The flaw in Magento was rated 9.8 on a scale of 10, and it facilitated a complete rehash of the Magento online stores.
Independent security researcher Nethanel Rubin reported a vulnerability in the Magento eCommerce platform of the eCommerce giant eBay. Left unfixed, this vulnerability would have given hackers an advantage over retailers.
Version 2.0.6 was issued overnight with the vulnerability, CVE-2016-4010, fixed. The flaw scored around 9.8 on a 10-point severity scale. It means that the installation code will not be accessible once the installation process finishes.
“Earlier, users with minimal access or permission could easily execute the PHP code, or even the unauthenticated user could do that on the server. This was possible because the directory or the app was in a writable condition. The majority of the administrators, too, did not make any changes to the permissions even after the installation was complete,” the company reported.
Rubin, an Israeli researcher who had earlier discovered loopholes in the Magento platform, along with many others, opined that hackers can execute arbitrary PHP code on unpatched systems. He said, “This vulnerability creates room for the hacker to execute the PHP code, unauthenticated, on the vulnerable server of Magento.”
He also added that the vulnerability affects Magento Community Edition as well as Magento Enterprise Edition. He strongly recommended that all Magento administrators update their Magento installations to the 2.0.6 patch.
The chained attack is a combination of smaller vulnerabilities that Rubin details in full. It relies heavily on SOAP or REST being left enabled, which is the default setting and the case in the majority of installations.
Much of the fault can be attributed to the dynamic nature of the API and the sizeable API that customers use to run things such as shopping carts in Magento.
Rubin praised Magento's code overhaul, which included many code improvements, extensive rewriting and a substantial bolstering of security measures. It is touted as a giant leap, but it may also be something of a pain for Magento developers and vulnerability researchers alike.