in the payment gateways and thus get access to your entire Magento site.
A SQL Injection bug in Zend Framework (APPSEC-1480) was also found, in essential ordering parameters of grids. This is still a bit theoretical because the only vulnerable point was discovered in the Magento backend. However, when combined with XSS and CSRF attacks (and fixes for those are included in the patch as well), it could allow attackers to gain access to your backend as well.
There is much more to the patch, but I'll leave it to you to study the details yourself: https://magento.com/security/patches/supee-8788
However, the most important thing now is to patch. Now.
The patch SUPEE-8788 includes various fixes and can be installed on any Magento 1.X site using the patch shell script that Magento provides. However, I would recommend that you consider upgrading the Magento core instead: if you are unable to upgrade from (let's say) Magento 1.7 to 1.9.3, this is a problem on its own and it should be dealt with. Being stuck on an old Magento version also means being stuck on an old PHP and MySQL, and it simply means your shop is stuck, your business is stuck.
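To confirm that a shop patched with the shell script really has SUPEE-8788 in place, you can read the log that the script appends to app/etc/applied.patches.list. The script below is an added example, not part of the original post or of Magento's own tooling; it assumes the log is pipe-separated with the patch name in the second field and a trailing REVERTED field for rollbacks, and the sample log and the patch name SUPEE-0000 are constructed.

```shell
#!/bin/sh
# Added example: report whether a SUPEE patch is currently applied, based on
# the log the Magento 1 patch script appends to app/etc/applied.patches.list.
# Assumed line format: "date | PATCH-NAME | edition | version | ..." with a
# trailing "| REVERTED" field when the patch was rolled back.

# patch_state <patch-name> <log-file>
# Prints one of: applied, reverted, missing, nolog
patch_state() {
    patch="$1"
    log="$2"
    [ -r "$log" ] || { echo "nolog"; return 0; }
    awk -F'|' -v want="$patch" '
        {
            name = $2
            gsub(/^[ \t]+|[ \t\r]+$/, "", name)
            if (name != want) next        # exact match, so SUPEE-878 != SUPEE-8788
            last = $NF
            gsub(/^[ \t]+|[ \t\r]+$/, "", last)
            # The most recent entry for the patch decides its state.
            state = (last == "REVERTED") ? "reverted" : "applied"
        }
        END { print (state == "" ? "missing" : state) }
    ' "$log"
}

# Constructed sample log: dates, editions and hashes are placeholders.
write_sample_log() {
    cat > "$1" <<'EOF'
2016-10-12 09:00:01 UTC | SUPEE-0000 | CE_X.Y.Z | v1 | PLACEHOLDER_HASH | constructed

2016-10-12 09:05:10 UTC | SUPEE-8788 | CE_X.Y.Z | v1 | PLACEHOLDER_HASH | constructed

2016-10-12 09:20:44 UTC | SUPEE-8788 | CE_X.Y.Z | v1 | PLACEHOLDER_HASH | constructed | REVERTED

2016-10-12 09:30:00 UTC | SUPEE-0000 | CE_X.Y.Z | v1 | PLACEHOLDER_HASH | constructed | REVERTED

2016-10-13 08:00:00 UTC | SUPEE-8788 | CE_X.Y.Z | v1 | PLACEHOLDER_HASH | constructed
EOF
}

# Usage: sh check_patch.sh /path/to/magento/app/etc/applied.patches.list
if [ -n "${1:-}" ]; then
    patch_state SUPEE-8788 "$1"
fi
```

A shop that was upgraded to Magento 1.9.3 instead of patched will report missing or nolog here, because the upgrade brings the fixes in the core files without writing to this log.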
Upgrading should be a healthy business, but it should not be taken lightly: it is not a copy-file-done action. If you need help with the upgrade process, do let us know. This coming week we are extremely busy with a Magento 2 Seminar. However, after that, or in between, we can perhaps squeeze in an upgrade or test upgrades to help you out.
For Magento 2, similar vulnerabilities exist and are therefore fixed, though the vulnerabilities seem to be a bit less dangerous. You should upgrade nonetheless: instead of patching files or copying the new core files, the only recommended way to upgrade Magento 2 is via composer. It runs fine in our case. And again, if you need any help, let us know.
Written by Jisse Reitsma on 14 October 2016