Security releases for Magento and Joomla
We hope you did not miss this news: Various security patches came out last weeks, and you should be upgrading soon, if not already. This mailing is another reminder for this.
Already 2 weeks ago a SUPEE patch 8788 came out to fix various security issues, among which a way to execute PHP code in the checkout (and hack your shop with it), SQL injections (that could be used to add more admin users), login as another customer and various other issues. The patch is therefore highly important and should be installed as soon as possible.
At the same moment Magento 1.9.3 was released, shipping the fixes in the SUPEE 8788 patch. However, this release has various issues that caused issues with current installations (SOAP, password confirmation when editing an account, etc) which made upgrading for some people a bumpy ride. However, we still recommend to upgrade to Magento 1.9.3 if you can, because all issues are documented by now (third party blogs, StackExchange) and this release includes security enhancements not made by the patch. It is said Magento 188.8.131.52 is underway, but if you don't patch soon, your shop might already be attacked. So don't wait, but patch.
This week a new Joomla version 3.6.4 came out for Joomla as well, fixing two major vulnerabilities. Though we've not seen much in the wild yet, the bugs deal with the ability to register on a Joomla site while actually Joomla is configured to have registration disabled, and the ability to change the usergroup of that registration (elevated privileges). Adding this up, these vulnerabilities allow for any Joomla site to be targetted by hackers, creating new management accounts (potentially Super Users) with automated attacks.
Upgrading Joomla should be easy: In some cases, you will need to update the Joomla Update Component first. Upgrading to Joomla 3.6.4 involves not much more than a simple click. Make sure to create a backup in advance.
Let us know if you need any help with upgrading.
Written by Jisse Reitsma op 26 October 2016