Showing 2 results for: October 2015 ×ModSecurity ×

Zero-day in Magmi database client for popular e-commerce platform Magento targeted in the wild

Magento is the most popular e-commerce platform owned by eBay since 2011. We illustrate how a severe security flaw can be introduced into a Magneto based e-commerce system, when installing a commonly used vulnerable version of the open-source Magmi utility and failing to change the default security configuration. The appearance of HTTP requests attempting to exploit this vulnerability in the wild indicates that some bad actors are onto this method as well. Once successful, the attacker gains the Magento site credentials and the encryption key for the Magento database.