http://arstechnica.com/security/2015/04/potent-in-the-wild-exploits-imperil-customers-of-100000-e-commerce-sites/
By Dan Goodin
Ars Technica
April 23, 2015
Criminals are exploiting an extremely critical vulnerability found on almost 100,000 e-commerce websites in a wave of attacks that puts the personal information of millions of people at risk of theft.

The remote code-execution hole resides in the community and enterprise editions of Magento, the Internet's No. 1 content management system for e-commerce sites. Engineers from eBay, which owns the e-commerce platform, released a patch in February that closes the vulnerability, but as of earlier this week, more than 98,000 online merchants still hadn't installed it, according to researchers with Byte, a Netherlands-based company that hosts Magento-using websites. Now, the consequences of that inaction are beginning to be felt, as attackers from Russia and China launch exploits that allow them to gain complete control over vulnerable sites.

"The vulnerability is actually comprised of a chain of several vulnerabilities that ultimately allow an unauthenticated attacker to execute PHP code on the Web server," Netanel Rubin, a malware and vulnerability researcher with security firm Check Point, wrote in a recent blog post. "The attacker bypasses all security mechanisms and gains control of the store and its complete database, allowing credit card theft or any other administrative access into the system."
[...]