The patching of two flaws – one being critical – is the final security update for Magento 1
Magento has urged users of the Magento Commerce 1 and Magento Open Source 1 e-commerce platforms to apply the latest updates following the discovery of two security vulnerabilities.
The most serious, critical flaw is a PHP object injection bug that could lead to arbitrary code execution.
Rated as ‘important’, the other vulnerability is a stored cross-site scripting (XSS) flaw that, if exploited, could trigger the disclosure of sensitive information.
Both flaws require administrative privileges to execute.
‘Relatively easy to exploit’
“PHP object injection bugs are issues related to how input is dealt with and, in this case, providing (in essence) PHP code will make the server execute it,” Yonathan Klijnsma, head of threat research at RiskIQ, told The Daily Swig.
“It gives attackers the ability to run PHP code on the server, meaning they would have broad access, hence why it is classified as a critical vulnerability.
“Similar vulnerabilities have occurred in platforms such as WordPress, and come down to how input is serialised – in many cases these are relatively easy to exploit.”
READ MORE WordPress security release addresses multiple XSS vulnerabilities
In a security advisory published on Monday (June 22), Adobe said the updates would be the final security patches for the affected release line because it was discontinuing support for Magento 1 from June 2020.
The pair of vulnerabilities are present in all versions of Magento Commerce 1 (formerly Magento Enterprise Edition) and Magento Open Source 1 (previously Magento Community Edition) up to and including 1.14.4.5.
The latest version of Magento Commerce 1 can be downloaded from within the user’s account, while Magento Open Source 1 can be obtained from the open source downloads page.
Adobe thanked Luke Rodgers for reporting the security flaws.
‘Transition plans’
In a separate blog post published on Wednesday (June 24), the software giant said: “We’ve been working closely with customers, partners, and developers on transition plans through the Magento 1 [end-of-life] timeline.”
The decision to retire support for the 12-year-old release line was announced in September 2018.
RECOMMENDED Magecart: How a single skimming case evolved into widespread credit card theft
According to Adobe, “thousands of merchants” have already migrated to Magento 2, which is said to be easier to maintain and support.
Merchants who haven’t yet migrated are advised to do as soon as possible.
“If you need fast solutions to launch a Magento Commerce 2 store in as little as two weeks, please contact your Magento Customer Success Manager,” Adobe said.
Retailers whose online stores continue to run on Magento 1 after June 30 end-of-life date will “have increased responsibility for maintaining [their] site’s security and PCI DSS compliance”.
RELATED Bitdefender patches remote code execution flaw in antivirus software
