The Magento platform is a popular eCommerce framework used by organisations all over the world to create online shops.
Researchers from Check Point discovered critical security issues that could potentially allow the remote compromise of a Magento-based web site and unauthorized access to customer and credit card information. See the full post here: http://blog.checkpoint.com/2015/04/20/analyzing-magento-vulnerability/ . The vulnerability is currently affecting thousands of online stores.
Technical Details
Three vulnerabilities were discovered by the Check Point team:
CVE-2015-1398 - An authentication bypass vulnerability was reported in a Magento component. The vulnerability is due to a user-controlled parameter affecting the login mechanism. A remote attacker can exploit this issue by sending a specially crafted HTTP request to a vulnerable system. Successful exploitation may allow the attacker to gain access to a target system.
CVE-2015-1397 - An SQL injection vulnerability has been reported in a Magento component. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.
CVE-2015-1399 - A remote file inclusion vulnerability has been reported in a Magento component. The vulnerability is due to a lack of sanitization of user-supplied data. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
What should you do
Check your Magento implementation using our Trial Web Site Assessment Service and see if you are vulnerable. If so, apply the designated patch SUPEE-5344 released by Magento as soon as possible.