
Magento Issues

  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 10563 posts

Posted 07 March 2017 - 08:18 PM #1

I just received this from my prior Merchant Service provider related to an announcement by Magento.

Seems there were several issues that may have cost them dearly in PCI/DSS consulting services and verification.


We have become aware of possible security issues with merchants using the Magento eCommerce Platform. Please take a look at the below from First Data, where Magento has had some security vulnerabilities that could have caused cardholders to become compromised.

As their representative(s), and to protect merchants and cardholders, if you have merchants that are processing on the Magento eCommerce Platform we need to make sure they are applying the security patches listed in the release below. Merchants can be directed to Magento if they have any questions or issues applying these security updates, as they would be able to direct the merchants on a course of action if needed.

New Magento 1.x and 2.x Releases Provide Critical Security and Functional Updates

Today, we are releasing several updates that include critical security and functional enhancements.

Enterprise Edition 1.14.3, Community Edition 1.9.3, and SUPEE-8788
Enterprise Edition 1.14.3 and Community Edition 1.9.3 deliver over 120 quality improvements, as well as support for PHP 5.6. They also resolve critical security issues, including:
• Remote code execution vulnerabilities with certain payment methods
• Possibility of SQL injection due to Zend Framework library vulnerabilities
• Cross-site scripting (XSS) risks with the Enterprise Edition private sale invitation feature
• Improper session invalidation when an Admin user logs out
• The ability for unauthorized users to back up Magento files or databases

The SUPEE-8788 patch addresses these security issues in earlier Magento versions. Functional update details and installation instructions are available in the Enterprise Edition and Community Edition release notes; a full list of security updates is published in the Magento Security Center.

Enterprise Edition and Community Edition 2.0.10 and 2.1.2
Updates to Magento 2 software address the same critical security issues described above. Additionally, the releases make several functional improvements and API enhancements. New API methods allow third-party solutions, such as shipping or ERP applications, to use APIs to transition an order state when they create an invoice or shipment. Magento 2.1.2 now also includes PHP 7.0.4 support, and Magento 2.0.10 and 2.1.2 are compatible with MySQL 5.7. A summary of improvements is available in the release notes; all security updates are listed in the Security Center.

You are advised to deploy these new releases right away, as attackers may target merchants who are slow to upgrade. Updates should be installed and tested in a development environment before being put into production. Also, please use this occasion to do a security assessment in accordance with our Security Best Practices.

Thank you for your continued cooperation and support.
Best regards,
The Magento Team


EZ Merchant Solutions: Custom (USA based) B2B Development, Consulting, Development and Special Projects (get a quote here).
Commercial addons, payment methods and modifications to meet your business and operations needs.


  • ThomH
  • Senior Member
  • Members
  • Join Date: 20-Nov 07
  • 1418 posts

Posted 08 March 2017 - 09:28 AM #2

ModSecurity may help to increase security. Only 1-2 rules must be disabled for it to work with CS-Cart v4.x editions.


WebGraphiq offers a wide range of professionally developed, ready to use CS-Cart add-ons to provide additional functionality and boost your sales. The oldest active CS-Cart add-on development team. -- Since 2006 --


CS-CART ADD-ONS | FREE QUOTE | CS-CART DEVELOPMENT | @webgraphiq


  • markhedley
  • Advanced Member
  • Trial users
  • Join Date: 19-Nov 16
  • 129 posts

Posted 12 March 2017 - 04:33 PM #3

Magento is a monolithic mess