Security companies warn that anyone running the Magento e-commerce platform should make certain they are on its latest software, as attackers continue to exploit a flaw that was patched two months ago.
The vulnerability can give an attacker complete control of a store with administrator access, which in turn could allow theft of customer credit card data, wrote Netanel Rubin of Check Point’s Malware and Vulnerability Research Group. As many as 200,000 websites use Magento, which is owned by eBay.
Since Check Point disclosed the vulnerability, attackers have been taking advantage of it by hunting for unpatched installations. Their immediate aim is to forge an administrator account in the Magento database, according to Daniel Cid, CTO and founder of Sucuri. It is more likely, he wrote, that the attackers will use that foothold to take over the site later than to do anything with it right away.
The exploit code Sucuri analyzed is a SQL injection attack that inserts a new row into the “admin_user” table. Cid wrote that the exploit creates accounts with the usernames “vpwq” and “defaultmanager.” Finding either of those names in a store’s admin_user table is a strong indicator that the attack has already succeeded.
A video on Check Point’s blog demonstrates how the vulnerability could be used to reduce the price of a US $100,000 watch on a demonstration store the researchers set up for that purpose.
Rubin wrote that the vulnerability is actually a chain of several flaws which together allow an unauthenticated attacker to run PHP code on the web server. The flaws are in Magento’s core code and affect default installations of both the Community and Enterprise editions, he wrote.