A patch has been released to fix a remote code execution vulnerability in both Magento Enterprise and Community Editions.
In February, Check Point researchers announced that they released details of the critical RCE (remote code execution) vulnerability in the Magento platform. Checkpoint originally found this exploit back in February and contacted Magento privately regarding the issue. Magento then released a patch (SUPEE-5344) and is available here. The vulnerability is being referred to as Magento Shoplift and could potentially allow an unauthenticated attacker to execute PHP code in an affected server.
Magento has been contacting its clients with details of this vulnerability to both Community and Enterprise versions. If you are running an un-patched vulnerable version of Magento, a message should also be displayed upon logging into your admin interface informing you that patching is needed. This security issue is specific to the Magento core and is unrelated to any specific plugins or themes that you may be running.
Sucuri Security is now reporting that the xploit has been seen in the wild, we would also advise erring on the side of caution and downloading the patch regardless of whether or not your site has been impacted. The importance of this issue can not be overstated, and Magento has emailed customers several times informing them of the vulnerability and urging quick patching.
Instructions for installing the patch are simple. Community edition clients can download the patch from https://www.magentocommerce.com/products/downloads/magento/.
Be sure to grab the correct patch version for your Magento install.
You can download the patch locally then upload the patch to you server.
We have also placed the patches locally for immediate download. They are available at the following locations allowing you to curl or wget them directly:
[ 1.8.x – 1.9.x ]
[ 1.7.x ]
- Log in to your server via SSH:
- Change directory to the root of your Magento install (yourdomain.com/html)
- Execute the patch with the following command where the patch file name matches the version you have downloaded: ‘sh patch_file_name.sh’
Once installed, your magento caches should be flushed and re-compile if you are using the Magento compiler.
We also recommend first testing the patch on your dev environment before placing it live on your production site.
We have actively been assisting our clients to patch their installs as needed. If you need help applying the patch, please open a ticket to us at firstname.lastname@example.org and we will be happy to assist.