What Is Magento Security Patch – SUPEE-5994

Security patch SUPEE-5994 for Magento was released on 14/May/2015. What has changed, and are there any known exploits for Magento?

Magento released a new security patch, SUPEE-5994, with multiple critical security fixes. Patch SUPEE-5994 addresses a range of issues, including scenarios where attackers can gain access to customer information.

Version: Magento Community / Enterprise Edition
Issues Addressed with Patch:
  1. Admin Path Disclosure
    An attacker can force the Admin Login page to appear by directly calling a module, regardless of the URL. This exposes the Admin URL on the page and makes it easier to initiate password attacks.
  2. Customer Address Leak through Checkout
    Enables an attacker to obtain address information (name, address, phone) from the address books of other store customers.
    During the checkout process, the attacker can gain access to an arbitrary address book by entering a sequential ID. No payment information is returned. The only requirement for the attacker is to create an account in the store, put any product into the cart, and start the checkout process.
    This attack can be fully automated, and a functional proof of concept exists.
  3. Customer Information Leak through Recurring Profile
    This issue enables an attacker to obtain address (name, address, phone), previous order (items, amounts) and payment method (payment method, recurrence) information from the recurring payment profiles of other store customers.
    The attacker only needs to create an account with the store. While viewing their own recurring profile, the attacker can request an arbitrary recurring profile using a sequential ID. The information is then returned to the attacker.
    This attack can be fully automated, and a manual proof of concept exists.
  4. Local File Path Disclosure Using Media Cache
    An attacker can use fictitious image URLs to generate exceptions that expose internal server paths, regardless of settings.
  5. Cross-site Scripting (XSS) Using Magento Downloader
    This issue enables an attacker to execute JavaScript code within the context of a Magento Connect Manager session. If the administrator clicks a malicious link, the session can be stolen and malicious extensions installed.
  6. Spreadsheet Formula Injection
    An attacker can provide input that executes a formula when exported and opened in a spreadsheet such as Microsoft Excel. The formula can modify data, export personal data to another site, or cause remote code execution. The spreadsheet usually displays a warning message, which the user must dismiss for the attack to succeed.
  7. Cross-site Scripting Using Authorize.Net Direct Post Module
    Enables an attacker to execute JavaScript in the context of a customer session. If a customer clicks a malicious link, the attacker can steal cookies and hijack the session, which can expose personal information and compromise checkout.
  8. Malicious Package Can Overwrite System Files
    An attacker can publish a malicious extension package. When the package is installed by a customer, it can overwrite files on the server. The attacker must first publish a package and then entice a customer to install it. The package might contain a malicious payload as well.
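Both the address-book leak and the recurring-profile leak come down to the same pattern: an authenticated customer asks for a record by a sequential ID and the store never checks that the record belongs to them, so enumerating IDs leaks other customers' data. Until a store is patched, the attack leaves an obvious trace in the web server access log: one client walking through consecutive IDs on a per-record URL within seconds. The script below is an added example (not part of the original article or Magento's own code) that flags that trace. The log lines are constructed, and the `/example/addressbook/view/id/<n>` path is a hypothetical placeholder; you would substitute the record-view URL of your own store.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines in Apache combined format. The client
# addresses are documentation ranges and the path is a hypothetical
# placeholder, not Magento's real checkout or recurring-profile endpoint.
SAMPLE_LOG = """\
203.0.113.7 - - [14/May/2015:10:00:01 +0000] "GET /example/addressbook/view/id/1001 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [14/May/2015:10:00:02 +0000] "GET /example/addressbook/view/id/1002 HTTP/1.1" 200 498 "-" "Mozilla/5.0"
203.0.113.7 - - [14/May/2015:10:00:02 +0000] "GET /example/addressbook/view/id/1003 HTTP/1.1" 200 505 "-" "Mozilla/5.0"
203.0.113.7 - - [14/May/2015:10:00:03 +0000] "GET /example/addressbook/view/id/1004 HTTP/1.1" 200 511 "-" "Mozilla/5.0"
203.0.113.7 - - [14/May/2015:10:00:03 +0000] "GET /example/addressbook/view/id/1005 HTTP/1.1" 200 509 "-" "Mozilla/5.0"
203.0.113.7 - - [14/May/2015:10:00:04 +0000] "GET /example/addressbook/view/id/1006 HTTP/1.1" 200 500 "-" "Mozilla/5.0"
198.51.100.2 - - [14/May/2015:10:00:05 +0000] "GET /example/addressbook/view/id/2042 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.2 - - [14/May/2015:10:05:00 +0000] "GET /example/addressbook/view/id/2042 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.2 - - [14/May/2015:10:06:00 +0000] "GET /example/catalog/product/view/id/77 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# Combined-log-format fields we need: client, timestamp, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Hypothetical per-record view URL keyed by a numeric ID (assumption).
ID_RE = re.compile(r"^/example/addressbook/view/id/(?P<id>\d+)$")


def parse_line(line):
    """Return (ip, timestamp, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))


def _mostly_consecutive(ids, tolerance=2):
    """True if the sorted IDs step by exactly 1 almost everywhere."""
    ordered = sorted(ids)
    steps = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
    return steps >= len(ordered) - 1 - tolerance


def find_enumeration(log_text, window_seconds=60, min_ids=5):
    """Flag clients that fetched many distinct, mostly consecutive record IDs
    within a short window. Returns a list of {"ip": ..., "ids": [...]}."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path, status = parsed
        idm = ID_RE.match(path)
        if idm and status == 200:  # only successful record reads count
            per_client[ip].append((ts, int(idm.group("id"))))

    window = timedelta(seconds=window_seconds)
    findings = []
    for ip, events in per_client.items():
        events.sort()
        start = 0
        best = set()
        # Sliding window: widest set of distinct IDs seen within window_seconds.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            ids = {rec_id for _, rec_id in events[start:end + 1]}
            if len(ids) > len(best):
                best = ids
        if len(best) >= min_ids and _mostly_consecutive(best):
            findings.append({"ip": ip, "ids": sorted(best)})
    return findings


if __name__ == "__main__":
    for hit in find_enumeration(SAMPLE_LOG):
        print(f"{hit['ip']} read {len(hit['ids'])} consecutive records: {hit['ids'][0]}..{hit['ids'][-1]}")
```

The first client reads IDs 1001 through 1006 in three seconds and is flagged; the second client re-reads its own record twice and browses a product, which is normal behaviour and is not flagged. Keying on the client IP is the weakest part of this check, since a customer behind a large NAT can look like one client; if your log includes the session or customer ID, group on that instead.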
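The spreadsheet formula injection item is worth a closer look, because it is not a bug in the spreadsheet: any free-text field a customer controls (a name, an address line) that is later exported from the admin grid and opened in Excel will be interpreted as a formula if it starts with `=`, `+`, `-` or `@`. The fix on the exporting side is to neutralize those cells before writing the CSV. The following is an added example of that sanitizer, written for this article and not taken from Magento's export code; the sample rows are constructed.

```python
import csv
import io

# Leading characters that make common spreadsheets evaluate a cell as a
# formula. Tab and carriage return are included because some applications
# treat text after them as a new cell.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return a value that a spreadsheet will show as literal text.
    Only strings are touched, so numeric columns keep their numeric type."""
    if not isinstance(value, str):
        return value
    # A trigger hidden behind leading whitespace is still evaluated by
    # some spreadsheets, so look past the whitespace before deciding.
    if value.lstrip(" \t\r\n").startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def export_rows(rows, header):
    """Write rows to CSV text with every string cell neutralized and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_NONNUMERIC, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(v) for v in row])
    return buf.getvalue()


# Constructed sample: customer records as an admin grid export might produce
# them. The second and third names are what a formula injection attempt
# looks like; the fourth is a legitimate phone number that must survive.
SAMPLE_HEADER = ("name", "phone_or_email", "orders")
SAMPLE_ROWS = [
    ("Jane Doe", "jane@example.com", 3),
    ("=1+2", "attacker@example.com", 0),
    ("  @SUM(1,2)", "eve@example.com", 1),
    ("Sam Smith", "+44 20 7946 0000", -2),
]


if __name__ == "__main__":
    print(export_rows(SAMPLE_ROWS, SAMPLE_HEADER))
```

The single-quote prefix is the conventional marker that tells Excel and LibreOffice to treat the cell as text; the trade-off is that legitimate values starting with `+` or `-` (the phone number above) also get the prefix and display with it in some viewers. The numeric order count `-2` is passed through untouched because it is an integer, not a string, which is why the export should keep numbers typed rather than stringifying them before the sanitizer runs.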