Magento’s latest version release (2.2.0) has brought with it some important security updates that we think you need to be aware of. In a nutshell, those that will be discussed later in this post are:
- Removing serialise/unserialise from most of the code
- Enhanced protection of code
- Increased use of output escaping
As you can see from above, one of the changes they have implemented was removed serialise/unserialise from most of the code to improve website protection against remote code execution attacks. Where object serialisation or unserialisation is unavoidable, enhanced protection of code has been deployed.
Most importantly however, they have taken action to increase their use of output escaping to protect against cross-site scripting (XSS) attacks.
What is an XSS attack?
Cross-site Scripting (XSS refers to a client-side code injection attack wherein an attacker can execute malicious scripts into a legitimate website or web application in the context of a user’s browser session. What this means is that this code will most likely have access on all web application objects stored on the user’s browser such as cookies, web page elements, form fields, etc. But not on server side objects such as session objects. XSS is amongst the most rampant of web application vulnerabilities and occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.
Magento had this to say in their release notes:
“Magento 2.2.0 includes multiple security enhancements. Although this release includes these enhancements, no confirmed attacks related to these issues have occurred to date. However, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions, so we recommend that you upgrade your Magento software to the latest version as soon as possible.”
Security researcher Bosko Stankovic found the vulnerabilities and alerted Magento to their existence. As quoted by helpnetsecurity, he says:
The complete attacks described in the advisories (1,2) combine CSRF, stored Cross-Site Scripting and redirection, and require the victim to open the attacker’s page hosting malicious code. Another prerequisite for them is that the “Add Secret Keys to URLs”.
The affected Magento versions are as follows:
Magento CE 1 prior to 184.108.40.206
Magento Commerce prior to 220.127.116.11
Magento 2.0 prior to 2.0.16
Magento 2.1 prior to 2.1.9
Keeping your software up to date with the latest versions is an easy and quick way to help remain free of unwanted activity on your website. Patches are released every few months and so keeping an eye on the Magento Security Centre for updates will benefit you. The security centre also provides you with Magento security news, best practices and the option to report any security issues you may find.
If you are one of the 200,000+ merchants running a Magento based website then I urge you to update your version immediately. It could mean the difference between a safe environment and a crippled business.