Week 5
Magento Flaw Exposes Vulnerability for Online Stores
Magento is an e-commerce platform that is vulnerable to hackers. It is used by more than 250,000 vendors worldwide, including Burger King and Coca-Cola. The vulnerability was found in November by the company DefenseCode. When DefenseCode notified Magento, it was told that Magento was aware of the issue but had not yet addressed it. After several failed attempts to get a status update from Magento on the potentially serious issue, DefenseCode went public with its findings.
A new feature that allows users to add Vimeo video content to existing products can leave the system open to attack. According to the article by Eduard Kovacs, “This request method can be changed from POST to GET, allowing an attacker to launch a cross-site request forgery (CSRF) attack and upload an arbitrary file. While invalid image files are not allowed, the file is still saved on the server before it is validated.” (Kovacs, 2017) Researchers have determined that a successful attacker can gain complete control of the targeted system.
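
The two weaknesses in the quoted description (a state-changing request accepted over GET, and a file written before it is validated) are shown below next to a corrected handler. This is an added example, not code from the article or from Magento; it is a framework-agnostic Python model, and the handler names, token value and sample bytes are constructed assumptions.

```python
import hmac
import os
import tempfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"

def looks_like_image(data):
    """Content check on leading bytes; the client-supplied name is never trusted."""
    return data.startswith(PNG_MAGIC) or data.startswith(JPEG_MAGIC)

def upload_unsafe(method, session_token, form_token, name, data, media_dir):
    """Pattern from the quote: any method accepted, file saved, then validated."""
    with open(os.path.join(media_dir, name), "wb") as fh:
        fh.write(data)
    if not looks_like_image(data):
        return 400  # rejected, yet the file is already on disk
    return 200

def upload_hardened(method, session_token, form_token, name, data, media_dir):
    """Hypothetical corrected handler: reject early, write only validated data."""
    if method != "POST":
        return 405  # state-changing action must not be reachable via GET
    if not form_token or not hmac.compare_digest(
            session_token.encode(), form_token.encode()):
        return 403  # a forged cross-site request cannot supply the token
    if not looks_like_image(data):
        return 400  # validated in memory; nothing has touched the disk
    ext = ".png" if data.startswith(PNG_MAGIC) else ".jpg"
    stored = os.urandom(8).hex() + ext  # server-chosen name and extension
    with open(os.path.join(media_dir, stored), "wb") as fh:
        fh.write(data)
    return 200

def demo():
    """Replay one constructed forged request (GET, no token, non-image body)."""
    token = "constructed-session-token"
    body = b"constructed non-image bytes"
    with tempfile.TemporaryDirectory() as d1, tempfile.TemporaryDirectory() as d2:
        unsafe = upload_unsafe("GET", token, None, "note.txt", body, d1)
        hardened = upload_hardened("GET", token, None, "note.txt", body, d2)
        return unsafe, os.listdir(d1), hardened, os.listdir(d2)

if __name__ == "__main__":
    print(demo())
```

The unsafe handler answers 400 but leaves the rejected file in its media directory, while the hardened handler refuses the request at the method check and writes nothing.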
References
Kovacs, E. (2017, April 14). Unpatched Magento Flaw Exposes Online Stores to Attacks. Retrieved from Securityweek.com: http://www.securityweek.com/unpatched-magento-flaw-exposes-online-stores-attacks