Thursday 19 May 2016

Magento flaw allowed hackers to execute code using APIs

Magento released a patch for a critical vulnerability that allowed unauthenticated users to execute PHP code remotely on the server using APIs. Magento gave the vulnerability (CVE-2016-4010) a 9.8 out of 10 severity rating.

“Previously, an unauthenticated user could remotely execute PHP code on the server using either REST or SOAP APIs,” Magento Senior Product Manager Piotr Kaminski wrote in the security update. The two APIs are enabled in most installations by default, he added.

Exploiting the vulnerability relies on chaining many small bugs, security researcher Netanel Rubin noted in a blog post detailing the vulnerability. “While granting module developers a convenient way of communicating between the front-end of the system and its back-end, the Web API, using the ‘webapi.xml’ file, also opens another door leading directly into the module’s core.”



from hacker samurai http://ift.tt/1ThBwkm
via IFTTT
