In late January 2015, Check Point Software Technologies reported to Magento the first remote code execution (RCE) vulnerability in the platform, known as the “shoplift” bug. The bug affects both Magento Enterprise Edition and Magento Community Edition, and it allows attackers to take control of a store and its sensitive data, including personal customer information. As of February 9, 2015, Magento has released a patch for this issue. Therefore, we will discuss the Magento SUPEE-5344 – Shoplift Bug Patch.
Magento SUPEE-5344 – Shoplift Bug Patch
Patched Sites
To determine if your site has been patched, you can enter your URL in the search box here. A tool to test the risk level of your store can be found here.
Solution
We strongly recommend implementing the following patches if your site has not been patched already.
Community Edition Patches
The following are Magento Community Edition Patches:
- Patches for Magento Community Edition 1.4-1.9.2 are available.
- For versions prior to Magento Community Edition 1.3, please refer to the following thread on Magento Forums: https://community.magento.com/t5/Security-Patches/Is-Magento-CE-1-3-vulnerable-to-Shoplift/m-p/3812#M157.
Signs of a Compromised Site
Magento recommends looking for the following signs to determine if there was a potential compromise on your site:
- Check your list of administrator users for unknown accounts. We have seen the use of vpwq and defaultmanager, but any unknown account is suspicious.
- Check your Magento installation for recently created files you do not recognize; any such file is suspicious. In addition, compare all files to your code repository or staging server.
- Check server access log files for POST requests to /index.php/admin/Cms_Wysiwyg/directive/index/ coming from unknown IP addresses.
- Run a tool to check for trojans (e.g. chkrootkit).
- Check for incorrect file and directory permissions.
- Look for hidden files.
- Check for suspicious listening ports (command: netstat -nap | grep LISTEN).
- Check for any port redirections at the OS level (sample command: iptables -L -n).
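The access-log check above, as an added example that is not part of the original post: it parses Combined Log Format lines, keeps only POST requests whose path contains the Cms_Wysiwyg/directive/index controller segment (so a store with a renamed admin front name is also covered), and groups the hits by source IP after dropping addresses you know to be your own. The log lines and the known-IP set are constructed for the example.

```python
import re
from collections import defaultdict

# Controller segment of the indicator from the advisory:
# POST /index.php/admin/Cms_Wysiwyg/directive/index/
SHOPLIFT_SEGMENT = "/Cms_Wysiwyg/directive/index"

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_shoplift_requests(log_lines, known_ips=frozenset()):
    """Return {ip: [(time, status), ...]} for POSTs to the shoplift controller
    from addresses not in known_ips (your office, VPN or monitoring hosts)."""
    hits = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or non-standard lines instead of crashing
        if m["method"] != "POST" or SHOPLIFT_SEGMENT not in m["path"]:
            continue
        if m["ip"] in known_ips:
            continue
        hits[m["ip"]].append((m["time"], int(m["status"])))
    return dict(hits)


# Constructed sample log (documentation IP ranges), not a real capture.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2015:03:14:07 +0000] "POST /index.php/admin/Cms_Wysiwyg/directive/index/ HTTP/1.1" 200 512
198.51.100.4 - - [10/Feb/2015:03:14:09 +0000] "GET /index.php/admin/ HTTP/1.1" 200 2048
203.0.113.7 - - [10/Feb/2015:03:14:12 +0000] "POST /index.php/admin/Cms_Wysiwyg/directive/index/ HTTP/1.1" 200 498
192.0.2.10 - - [10/Feb/2015:09:00:01 +0000] "POST /index.php/admin/Cms_Wysiwyg/directive/index/ HTTP/1.1" 200 510
this line is not an access-log entry and is skipped
""".splitlines()

# Constructed allow-list: the store owner's own egress address.
KNOWN_IPS = {"192.0.2.10"}

if __name__ == "__main__":
    for ip, requests in find_shoplift_requests(SAMPLE_LOG, KNOWN_IPS).items():
        print(f"{ip}: {len(requests)} suspicious POST(s), first at {requests[0][0]}")
```

Run it against your real log with `find_shoplift_requests(open("access.log"), KNOWN_IPS)`; any IP it reports warrants the file-comparison and admin-account checks above.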
If you suspect that the site is compromised, contact us at Centennial Arts.
Checking Sites Via API
If you have several sites to check or you simply prefer to use Magento’s API, send a request similar to the following:
- $ curl https://magento.com/security-patch-check/{domain}/{admin path}
Optionally, you can force the API to check in https mode:
- $ curl https://magento.com/security-patch-check/{domain}/{admin path}/https
Finally, if your admin path is more than one level deep, replace slashes with exclamation points, like this:
- # /my/long/admin/path becomes:
- $ curl https://magento.com/security-patch-check/{domain}/my\!long\!admin\!path
Act Now
While many store owners have successfully downloaded and applied the patch, many still have not. Note that applying the patch does not undo an earlier compromise: if your store was impacted before the patch was applied, that impact remains. Don’t hesitate to contact us at Centennial Arts with the link below for more information on Magento SUPEE-5344 – Shoplift Bug Patch, and to ensure that your Magento store is secure!