Hackers publish details on critical Magento flaw
The Magento e-commerce platform could soon face a number of attacks after hackers publicly released code that exploits a critical vulnerability in its systems. The flaw could be used to plant payment card skimmers on sites that have not yet been updated.
The vulnerability, named PRODSECBUG-2198, is a SQL injection flaw that attackers can exploit without the need for authentication.
Any hacker who can obtain user names and crack the password hashes protecting these credentials could theoretically exploit the flaw to take control of administrator accounts. Upon gaining access, they could then install backdoors or any skimming code they choose.
This method was tested by a researcher at the security firm Sucuri, who managed to reverse-engineer a recently released official patch to create a working proof-of-concept exploit.