All Magento versions have a critical security vulnerability

    On February 9th, 2015, the Magento team released a patch that closes a security hole in the Magento core. Many blogs and websites have only recently become aware of it, and detailed information about the patch is still hard to come by. We already reported on it in “Magento warns of remote code execution exploit”; here is a further update.

    The vulnerability allows access to the server
    A serious security flaw was discovered in the Magento core that allows an attacker to gain access to the entire Magento instance or to write files to the server.

    Magento versions 1.4 to 1.9 are affected
    The patch “SUPEE-5344 - Addresses a potential remote code execution exploit” is available for all affected Magento versions. It is published as a separate patch file per Magento version, so download the one that matches your installation. Install it as soon as possible if you have not already done so.

    Applying the Magento patch
    There are three ways to apply the patch. Two of them are described in the rack::SPEED blog:

    Applying the Magento patch via SSH:

    Download the appropriate patch from Magentocommerce.com (at the bottom of the page)
    Upload the patch to the public_html folder, i.e. the Magento root directory
    Run it from that directory and check its output for the success message: sh PATCH_FILENAME.sh
    Clear the file cache, again from the Magento root only: rm -rf var/cache/*
    Applying the patch without SSH:

    Download the appropriate patch from Magentocommerce.com (at the bottom of the page)
    Open the patch file in a text editor
    Apply the patch manually: lines in the patch marked with a minus (-) are removed, lines marked with a plus (+) are added, and unmarked lines are context that must already be present. The name of the file to edit appears in the header above each block of changed lines.
    Clear all caches to activate the changes: System > Cache Management
    A third option was published in the Commerce blog: executing the shell command from a PHP script (this does not work in every server environment, for example where the hoster has disabled PHP's exec() function):

    Applying the patch via PHP (without SSH):

    Download the appropriate patch from Magentocommerce.com (at the bottom of the page) and rename it to patch.sh
    Create a PHP file named patch.php
    Insert the following content:
        <?php
        // Run the patch script that sits next to this file in the shop root
        $shellCommand = "sh patch.sh";
        // escapeshellcmd() neutralises shell metacharacters in the command string
        $shellCommand = escapeshellcmd($shellCommand);
        // exec() collects the script's output line by line in $output
        exec($shellCommand, $output);
        print_r($output);
        ?>
    Copy the created patch.php together with patch.sh into the root directory of the shop
    Open patch.php in the browser
    An error or success message appears
    Delete both files from the server again. While patch.php exists, anyone who can reach its URL can run the patch script with the web server's privileges, so do this immediately and check that both files are really gone.
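    As an added example that is not part of the original post and not Magento's own tooling, the following POSIX shell wrapper ties the SSH procedure above together with the checks a careful administrator would add: it refuses to run outside a Magento root (so the cache deletion cannot hit the wrong directory), skips the patch if it is already recorded, runs the patch script, verifies that it was recorded, clears var/cache, and lists helper files such as patch.php or the patch script that were left in the document root. It assumes, as Magento's patch scripts do, that an applied patch is recorded in app/etc/applied.patches.list; the root directory, patch script path and patch ID are passed as arguments, and the sample patch script in the usage note is a constructed stand-in.

```shell
#!/bin/sh
# Added example, not from the original post or from Magento: a wrapper around
# "sh PATCH_FILENAME.sh" that adds the checks a careful admin would perform.
# Assumption: Magento patch scripts record an applied patch in
# app/etc/applied.patches.list (the exact line format is not relied on).

# A Magento root contains app/Mage.php and app/etc; refuse to touch anything
# else, because "rm -rf var/cache/*" typed in the wrong directory is unrecoverable.
is_magento_root() {
    [ -f "$1/app/Mage.php" ] && [ -d "$1/app/etc" ]
}

# Returns 0 when the patch ID (e.g. SUPEE-5344) is already listed as applied.
patch_applied() {
    root="$1"; id="$2"
    [ -f "$root/app/etc/applied.patches.list" ] &&
        grep -qF -- "$id" "$root/app/etc/applied.patches.list"
}

# Equivalent of the post's "rm -rf var/cache/*", but only inside a verified root.
clear_cache() {
    root="$1"
    is_magento_root "$root" || return 1
    rm -rf "$root/var/cache/"*
}

# patch.php from the PHP method is a command executor reachable from the web;
# list it and any patch script still lying in the document root.
leftover_helpers() {
    find "$1" -maxdepth 1 \( -name 'patch.php' -o -name 'PATCH_*.sh' -o -name 'patch.sh' \) -print
}

# Apply the patch script from the shop root and verify that it was recorded.
apply_patch() {
    root="$1"; script="$2"; id="$3"
    is_magento_root "$root" || { echo "not a Magento root: $root" >&2; return 1; }
    if patch_applied "$root" "$id"; then
        echo "$id is already applied, nothing to do"
        return 0
    fi
    ( cd "$root" && sh "$script" ) || { echo "patch script failed" >&2; return 1; }
    patch_applied "$root" "$id" || { echo "$id was not recorded as applied" >&2; return 1; }
    clear_cache "$root"
}

# Usage: ./apply_supee.sh /path/to/magento /path/to/magento/PATCH_FILENAME.sh SUPEE-5344
if [ "$#" -eq 3 ]; then
    apply_patch "$1" "$2" "$3" && leftover_helpers "$1"
fi
```

    Run it once and the helper list at the end tells you what still needs deleting; run it a second time and it exits early because the patch is already recorded, which is the quickest way to confirm on a fleet of shops which ones have actually been patched.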