Release 2015-05-27: New Magento exploits and the start of workflow capabilities


You are now starting to see some of results of the updated backend. The introduction of the first step towards a workflow tool with tags. We did include multiple Magento specific vulnerabilities. Our phpMyAdmin modules also got an update.

Workflow

The plan forward is to make Detectify an integrated part of the workflow. It will be possible to flag, export and assign individual findings. The first step is that you are now able to mark individual post at resolved. Work your way down the list of vulnerabilities and improve the security of for web app.

Magento vulnerabilities

Multiple Magento-specific vulnerabilities were included in this release. Some of the included are:

  • Magento Shoplift SQL Injection
  • Magento SWF “bridgeName” XSS
  • Magento MAGMI XSS & LFI
  • Magento Admin Panel XSS’es

The Shoplift vulnerability allows a remote attacker to gain full control over the target system and impacts almost two hundred thousand Magento e-commerce shops. We’ve added a test to spot vulnerable installations. If you run a Magento e-commerce website run at test with Detectify. Visit http://magento.com/security-patch for further information

phpMyAdmin updates

phpMyAdmin is still one of the most common tools for administrating MySQL on the internet, and many people forget to update it. We’ve massively improved our collection of exploits towards older PMA installations. Some of the updates are:

  • phpMyAdmin Remote Code Execution through setup.php
  • phpMyAdmin “ServerSync” Backdoor
  • phpMyAdmin Directory Listing through db_details_importdocsql.php
  • phpMyAdmin Local File Inclusion through export.php
  • phpMyAdmin Local File Inclusion through grab_globals.lib.php

 

Just login and run a new scan to check it out!



Source link