Researchers have identified a serious vulnerability in Magento, the popular e-commerce platform owned by eBay. This critical flaw in the Magento eCommerce platform exposes online shops to serious risk by allowing malicious hackers to access credit card data or execute arbitrary PHP code on the web server. This vulnerability should be considered a high risk factor for businesses making use of the Magento platform, and should be addressed as a matter of priority.
Our SaaS scanning platform has already written a plugin to detect this vulnerability
eBay has made a patch available to remediate this issue, which is available here:
One of the things we like to do at Sec-1 is contribute back to the community wherever possible. As full time Penetration Testers, we often perform Research and Development to identify new vulnerabilities, adding checks to our scanning tools to help organisations highlight areas of concern.
As well as this, we often create tools to aid the rest of our teams and to contribute back to the pen testing and general security community.
Recently, one of Sec-1’s penetration testers, Matthew Hall, made a significant contribution to the Metasploit project.
As of the 1st Jan 2015 you cannot validate against PCI DSS Version 2 and must submit all validations against PCI DSS Version 3.0.
With this in mind we’ve produced an insightful new 8-page ‘Christmas-themed’ whitepaper, written by a Sec-1 Ltd Qualified Security Assessor (QSA): PCI DSS 3.0: A Christmas Carol.
‘Government Supply Chain to use Cyber Essentials to better manage the security risks presented by third parties.’
Cyber Essentials is the Governments standard to encourage UK companies to attain a minimum level of security. Importantly, as of the 1st October 2014 any organisation bidding on projects published after this date will have to demonstrate that they comply with the standard.
Over 50,000 websites have been compromised within the first three weeks following the disclosure of a critical vulnerability in the MailPoet plugin (formerly known as Wysija Newsletter) for WordPress.
The vulnerability allows the attacker to upload any content including PHP script files to the server without authentication. Successful exploitation of the vulnerability allows the attacker to execute code on the WordPress system and take complete control of the website.
The popularity of the plugin (over 1.7 million downloads) has attracted the attention of Malware authors who have already seized the opportunity to create a worm designed to propagate via vulnerable WordPress systems .
The initial patch for the vulnerability failed to correctly fix the problem, therefore we recommend that users of the software apply the 2.6.9 update, even if patches were applied following the initial disclosure.
Scanning WordPress with AppCheck NG
The AppCheck NG system has a dedicated WordPress module designed to identify vulnerable plugins and configuration weaknesses.
Sign up now for a free trial to scan your web sites and application; Register HERE
Download Appcheck NG Brochure; Brochure Download
Download Appcheck NG Sample Report; Example Appcheck NG Webscan
An exploit for the vulnerability has been published for the Metasploit Framework; Exploit Link
 Malware Infection; link
 Original Advisory; link