Magento SUPEE-5344 – Shoplift Bug Patch


In late January of 2015 the first remote code execution (RCE) vulnerability, or “shoplift” bug, was reported to Magento by Check Point Software Technologies. This bug affects both Magento Enterprise Edition and Magento Community Edition, and it allows attackers to obtain control over a store and its sensitive data, including personal customer information. As of February 9, 2015, Magento released a patch for this issue.

Patched Sites

To determine if your site has been patched, you can enter your URL in the search box here. A tool to test the risk level of your store can be found here.


It is strongly recommended to implement the following patches if your site has not been patched already.

Community Edition Patches:

Signs of a Compromised Site

It is recommended by Magento to look for the following signs to determine if your site has potentially been compromised:

  • Check your list of administrator users for unknown accounts. We have seen vpwq and defaultmanager being used, but any unknown account is suspicious.
  • Check Magento installation for any unknown files that were recently created and are suspicious. Compare all files to your code repository or staging server.
  • Check server access log files for request POST /index.php/admin/Cms_Wysiwyg/directive/index/ coming from unknown IP addresses.
  • Run a tool to check for trojans (e.g. chkrookit)
  • Check for wrong permissions
  • Check for hidden files
  • Check for suspicious ports being opened (command: netstat -nap | grep LISTEN )
  • Check for any port re-directions on OS level (sample command: iptables -L -n)

If you suspect that the site is compromised, contact us at Centennial Arts.

Checking Sites Via API

If you have several sites to check or you simply prefer to use Magento’s API, send a request like this:

  • $ curl{domain}/{admin path}

Optionally, you can force the API to check in https mode:

  • $ curl{domain}/{admin path}/https

Finally, if your admin path is more than one level deep, replace slashes with exclamation points, like this:

  • # /mylong/admin/path becomes:
  • $ curl{domain}/my\!long/!admin\!path

Act Now

While many of have successfully downloaded the patch, there is still a large number of those who still have not done so. Even after applying the patch, if your store was affected before the patch was applied, then it would still be compromised. Don’t hesitate to contact us at Centennial Arts with the link below to ensure that your Magento store is secure!

Magento Hosting
Contact us

Leave a Reply