
Critical vulnerabilities patched in Magento e-commerce platform


<div id="drr-container"> <p>If you are running an online store based on the Magento e-commerce platform, it is a good idea to update it as quickly as possible. The most recent patches fix critical vulnerabilities that could allow attackers to hijack administrative accounts.</p> <p>One issue was disclosed by researchers from web security firm Sucuri and stems from improper validation of email addresses in the user registration form.</p> <p>The flaw allows a malicious user to include JavaScript code in the email field, leading to a so-called stored cross-site scripting (XSS) attack.
The JavaScript code is stored along with the form data and is triggered when the user account is listed in the website’s back-end panel.</p> <p>The issue is rated as critical because the rogue code can hijack an administrator’s authenticated session or can instruct his browser to perform a rogue action on the site, such as adding another administrator account with attacker-supplied credentials.</p> <p>The vulnerability affects Magento Community Edition prior to version 1.9.2.3 and Magento Enterprise Edition prior to version 1.14.2.3. Magento also <a href="https://magento.com/security/patches/supee-7405" target="new">released a patch bundle last week called SUPEE-7405</a> that can be applied to older versions.</p> <p>The bundle also contains fixes for 19 other flaws, including a similar stored XSS issue in the order comments form and one in the processing of the HTTP_X_FORWARDED_FOR header for the customer’s IP address. Other issues fixed include information leaks, CAPTCHA bypasses, cross-site request forgery issues, malicious file uploads and denial-of-service against the newsletter function.</p> <p>Some of these flaws also affect Magento 2.x CE and EE. Version 2.0.1 was released for both editions in order to address them, together with some critical stored XSS flaws that only exist in the 2.x versions.</p> <p>“If you’re using a vulnerable version of Magento, update/patch as soon as possible,” said Marc-Alexandre Montpas, the Sucuri researcher who found one of the stored XSS flaws, in a blog post Friday.</p> <p>According to the company that develops the e-commerce platform, Magento is used by over 200,000 firms, including many popular brand owners. 
A 2015 survey of the top 1 million websites by traffic found that Magento is used by around 30 percent of their online stores, making it the most popular e-commerce platform.</p> <p>Magento-based websites have been the target of large-scale attacks before, so they represent an attractive target for attackers. In October, many online stores running the platform <a href="http://www.pcworld.com/article/2994464/magento-sites-targeted-by-neutrino-exploit-kit.html" target="new">were infected with the Neutrino exploit kit</a>.</p> </div> <div class="byline vcard author end-byline"> <p><img class="bylineImage imgId100258922 " src="http://greattodaynews.com/wp-content/uploads/2016/01/1453744095_lucian_constantin-100258922-byline.jpg" alt="Lucian Constantin" /></p> </div>