SUPEE-8788 – Old Patch – Renewed Urgency!

SUPEE-8788 was released in October of last year, but we are still seeing shops without it. We have also recently seen hackers continuing to steal data from merchants who have not installed the patch. The two critical fixes address a remote code execution flaw in checkout (reachable through some payment methods) and a SQL injection in the Zend Framework; the patch also ensures that sessions are invalidated after a user logs out. In addition to the two critical vulnerabilities, there are 15 further issues addressed in the patch.

Vulnerabilities fixed in SUPEE-8788:

  • Remote Code Execution in checkout – With some payment methods, it might be possible to execute malicious PHP code during checkout.
  • SQL injection in Zend Framework – The framework allows a malicious user to inject SQL through the ordering or grouping parameters.
  • Stored XSS in invitations – It is possible to use the Magento Enterprise Edition invitations feature to insert malicious JavaScript that might be executed in the admin context.
  • Block cache exploit – An attacker with administrator permissions can use static blocks to exfiltrate information stored in cache.
  • Log in as another customer – In certain configurations, it is possible to log in as an existing customer without a password and with only an email address.
  • Remote Code Execution in admin – The import/export functionality in Magento unserializes data supplied from the Admin dashboard without proper checks.
  • Full Page Cache poisoning – It is possible to manipulate the full page cache to store incorrect pages under regular page URL entries. This issue affects only Magento Enterprise Edition.
  • XSS vulnerability in URL processing – Magento function related to URL processing incorrectly uses user-supplied data from request headers. This can result in a cross-site scripting issue.
  • XSS in categories management – It is possible to create a category that contains malicious JavaScript code in the category name. This code will then be executed in other parts of the Admin panel, such as URL rewrites.
  • GIF flooding – A malicious user can upload a modified image that could cause a script timeout.
  • Cross-site scripting in Flash file uploader – Reflected cross-site scripting is possible on sites that use the file custom option.
  • Filter avoidance – Implementing filters for XSS in email templates and other admin features might not be sufficient to stop specially crafted exploit strings.
  • CSRF in several forms – Improper form key validation leads to possible CSRF attacks on several forms throughout Magento.
  • CSRF on removing item from Wishlist or Address Book – It is possible to create a phishing page that would delete the customer’s address or wishlist items.
  • Session does not expire on logout – The session is not invalidated after logout, so a stolen session cookie can still be used to access the customer’s account.
  • Lack of certificate validation enables MitM attacks – Lack of certificate validation on calls to external services enables man-in-the-middle attacks on those calls.
  • Timing attack on hash checking – It is theoretically possible to execute a timing attack on the password checking functionality. This is a low-risk vulnerability due to the effort required to execute this attack successfully.

Do you know if your site has the SUPEE-8788 patch installed?

Go to MageReport and check your site for free in less than a minute; all you need is your URL. When it comes to Magento, security patches should be taken seriously and installed and configured by Magento experts. Contact us today to see if we can get you patched up.
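A remote scan such as MageReport looks at the site from the outside; on the server you can also check the record that Magento 1 keeps of patches applied with the official patch scripts. The POSIX shell snippet below is an added example written for this post, not code from Magento or from MageReport. It assumes the standard Magento 1 file app/etc/applied.patches.list, in which each run of an official SUPEE patch script appends one line naming the patch, and a run that reverts the patch appends a line containing the word REVERTED (the field layout shown in the constructed sample lines is approximate). The script treats the last SUPEE-8788 line as authoritative, so a patch that was applied and later reverted is reported as missing.

```shell
#!/bin/sh
# Added example (not from the original post, Magento or MageReport):
# report whether SUPEE-8788 is recorded as applied in a Magento 1 install.
#
# Assumptions: the official patch .sh scripts append one " | "-separated line
# per apply/revert to app/etc/applied.patches.list, and a revert line
# contains the word REVERTED. Patches applied by hand (git apply, composer
# patches) are NOT recorded here, so "missing" means "not applied by the
# official script", not proof that the fix is absent.

# supee8788_status LISTFILE
# Prints one of: applied | reverted | missing | nolist
supee8788_status() {
    list="$1"
    if [ ! -f "$list" ]; then
        echo nolist          # no official patch has ever been run on this install
        return 0
    fi
    awk -v p='SUPEE-8788' '
        # Every line naming the patch overrides the state set by earlier lines,
        # so a later REVERTED entry cancels an earlier apply and vice versa.
        index($0, p) { state = (index($0, "REVERTED") ? "reverted" : "applied") }
        END { print (state == "" ? "missing" : state) }
    ' "$list"
}

# supee8788_applied LISTFILE
# Exit status 0 only when the last SUPEE-8788 entry is an apply, not a revert.
supee8788_applied() {
    [ "$(supee8788_status "$1")" = "applied" ]
}

# --- Constructed sample lists for offline demonstration ---------------------
demo_dir=$(mktemp -d)
APPLIED_LIST="$demo_dir/applied.patches.list"
REVERTED_LIST="$demo_dir/reverted.patches.list"
NOPATCH_LIST="$demo_dir/nopatch.patches.list"

cat > "$APPLIED_LIST" <<'EOF'
2016-08-30 10:15:02 UTC | SUPEE-8167 | CE_1.9.2.4 | v1 | constructed | SUPEE-8167_CE_1.9.2.4_v1.sh
2016-10-20 17:05:10 UTC | SUPEE-8788 | CE_1.9.2.4 | v2 | constructed | SUPEE-8788_CE_1.9.2.4_v2.sh
EOF

cat > "$REVERTED_LIST" <<'EOF'
2016-10-20 17:05:10 UTC | SUPEE-8788 | CE_1.9.2.4 | v2 | constructed | SUPEE-8788_CE_1.9.2.4_v2.sh
2016-10-21 08:41:55 UTC | SUPEE-8788 | CE_1.9.2.4 | v2 | constructed | SUPEE-8788_CE_1.9.2.4_v2.sh | REVERTED
EOF

cat > "$NOPATCH_LIST" <<'EOF'
2016-08-30 10:15:02 UTC | SUPEE-8167 | CE_1.9.2.4 | v1 | constructed | SUPEE-8167_CE_1.9.2.4_v1.sh
EOF

# Stand-alone run: print the verdict for each constructed list. On a real
# install point it at <magento_root>/app/etc/applied.patches.list instead.
for f in "$APPLIED_LIST" "$REVERTED_LIST" "$NOPATCH_LIST" "$demo_dir/none"; do
    printf '%s: %s\n' "$(basename "$f")" "$(supee8788_status "$f")"
done
```

Run it from the Magento root with the real path in place of the constructed lists; an "applied" verdict here together with a clean MageReport result is the combination you want, because each check covers a blind spot of the other.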


Give us a call to see how we can get you patched up: (513) 469-3361

Do you know if the patch was installed correctly?
