Blog | Website Wizardry

Magento eCommerce SUPEE-5994 Vulnerability

15/05/2015

We’re big fans of Magento; it’s incredibly versatile and provides an excellent platform from which to create bespoke solutions.

It’s also open source, which brings a fair share of both advantages and disadvantages. One particular disadvantage is that malicious users can easily get hold of a copy and study it for vulnerabilities before finding a live installation and exploiting those vulnerabilities ‘out in the wild’.

This certainly isn’t unusual and other popular open source platforms such as WordPress also suffer from this.

Developers Act Quick!

With Magento holding customer data, ecommerce platforms are a bigger target for would-be hackers. However, an advantage of using open source is that these platforms are bolstered by the strength of the community of developers who use them and constantly look for, and share, ways to improve performance and security.

One such vulnerability was recently found and, in the early hours of this morning (15th May 2015), a patch was released by Magento. The vulnerability itself, referenced “SUPEE-5994 Vulnerability”, comes on the back of “SUPEE-1533” and “SUPEE-5344” which made headlines last month.

How These Vulnerabilities Are Fixed…

At regular intervals, Magento will release updates called ‘patches’ which are designed to fix any existing issues or vulnerabilities. The latest patch addresses a handful of security issues that can put your customers’ data at risk, namely:

  • Admin Path Disclosure
  • Customer Address Leak through Checkout
  • Customer Information Leak through Recurring Profile
  • Local File Path Disclosure using Media Cache
  • Spreadsheet Formula Injection
  • Cross-site Scripting

What Is Spiral Media Doing To Help?

As soon as we became aware of the existence of the patch this morning, we at Spiral Media downloaded it and applied it to all of our clients’ Magento installations.

The only impact may have been a slightly slower site while the cache rebuilt itself, as we have to clear it when applying fixes, but you can rest easy knowing that your Magento store is as up to date as possible.

You can also be assured that we will continue to roll out any new patches as and when we become aware of them.