Magento Security Patches
-
Security Patches
-
Security Updates and News
- Magento 2.2.6 and 2.1.15
- Magento Security Patch 2.2.1, 2.1.10 and 2.0.17 Update
- Magento 2.0.16 and 2.1.9 Security Update
- SUPEE-6788 Technical Details
- SUPEE-6788 Address Zend Framework Vulnerability Update
- Magento Security Patch 2.0.1 Update
- Magento 2.0.4 Security Update
- Magento 2.0.6 Security Update
- Magento Security Update 2.0.10 and 2.1.2
- Magento 2.0.14 and 2.1.7 Security Update
Magento Security Patch SUPEE-5344 Shoplift Bug Patch
The Magento Security Patch SUPEE-5344 Shoplift Bug Patch was released on February 19, 2015 to fix a specific exploit called the “shoplift bug.” To verify if your storefront is protected, use the Shoplift Bug Test. Vendors whose Magento suite fails this test should get this patch immediately. Learn more about the shoplift bug and find where you can get this patch.
Benefits of Magento Security Patch SUPEE-5344
Security Patch SUPEE-5344 Shoplift Bug provides protection against one exploit taking over your store:
- Remote Code Execution (APPSEC-921)
Release Information
The Magento Security Patch SUPEE-5344 Shoplift Bug was released to solve an issue present in storefronts. This vulnerability allowed code injection and compromised the store.
Industry best practices in security encourage vendors to keep their sites up-to-date with upgrades and new patches. Contact Forix for specific best practices for both Commerce Edition and Open Source Edition.
Installation
- Partners
Magento partners need to access their portal, choose Technical Resources, and click Download found on the Commerce panel. After this step find Magento Commerce Edition > Patches and Support and select the folder named “Security Patches – February 2015.”
- Magento Commerce Edition Vendors
Magento Commerce Edition users must access their account, navigate to Downloads where they will select Magento Commerce Edition > Support patches. On that page, find the “Security Patches – February 2015” folder to get this important patch. Another option is to upgrade to the current Commerce Edition and upgrade this security fix.
- Magento Open Source Edition Vendors
Vendors should search for security patches for all previous versions of Magento Open Source Edition on that version’s download page (search for SUPEE-5344). Vendors can choose to upgrade to the current Open Source Edition, which includes the Shoplift Bug patch.
Vendors are cautioned to test the implementation of this patch in a developmental environment. This allows them to confirm the patch works as expected prior to production site deployment. Vendors can find information about installing this patch for both Commerce and Open Source editions online
Issues Addressed
The Magento Security Patch SUPEE-5344 Shoplift Bug was released to deal with a specific vulnerability in all versions of Commerce Edition earlier than 1.9.1.1 and Open Source Edition 1.14.2.0.
- Remote Code Execution (APPSEC-921) – Risk Rating: 9.1 Critical
This vulnerability allows an attacker to bypass the authentication stage using a special parameter, which grants the user an Admin action execution. This action provides a vulnerability in which a remote code is injected using SQL. This places the code in the database and executes it. At this point, the attacker can create counterfeit administrator accounts and/or install malware on the server, fully compromising the store.
Download the Magento Security Patch SUPEE-5344 Shoplift Bug
Forix recommends vendors test their stores to see if this patch is installed. For protection from attackers taking over their stores, those lacking the patch can upgrade to the current Magento product version or install the Magento Security Patch SUPEE-5344 Shoplift Bug. Customer support testing for your system or installation regarding this patch is available from Forix. Get this critical update today!
Resources:
https://magento.com/security/patches/supee-5344-%E2%80%93-shoplift-bug-patch
https://magento.com/security-patch