
PRODSECBUG-2198 A Serious Risk to your Online Store

An important Magento security announcement has alerted us to a weakness in some older versions of the platform. The announcement calls for Magento store owners to urgently upgrade their sites to avoid being hacked or losing money.

Another reason to hurry: an example of how to perform an exploit on an unpatched Magento shop has been published online.

Ugly in name, the PRODSECBUG can be even uglier indeed. It provides bad actors with an easy-to-access backdoor into a store's database, which then allows virtually open access to all store data. Other exploits around this vulnerability focus on the payment gateway connections emanating from the store database. Thus it may be possible for a hacker to go as far as to create and fulfil his own orders.

Specific Magento Versions Affected

Version 1 Magento - all versions older than:

  • 1.9.4.1
  • 1.14.4.1 for Magento Commerce

Version 2 Magento - all versions older than:

  • 2.1.17
  • 2.2.8
  • 2.3.1
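A quick triage helper for the version thresholds above (an added example, not code from the announcement or from Magento): it parses a Magento version string and reports whether that release predates its PRODSECBUG-2198 fix. It assumes that 1.14.x is the Magento Commerce (Enterprise) line and that 2.x branches older than 2.1 are affected while branches newer than 2.3 postdate the patch.

```python
from typing import Tuple

# Fixed releases as listed in the announcement. Anything older in the same
# line is affected by PRODSECBUG-2198.
FIXED_1X_OPEN_SOURCE = (1, 9, 4, 1)
FIXED_1X_COMMERCE = (1, 14, 4, 1)      # 1.14.x is the Commerce (Enterprise) line
FIXED_2X = {(2, 1): (2, 1, 17), (2, 2): (2, 2, 8), (2, 3): (2, 3, 1)}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.2.7' or '2.2.7-p1' into a tuple of ints that compares naturally."""
    core = text.strip().split("-")[0]          # drop a '-pN' patch suffix
    return tuple(int(part) for part in core.split("."))


def is_affected(version: str) -> bool:
    """Return True if this Magento release is older than its listed fix."""
    v = parse_version(version)
    if v[0] == 1:
        fixed = FIXED_1X_COMMERCE if v[:2] == (1, 14) else FIXED_1X_OPEN_SOURCE
        return v < fixed
    if v[0] == 2:
        branch = v[:2]
        if branch in FIXED_2X:
            return v < FIXED_2X[branch]
        # Assumption: branches older than 2.1 (e.g. 2.0.x) fall under "all
        # versions older than" and are affected; 2.4+ shipped after the fix.
        return branch < min(FIXED_2X)
    raise ValueError(f"unrecognised Magento major version: {version}")


def triage(versions) -> dict:
    """Map each version string to 'AFFECTED' or 'ok' for a fleet of stores."""
    return {ver: ("AFFECTED" if is_affected(ver) else "ok") for ver in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real store data.
    for ver, status in triage(["1.9.3.10", "1.14.4.1", "2.2.7-p1", "2.3.1"]).items():
        print(f"{ver:>10}: {status}")
```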

Technical Details

The bug was discovered by a security engineer who has the exciting job of sniffing around online platforms to look for undiscovered holes in security and data protection. His name is Charles Fol. He lives in France and is a prolific detector of security issues, having discovered holes in PrestaShop and Drupal.

Although in his original article (URL below) Fol mentioned that the bug affected only Magento 2.x versions, Magento later released patches for 1.x versions as well.

Sadly, Charles claims that he found more than one security flaw. The first is the SQL injection bug discussed in this article; details of the next may soon follow.

Patch Release

The update to fix the xx error was released by Magento on the 26th of March this year; you can find it here.

This patch also fixes a number of other issues.

We strongly suggest that this update should be applied as soon as possible. Contact us if you need help with patching your system.