Magento released a patch for a critical vulnerability that allowed unauthenticated users to execute PHP code remotely on the server using APIs. Magento gave the vulnerability (CVE-2016-4010) a 9.8 out of 10 severity rating.

“Previously, an unauthenticated user could remotely execute PHP code on the server using either REST or SOAP APIs,” Magento Senior Product Manager Piotr Kaminski wrote in the security update. The two APIs are enabled in most installations by default, he added.

Exploiting the vulnerability relies on many small bugs, security researcher Netanel Rubin noted in a blog post detailing the vulnerability. “While granting module developers a convenient way of communicating between the front-end of the system and its back-end, the Web API, using the ‘webapi.xml’ file, also opens another door leading directly into the module’s core.”

Rubin was previously a researcher at Check Point Software, where he was part of the security team that discovered another vulnerability affecting Magento that allowed attackers to steal customers’ credit card details and personal information from online stores. The earlier vulnerability, discovered a year ago, was quickly exploited by criminal groups.

[An earlier version of this story incorrectly stated that Magento is owned by eBay. The e-commerce platform was sold by eBay to private equity firm Permira in a transaction that closed in November 2015.]