24 October 18, 17:23
Quote: Magecart hackers are exploiting a long list of zero-day vulnerabilities in popular store extension software to inject the digital skimming code into targeted e-commerce sites, according to new research.
Dutch security consultant Willem de Groot revealed this week that the attackers had amassed a large number of Magento extensions which contained PHP Object Injection (POI) vulnerabilities.
“This attack vector abuses PHP’s unserialize() function to inject their own PHP code into the site. With that, they are able to modify the database or any JavaScript files,” he explained.
“As of today, many popular PHP applications still use unserialize(). Magento replaced most of the vulnerable functions by json_decode() in patch 8788, but many of its popular extensions did not.”
Source: https://www.infosecurity-magazine.com/ne...t-magento/
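
The difference between unserialize() and json_decode() that the quoted article refers to, as an added example that is not code from the article, from Magento or from any extension. The `CacheFile` class and the input string are constructed for illustration, and PHP 7.3 or later is assumed for `JSON_THROW_ON_ERROR`.

```php
<?php
// Constructed stand-in for an extension class with a magic method (not Magento code).
class CacheFile
{
    public static $log = [];
    public $path = 'var/cache/tmp.bin';

    public function __destruct()
    {
        // A real class might write to or delete $this->path at this point.
        self::$log[] = "CacheFile destructor ran, path={$this->path}";
    }
}

// Constructed request value: a serialized CacheFile whose property the sender chose.
$untrusted = 'O:9:"CacheFile":1:{s:4:"path";s:15:"attacker-chosen";}';

// 1. Pattern the article describes: unserialize() on request data builds the
//    object, and its destructor later runs with the sender's property value.
$obj = unserialize($untrusted);
$builtObject = $obj instanceof CacheFile;
unset($obj);

// 2. Where the serialized format has to stay: refuse every class. The value
//    comes back as __PHP_Incomplete_Class, so no CacheFile method is invoked.
$inert = unserialize($untrusted, ['allowed_classes' => false]);
$refused = $inert instanceof __PHP_Incomplete_Class;
unset($inert);

// 3. The replacement: JSON carries only scalars, arrays and plain objects, so
//    the serialized string is rejected and valid JSON yields data, never a
//    CacheFile instance.
$rejected = false;
try {
    json_decode($untrusted, true, 16, JSON_THROW_ON_ERROR);
} catch (JsonException $e) {
    $rejected = true;
}
$data = json_decode('{"path":"attacker-chosen"}', true, 16, JSON_THROW_ON_ERROR);

var_dump($builtObject, $refused, $rejected, $data);
print_r(CacheFile::$log);
```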