Magento SUPEE-5344 – Shoplift Bug Patch

Magento SUPEE-5344 – Shoplift Bug Patch

In late January of 2015 the was a report to Magento by Check Point Software Technologies of the first remote code execution (RCE) vulnerability, or “shoplift” bug. This bug affects both Magento Enterprise Edition and Magento Community Edition, which allows attackers to obtain control over a store and its sensitive data, including personal customer information. As of February 9, 2015, Magento released a patch for this issue. Therefore, we will discuss the Magento SUPEE-5344 – Shoplift Bug Patch.

Magento SUPEE-5344 – Shoplift Bug Patch

Patched Sites

To determine if your site has been patched, you can enter your URL in the search box here. A tool to test the risk level of your store can be found here.


We strongly recommend implementing the following patches if your site has not been patched already.

Community Edition Patches

The following are Magento Community Edition Patches:

Signs of a Compromised Site

Magento recommends looking for the following signs to determine if there was a potential compromise on your site:

  • Check your list of administrator users for unknown accounts. We have seen the use of vpwq and defaultmanager, but any unknown account is suspicious.
  • Check Magento installation for the recent creation of any unknown files and are suspicious. In addition, compare all files to your code repository or staging server.
  • Check server access log files for request POST /index.php/admin/Cms_Wysiwyg/directive/index/ coming from unknown IP addresses.
  • Run a tool to check for trojans (e.g. chkrookit)
  • Check for wrong permissions
  • Look for hidden files
  • Check for the opening of suspicious ports (command: netstat -nap | grep LISTEN )
  • Check for any port re-directions on OS level (sample command: iptables -L -n)

If you suspect that the site is compromised, contact us at Centennial Arts.

Checking Sites Via API

If you have several sites to check or you simply prefer to use Magento’s API, send a request similar to the following:

  • $ curl{domain}/{admin path}

Optionally, you can force the API to check in https mode:

  • $ curl{domain}/{admin path}/https

Finally, if your admin path is more than one level deep, replace slashes with exclamation points, like this:

  • # /mylong/admin/path becomes:
  • $ curl{domain}/my\!long/!admin\!path

Act Now

While many of have successfully downloaded the patch, there is still many who still have not done so. Even after applying the patch, if there was an impact on your store before applying the patch, then it would still have an affect. Don’t hesitate to contact us at Centennial Arts with the link below for more information on Magento SUPEE-5344 – Shoplift Bug Patch, and to ensure that your Magento store is secure!

Leave a Reply