Magento Forum

   
Reflective XSS Vulnerability discovered in latest version of Magento
 
jclawson
Jr. Member
 
Total Posts:  2
Joined:  2009-01-06
 

I won’t post the actual vuln here so I can give you guys a chance to fix it first.  Please let me know where I can send the details.  This attack vector was discovered by the Qualys WAS product (Qualys WAS Product).  I refined the vector a little so its simpler to execute.  I can cause any Magento installation to execute an arbitrary javascript payload.

 
Magento Community Magento Community
Magento Community
Magento Community
 
J_T_
Moderator
 
Avatar
Total Posts:  1961
Joined:  2008-08-07
London-ish, UK
 

Out of interest, did Varien contact you about this?

 
Magento Community Magento Community
Magento Community
Magento Community
 
jclawson
Jr. Member
 
Total Posts:  2
Joined:  2009-01-06
 

yes.  I recommend using the re-captcha extension in order to mitigate this vuln until it is patched.

 
Magento Community Magento Community
Magento Community
Magento Community
 
edmondscommerce
Guru
 
Avatar
Total Posts:  342
Joined:  2008-08-26
 

thanks for the heads up!

 
Magento Community Magento Community
Magento Community
Magento Community
Magento Community
Magento Community
    Back to top