Magento Forum

   
Magento Ecommerce Critical Security Issue
 
notsosecure
Jr. Member
 
Total Posts:  1
Joined:  2010-11-24
 

A critical security issue has been fixed in the latest version of Magento. The issue is a Persistent Cross Site Scripting in the admin screen which can be triggered from any user who follows the registration functionality. This would result in *complete* compromise of the CMS as an intruder can hijack Admin’s session and thus fully compromise the shop.

More details about this issue can be found here:

Magento Persistent XSS

I would strongly urge everyone to update/patch.

 
 
wmcferr
Sr. Member
 
Total Posts:  174
Joined:  2010-11-16
 

Sounds good!

 
 
chiefair
Mentor
 
Total Posts:  1839
Joined:  2009-06-04
 

So, is there any particular file(s) that can be patched to clip this thing in the wings? Looks like it’s mostly a user input filtration issue which if Magento code has been modularized enough, should allow us to attack the issue with a few selective edits.

Upgrades can be problematic if your site has been customized, am currently in template rewrites to bring the templates up to 1.4.1.1 level, even though they were developed on 1.3.1.1 and mostly worked with some major issues that had to be repaired. Since 1.4.2.0 is a release candidate, it’s nice to say we should upgrade, but I’ve been there once too often to be stampeded into killing my live site and losing revenue. If the community and Magento know specific changes that can be made, it would be better to patch for security reasons.

 
 
gmihai
Jr. Member
 
Total Posts:  4
Joined:  2008-12-23
 

In version 1.3.2.3 I think it’s in the code/core/Mage/Adminhtml/Block/Widget/Grid/Column/Renderer/Country.php on line 47 where it returns the country name unescaped.

 
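The kind of flaw described in the last post, an admin grid column renderer returning a customer-supplied country value without HTML-escaping it, modelled as a stand-alone PHP sketch with the unescaped and escaped renderers side by side. This is an added example, not Magento's code or its patch: every function name, the lookup table and the sample rows are hypothetical or constructed, and the fallback to the raw stored value is an assumption.

```php
<?php
// Added illustration: stand-alone model of an admin grid column renderer.
// Nothing here is Magento code; all names and data are hypothetical.

// Constructed lookup standing in for the locale's country-name table.
const COUNTRY_NAMES = ['US' => 'United States', 'CI' => "Côte d'Ivoire"];

// Assumption: when the stored code has no known name, the renderer falls
// back to the raw value that the registration form submitted.
function countryLabel(string $stored): string
{
    return COUNTRY_NAMES[$stored] ?? $stored;
}

// "Before": the label is written into the admin page as-is, so markup in a
// customer-supplied value becomes part of the admin's HTML.
function renderCountryUnescaped(string $stored): string
{
    return countryLabel($stored);
}

// "After": escape at output time for the HTML-body context of a grid cell.
// ENT_QUOTES covers both quote styles; the charset is stated explicitly.
function renderCountryEscaped(string $stored): string
{
    return htmlspecialchars(countryLabel($stored), ENT_QUOTES, 'UTF-8');
}

// Input validation complements output escaping: only two-letter uppercase
// codes should ever be accepted and stored by the registration handler.
function isValidCountryCode(string $value): bool
{
    return preg_match('/\A[A-Z]{2}\z/', $value) === 1;
}

// Constructed sample rows: two legitimate codes and one value carrying markup.
$rows = ['US', 'CI', '<b>not-a-country</b>'];

foreach ($rows as $stored) {
    printf("stored : %s\n", $stored);
    printf("valid  : %s\n", isValidCountryCode($stored) ? 'yes' : 'no');
    printf("before : <td>%s</td>\n", renderCountryUnescaped($stored));
    printf("after  : <td>%s</td>\n\n", renderCountryEscaped($stored));
}
```

Escaping in the renderer protects the admin grid even for rows already stored in the database, while the validation check only stops new bad values from being saved.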