Over 300,000 ecommerce websites have been exposed to remote code execution, SQL injection and cross-site scripting vulnerabilities. While many of the almost three dozen vulnerabilities can be exploited only if attackers authenticate themselves on an ecommerce website, one of them, which allows an attacker to carry out SQL injection, requires no authentication on the part of the attacker.
By carrying out SQL injection against a targeted ecommerce website that uses Magento's commercial or open source platform, attackers can inject their own commands into the SQL database and transfer sensitive data held in that database to a remote server. Such data may include credit card numbers and other personal details of people who made online purchases on the targeted site.
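The mechanism described above, as an added illustration that is not code from the article or from Magento: a lookup that builds its SQL by string concatenation lets a crafted parameter rewrite the query and return every row, while the same lookup with a bound parameter treats the input purely as a value. The table, column names and sample rows are constructed for the example; the masked card values stand in for the kind of data the article says is at risk.

```python
import sqlite3

# Constructed sample data for the example; not taken from any real Magento store.
SAMPLE_ORDERS = [
    (1, "alice@example.com", "4111-XXXX-XXXX-1111"),
    (2, "bob@example.com", "5500-XXXX-XXXX-0004"),
]


def make_db():
    """Create an in-memory database with a hypothetical orders table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, email TEXT, card_hint TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ORDERS)
    return conn


def lookup_vulnerable(conn, order_id):
    """Builds the query by concatenation: the caller's input becomes SQL text.

    An order_id such as "1 OR 1=1" changes the WHERE clause itself, so the
    query no longer selects one order but every row in the table.
    """
    query = "SELECT id, email, card_hint FROM orders WHERE id = " + order_id
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, order_id):
    """Binds the input as a parameter: the driver never parses it as SQL.

    The same "1 OR 1=1" string is compared against the id column as a value
    and matches nothing, so no extra rows leak.
    """
    return conn.execute(
        "SELECT id, email, card_hint FROM orders WHERE id = ?", (order_id,)
    ).fetchall()


def lookup_validated(conn, order_id):
    """Defence in depth: reject anything that is not an integer before querying."""
    if not order_id.isdigit():
        raise ValueError("order id must be a positive integer")
    return lookup_parameterized(conn, order_id)


if __name__ == "__main__":
    db = make_db()
    print("concatenated, normal input :", lookup_vulnerable(db, "1"))
    print("concatenated, crafted input:", lookup_vulnerable(db, "1 OR 1=1"))
    print("parameterized, crafted input:", lookup_parameterized(db, "1 OR 1=1"))
    try:
        lookup_validated(db, "1 OR 1=1")
    except ValueError as exc:
        print("validated, crafted input  : rejected,", exc)
```

The fix is not input filtering but keeping data and query text separate: with a bound parameter the database engine receives the value through a different channel, so there is nothing for crafted input to rewrite. The validation wrapper is an additional layer, useful for logging rejected requests as a detection signal, not a substitute for parameterization.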
To patch these vulnerabilities, Magento has rushed out three new versions of both Commerce and Open Source (2.3.1, 2.2.8 and 2.1.17) to prevent hackers from carrying out SQL injection to gain access to sensitive data.
Ilia Kolochenko, CEO of High-Tech Bridge, said that unless ecommerce platforms immediately patch their applications with the latest patches issued by Magento, the SQL injection flaw could lead to one of the most disastrous web hacking campaigns. The most dangerous flaw is the SQL injection that can be exploited without any pre-conditions, which is sufficient to steal the entire database and likely take control over the vulnerable website and web server. Sophisticated malware infections may plague gutted websites once all valuable data is stolen, he warned.