
Magento Flaw Continues to Expose Thousands of e-Commerce Sites to Attackers

A recently discovered flaw in the popular e-commerce platform Magento lets an attacker upload arbitrary files to the web server by chaining several weaknesses together. Once uploaded, those files give the attacker remote code execution and, from there, access to the site's entire database, including customer credit card data and other sensitive records.

A successful attack requires some social engineering. The attacker sends a Magento administrator a link to a malicious website; when the logged-in administrator visits it, the page abuses their authenticated session to make the store download a .htaccess configuration file into a web-accessible download directory on the server. That .htaccess re-enables PHP execution for the directory, and the same mechanism is then used to drop the malicious PHP file itself.

The dropped PHP script then serves as a backdoor on the server, letting the attacker browse the server's directories and read the database password out of Magento's configuration file. With that password the attacker has full access to everything in the database, from customer card numbers to email addresses that can be harvested for spam.
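The chain above leaves two tell-tale artefacts on disk: a .htaccess that switches PHP back on inside a directory that should only ever hold static files, and a PHP file sitting in that directory. The following script, added here as an example and not code from the original article or from Magento, walks a store's webroot and reports both. It assumes a Magento 1-style layout in which media/ and var/ are the writable, web-served directories (an assumption; adjust MEDIA_DIRS for your installation), and it builds a constructed sample tree in a temporary directory so it runs offline.

```python
"""Audit a Magento webroot for the artefacts of the attack described above.

Added example, not code from the original article or from Magento. Assumption:
the writable, web-served directories an attacker would target are "media" and
"var" under the store root (a Magento 1-style layout); adjust MEDIA_DIRS for a
different layout.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Directories Magento serves publicly and writes to at runtime. Legitimate PHP
# code never lives here, so any PHP file or PHP-enabling .htaccess is suspect.
MEDIA_DIRS = ("media", "var")

# .htaccess directives that turn a static directory into a PHP-executing one:
# a handler/type whose *handler name* contains "php" (the stock
# "AddHandler cgi-script .php", which Magento ships to neuter PHP files, is
# deliberately NOT matched), or the PHP engine being switched back on.
PHP_ENABLE_RE = re.compile(
    r"^\s*(?:AddHandler|AddType|SetHandler)\s+\S*php\S*"
    r"|^\s*php_flag\s+engine\s+(?:on|1)\b",
    re.IGNORECASE | re.MULTILINE,
)

# File extensions the PHP module will typically execute.
PHP_FILE_RE = re.compile(r"\.ph(?:p\d?|tml|ar)$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str  # "htaccess_php_enable" or "php_in_media_dir"
    path: str  # path relative to the webroot, always with "/" separators


def audit_webroot(root):
    """Return sorted Findings for every suspicious file under MEDIA_DIRS."""
    findings = []
    for media in MEDIA_DIRS:
        base = os.path.join(root, media)
        if not os.path.isdir(base):
            continue
        for dirpath, _dirs, files in os.walk(base):
            for name in files:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                if name == ".htaccess":
                    with open(full, encoding="utf-8", errors="replace") as fh:
                        if PHP_ENABLE_RE.search(fh.read()):
                            findings.append(Finding("htaccess_php_enable", rel))
                elif PHP_FILE_RE.search(name):
                    findings.append(Finding("php_in_media_dir", rel))
    return sorted(findings, key=lambda f: (f.kind, f.path))


def build_sample_store():
    """Constructed sample tree (not a real store) in a temp dir: Magento's own
    hardening .htaccess in media/, an ordinary product image, and the two files
    an attacker would drop into a download directory."""
    root = tempfile.mkdtemp(prefix="magento-audit-")

    def put(rel, content):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)

    # Legitimate: the stock media/.htaccess turns the PHP engine off and maps
    # .php to cgi-script with ExecCGI disabled. Must not be flagged.
    put("media/.htaccess",
        "Options All -Indexes\n<IfModule mod_php5.c>\nphp_flag engine 0\n"
        "</IfModule>\nAddHandler cgi-script .php .pl .py\nOptions -ExecCGI\n")
    put("media/catalog/product/shirt.jpg", "not really a jpeg\n")
    # Malicious: a dropped .htaccess that re-enables PHP, then the backdoor.
    put("media/downloads/.htaccess",
        "AddHandler application/x-httpd-php .php\nphp_flag engine on\n")
    put("media/downloads/shell.php",
        "<?php /* placeholder for a dropped backdoor */ ?>\n")
    return root


if __name__ == "__main__":
    for f in audit_webroot(build_sample_store()):
        print(f"{f.kind:20} {f.path}")
```

To audit a real store, pass its document root to audit_webroot instead of the sample tree. Stock Magento ships hardening .htaccess files in media/ and var/ that switch the PHP engine off, which is why the matcher keys on the handler name rather than on the .php extension. The durable fix is to make a dropped .htaccess irrelevant: set AllowOverride None for those directories in the Apache virtual host (or, on nginx, return 403 for any *.php request under them), so that the only thing an attacker can plant there is inert data.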

The vulnerability was first found in November 2016 during a security audit of Magento Community Edition, but as of this writing the latest version remains unpatched. Oracle Dyn customers have a layer of protection in the meantime.

Oracle Dyn has released a rule that protects platform users against exploitation attempts targeting this Magento vulnerability. Our threat intelligence blocks known-malicious traffic before it reaches your site, and real-time monitoring alerts you to suspicious activity. An edge rule is a stopgap rather than a replacement for fixing the application: apply the vendor patch as soon as one ships, and make sure your web server ignores any .htaccess that lands in an upload directory.

If you are one of the more than 250,000 Magento users out there, don't go unprotected. Contact us to learn how Oracle Dyn's platform is designed with e-commerce security in mind.


Whois: Rebecca Carter

Rebecca Carter is a Product Marketing Manager at Oracle Dyn Global Business Unit, a pioneer in managed DNS and a leader in cloud-based infrastructure that connects users with digital content and experiences across a global internet.
