Important Magento Security Patch – Oct 3 2014

Magento today sent out an alert to patch ALL Magento sites – both Community and Enterprise – for two potentially serious security flaws.

Before I delve into what to do, I want to talk about why this update means that Magento is more secure (instead of worrying that it is less secure).

One of the wonderful things about an eCommerce platform that has more than a 250,000 active stores in use is that everyone is looking at security. So if anyone finds something, the entire community can be notified.

Unlike in the closed-source world, where nobody is able to actually look at the source code of the site, and determine if there is a security issue, open source basically says, here’s the blueprints to our lock. And rather than only a handful of people looking at the issue, a quarter of a million users can continuously evaluate security.

No system – physical or electronic is 100% secure. Even the White House has security issues with people jumping over their fence. (Although the next person that tries this will probably be met with a bit stronger of a reaction next time.)

This latest update addresses two potential security exploits. This affects both Magento Community Sites as well as Magneto Enterprise sites.

No actual attacks using this method have been reported. But it’s a good thing to plug and fix before people figure it out.

An attacker with administrative access to the Magento Admin Panel could use these vulnerabilities to execute code on your server.

Magento admin access can sometimes be guessed, so make sure you have strong usernames and passwords in place.

What could be done with this type of code on your Magento Site?

– A hacker could intercept customer data, including credit card information, and sell this information to others (or use it to ring up charges).

– A hacker could use the site as a way to attack other sites, taking over your resources, and having your server send endless requests to another server to bog it down and make it crash.

– Or, a hacker could host a phishing site on your server, that tricks people into giving up their user name and passwords for their bank account or other secure website.

Recommended Next Steps:
– Check to see if you have unknown files in the web server root directory.
– Run our Free Magento Code Audit tool on the site; this won’t find all of these files, but will find anything that is out of the ordinary, or if any of your core files have been modified.
– Review who has access to your Magento admin area, and remove older users. We recommend updating passwords and usernames, and avoiding anything that is easily guessed (like test123).
– Review any additional systems running on your server, especially if they have directories that have 777 permissions running on them.
– We also recommend changing the default location of your Magento admin area from the /admin/ to something that is more challenging to guess.

Call us if you’d like us to take a look or install this patch for you. We’re at 303.473.4400, or visit here to have a real person contact you.