SQL injection flaw on Magento sites

Written by: Lucie Sadler
Date Posted: 2 April 2019

Critical updates for Magento users

E-commerce platform
Magento, the popular e-commerce platform, has recently released thirty-seven patches, including several critical updates. Users should apply the patches immediately to ensure that their online shop is protected against the vulnerabilities.

Magento, which is part of Adobe, offers commercial and open-source versions of the platform. Both versions were affected, with around 300K customers in total using the e-commerce solution. Magento has advised users to upgrade their shop to the latest versions, 2.3.1 and 2.2.8.

Time to patch
Some of the vulnerabilities could allow hackers to access the platform and make changes without authentication. Hackers could also take over a site and create new admin accounts, amongst other things.

Thirty-seven patches have been released: four critical, four high severity, twenty-six medium severity and three low severity updates. They need to be applied immediately to ensure that Magento users and their customers are protected. If exploited, the flaws could allow hackers to carry out remote code execution, SQL injection and cross-site scripting, among other attacks.

SQL injection
SQL injection is a popular technique used by cybercriminals to ‘inject’ malicious SQL into the queries an application sends to its database, bypassing application security measures in order to read, add, modify or delete database records. In this case, the SQL injection flaw could be used to pull usernames and passwords from the database. The SQL injection vulnerability found, PRODSECBUG-2198, could allow hackers to access the platform without authentication.
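
The mechanics described above, as an added illustration that is not part of the original post and not Magento's code: a lookup that splices user input into the SQL text, beside the parameterised form that fixes it. The table, rows and inputs are constructed sample data; the in-memory SQLite database stands in for the application's database.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for an application's user store.
    # The rows are sample data, not taken from any real installation.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin_user (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO admin_user VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    return conn


def lookup_unsafe(conn, username):
    # Vulnerable pattern: the input is spliced into the SQL text, so a quote
    # character in the input changes the structure of the query itself.
    sql = (
        "SELECT username, password_hash FROM admin_user "
        f"WHERE username = '{username}'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # Hardened pattern: the query shape is fixed at development time and the
    # input travels as a bound parameter, compared only as a value.
    sql = "SELECT username, password_hash FROM admin_user WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    conn = make_db()
    benign = "alice"
    # Constructed tautology-style input: a quote followed by a condition that
    # is always true. Against the unsafe query it widens the WHERE clause to
    # every row; against the safe query it is just a username nobody has.
    hostile = "x' OR '1'='1"
    return {
        "unsafe_benign": lookup_unsafe(conn, benign),
        "unsafe_hostile": lookup_unsafe(conn, hostile),
        "safe_benign": lookup_safe(conn, benign),
        "safe_hostile": lookup_safe(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The unsafe lookup returns the whole table for the hostile input, which is exactly how credential hashes get pulled out of a database through a flaw like this; the parameterised lookup returns nothing, because the database never treats the input as SQL.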

Security researchers have warned that this SQL injection flaw will soon be targeted by hackers on sites that have not been patched.

Payment skimmers
The SQL injection vulnerability could be exploited to plant card-skimming malware. This is a popular fraud technique in which payment card skimmers are inserted into a site’s code to collect information such as names, addresses, dates of birth and credit or debit card details. These attacks are often difficult to detect and can run from a single line of code, but have potentially disastrous consequences.
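
Because a skimmer is an extra script in the served page, one practical detection is to keep a baseline inventory of the scripts on the checkout page and alert on anything new. The following is an added example, not Hyve's tooling or anything from Magento: it extracts external script sources and hashes of inline script bodies, then diffs a current page against a known-good baseline. Both pages and the `cdn.example.invalid` host are constructed sample data.

```python
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collects external script sources and SHA-256 hashes of inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = set()
        self.inline_hashes = set()
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.add(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            body = "".join(self._buf).strip()
            if body:
                self.inline_hashes.add(hashlib.sha256(body.encode()).hexdigest())
            self._in_script = False


def script_inventory(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.external, parser.inline_hashes


def diff_against_baseline(baseline_html, current_html):
    # Anything present now but absent from the baseline is worth a look:
    # a new external source, or an inline body whose hash was never approved.
    base_ext, base_inline = script_inventory(baseline_html)
    cur_ext, cur_inline = script_inventory(current_html)
    return {
        "new_external": sorted(cur_ext - base_ext),
        "new_inline": sorted(cur_inline - base_inline),
    }


# Constructed known-good checkout page (sample data, not a real storefront).
BASELINE_PAGE = """<html><head>
<script src="/static/frontend/checkout.js"></script>
<script>window.checkoutConfig = {"currency": "GBP"};</script>
</head><body>...</body></html>"""

# Constructed tampered copy: one extra external script and one extra inline
# script, both harmless placeholders standing in for an unknown addition.
TAMPERED_PAGE = BASELINE_PAGE.replace(
    "</head>",
    '<script src="https://cdn.example.invalid/loader.js"></script>\n'
    "<script>/* constructed stand-in for an unknown inline script */</script>\n"
    "</head>",
)


if __name__ == "__main__":
    print(diff_against_baseline(BASELINE_PAGE, TAMPERED_PAGE))
```

In practice the baseline is captured right after a verified deployment and the diff runs on a schedule against the live checkout page; a non-empty result is a signal to investigate, not proof of compromise, since legitimate deployments also change scripts.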

We recommend that all users update their Magento platform as soon as possible, or virtually patch the vulnerabilities via a WAF. Hyve customers with Patch Management contracts will have already been patched.
