Magento Security Patch SUPEE-5344 Shoplift Bug Patch

The Magento Security Patch SUPEE-5344 Shoplift Bug Patch was released on February 19, 2015 to fix a specific exploit called the “shoplift bug.” To verify if your storefront is protected, use the Shoplift Bug Test. Vendors whose Magento suite fails this test should get this patch immediately. Learn more about the shoplift bug and find where you can get this patch.

Benefits of Magento Security Patch SUPEE-5344

Security Patch SUPEE-5344 Shoplift Bug protects your store against one exploit that allows a full takeover:

  • Remote Code Execution (APPSEC-921)

Release Information

The Magento Security Patch SUPEE-5344 Shoplift Bug was released to address a vulnerability present in Magento storefronts. This vulnerability allowed code injection and could lead to a compromise of the store.

Industry best practices in security encourage vendors to keep their sites up-to-date with upgrades and new patches. Contact Forix for specific best practices for both Commerce Edition and Open Source Edition.

Installation

  • Partners
    Magento partners need to access their portal, choose Technical Resources, and click Download found on the Commerce panel. After this step find Magento Commerce Edition > Patches and Support and select the folder named “Security Patches – February 2015.”
  • Magento Commerce Edition Vendors
    Magento Commerce Edition users must access their account, navigate to Downloads, and select Magento Commerce Edition > Support patches. On that page, find the “Security Patches – February 2015” folder to get this important patch. Another option is to upgrade to the current Commerce Edition, which includes this security fix.
  • Magento Open Source Edition Vendors
    Vendors should search for security patches for all previous versions of Magento Open Source Edition on that version’s download page (search for SUPEE-5344). Vendors can choose to upgrade to the current Open Source Edition, which includes the Shoplift Bug patch.

Vendors are cautioned to test the installation of this patch in a development environment first. This allows them to confirm the patch works as expected prior to deploying it to the production site. Vendors can find information about installing this patch for both Commerce and Open Source editions online.

Issues Addressed

The Magento Security Patch SUPEE-5344 Shoplift Bug was released to deal with a specific vulnerability in all versions of Commerce Edition earlier than 1.9.1.1 and Open Source Edition 1.14.2.0.

  • Remote Code Execution (APPSEC-921) – Risk Rating: 9.1 Critical
    This vulnerability allows an attacker to bypass the authentication stage using a special parameter, which grants the attacker the ability to execute Admin actions. With that access, code can be injected through SQL, stored in the database, and executed. At this point, the attacker can create counterfeit administrator accounts and/or install malware on the server, fully compromising the store.

Download the Magento Security Patch SUPEE-5344 Shoplift Bug

Forix recommends vendors test their stores to see if this patch is installed. For protection from attackers taking over their stores, those lacking the patch can upgrade to the current Magento product version or install the Magento Security Patch SUPEE-5344 Shoplift Bug. Customer support testing for your system or installation regarding this patch is available from Forix. Get this critical update today!
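One way to check a Magento 1 store's own patch record for SUPEE-5344, as an added example that is not from the original page, Magento or Forix: Magento's patch scripts log each applied patch in app/etc/applied.patches.list. The pipe-separated record layout and the REVERTED flag for backed-out patches are assumptions, and the sample list is constructed.

```shell
#!/bin/sh
# Report whether a Magento 1 patch (e.g. SUPEE-5344) is recorded as applied.
# Magento's patch scripts append one record per run to app/etc/applied.patches.list.
# Assumed record layout (pipe-separated):
#   <date> | <patch id> | <Magento version> | <patch type> | <revert flag> | ...
# A patch backed out with the script's -R option is assumed to be logged again
# with the revert flag set to REVERTED, so only the newest record for an id counts.

# patch_status <magento_root> <patch_id>
# Prints applied, reverted or missing; exit status 0 only when applied.
patch_status() {
    root="$1"
    patch_id="$2"
    list="$root/app/etc/applied.patches.list"
    if [ ! -f "$list" ]; then
        echo missing
        return 1
    fi
    # Newest record whose second field, trimmed of spaces, is exactly the patch id.
    last=$(awk -F'|' -v id="$patch_id" '
        { f = $2; gsub(/^[ \t]+|[ \t]+$/, "", f); if (f == id) rec = $0 }
        END { print rec }' "$list")
    if [ -z "$last" ]; then
        echo missing
        return 1
    fi
    case "$last" in
        *"| REVERTED |"*) echo reverted; return 1 ;;
        *)                echo applied;  return 0 ;;
    esac
}

# write_sample_list <dir>: constructed records for testing, not from a real store.
# SUPEE-0000 is a placeholder id that stays applied; SUPEE-5344 was applied and
# then reverted, so the check must report it as not protected.
write_sample_list() {
    mkdir -p "$1/app/etc"
    cat > "$1/app/etc/applied.patches.list" <<'EOF'
2015-02-19 12:00:00 UTC | SUPEE-0000 | CE_1.9.1.0 | v1 | 0 | /var/www/magento | PATCH_SUPEE-0000.sh
2015-02-20 09:30:00 UTC | SUPEE-5344 | CE_1.9.1.0 | v1 | 0 | /var/www/magento | PATCH_SUPEE-5344.sh
2015-02-21 16:45:00 UTC | SUPEE-5344 | CE_1.9.1.0 | v1 | REVERTED | /var/www/magento | PATCH_SUPEE-5344.sh
EOF
}
```

Run `patch_status /path/to/magento SUPEE-5344` against a real store root; a result other than "applied" means the store should be treated as unpatched until verified otherwise.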

Resources:
https://magento.com/security/patches/supee-5344-%E2%80%93-shoplift-bug-patch
https://magento.com/security-patch