December 12, 2013

A patch has been released to fix a remote code execution vulnerability in some versions of Magento.

The recently discovered remote code execution vulnerability may allow an attacker with administrative privileges to delete files and folders from a Magento installation through a flaw in the WYSIWYG editor. Magento Enterprise Edition versions 1.6.0.0 through 1.13.0.2 and Magento Community Edition versions 1.4.0.0 through 1.7.0.2 are affected and should apply the patch detailed below. The vulnerability is fixed in the latest Magento releases, and stores running versions outside these ranges do not require the patch.

Magento site owners can apply the patch as follows:

  1. SSH to your server and navigate to your Magento base directory (the directory that contains app/Mage.php).
  2. Execute the following commands:

wget http://pubfiles.nexcess.net/magento/patches/image_patch.sh
sh image_patch.sh

The script is fetched over plain HTTP, so read its contents before running it, and take a backup of the installation first so that the change can be reverted if anything goes wrong.
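Because the advisory only applies to specific version ranges, the first thing to check is whether a given store falls inside them. The following POSIX shell script is an added example, not part of the Nexcess post or of image_patch.sh: it encodes the two affected ranges stated above and decides whether a store needs the patch. Version comparison is done numerically per component so that 1.10.x sorts after 1.9.x. The function names (vercmp, in_range, is_affected, report, check_install) are this example's own; check_install reads the installed version with Magento 1's real Mage::getVersion() from the base directory, while the edition is passed in by hand because the oldest affected Community releases do not expose Mage::getEdition().

```shell
#!/bin/sh
# Added example, not part of the Nexcess post or the image_patch.sh script.
# Encodes the affected ranges stated in the advisory:
#   Enterprise Edition 1.6.0.0 .. 1.13.0.2
#   Community Edition  1.4.0.0 .. 1.7.0.2
# Function names below are this example's own.

# vercmp A B: prints -1, 0 or 1 for A < B, A == B, A > B on dotted versions.
# Missing components count as 0 (so 1.7 == 1.7.0.0) and a trailing
# non-numeric suffix such as "-rc1" on a component is ignored.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        ah="${ah%%[!0-9]*}"; bh="${bh%%[!0-9]*}"
        ah="${ah:-0}"; bh="${bh:-0}"
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    printf '%s\n' 0
}

# in_range VERSION LOW HIGH: exit status 0 when LOW <= VERSION <= HIGH.
in_range() {
    [ "$(vercmp "$1" "$2")" -ge 0 ] && [ "$(vercmp "$1" "$3")" -le 0 ]
}

# is_affected EDITION VERSION: exit 0 when the patch is required,
# 1 when the version is outside the affected range, 2 on an unknown edition.
# EDITION is "community" or "enterprise" (case-insensitive).
is_affected() {
    edition=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$edition" in
        enterprise) in_range "$2" 1.6.0.0 1.13.0.2 ;;
        community)  in_range "$2" 1.4.0.0 1.7.0.2 ;;
        *) echo "unknown edition: $1 (expected community or enterprise)" >&2
           return 2 ;;
    esac
}

# report EDITION VERSION: prints the decision; exit status as is_affected.
report() {
    is_affected "$1" "$2" && rc=0 || rc=$?
    case $rc in
        0) echo "Magento $1 $2: patch required" ;;
        1) echo "Magento $1 $2: outside the affected ranges" ;;
    esac
    return $rc
}

# check_install BASE_DIR EDITION: reads the installed version from a
# Magento 1 base directory (the one containing app/Mage.php) using the
# real Mage::getVersion() static method, then reports the decision.
# Assumes php is on PATH and BASE_DIR is a valid Magento 1 install.
check_install() {
    ver=$(cd "$1" && php -r "require 'app/Mage.php'; echo Mage::getVersion();")
    report "$2" "$ver"
}

# Usage:
#   sh magento_patch_check.sh community 1.7.0.2        # decide from a version
#   sh magento_patch_check.sh enterprise /var/www/html # read it from an install
if [ $# -eq 2 ]; then
    if [ -d "$2" ]; then check_install "$2" "$1"; else report "$1" "$2"; fi
fi
```

The script only decides whether the patch is needed; applying it is still the two commands in the procedure above, and a store that reports "outside the affected ranges" should be on a release newer than the upper bound rather than an older one.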

The vulnerability was discovered during Magento's quarterly penetration testing, and there are no reports of exploitation in the wild, but owners of stores in the affected version ranges should apply the patch as soon as possible to ensure that their stores remain secure.

Nexcess