Magento & X-Cart SQL Injection Vulnerabilities
Both the Magento and X-Cart ecommerce platforms have recently identified a potential SQL injection issue in their platform code and have released security patches to fix it. Find out all about the issue below, and get in touch if you would like us to check whether your website is affected.
What is an SQL injection?
SQL injection is one of the most common web hacking techniques. Through an SQL injection, a hacker can access your entire website database, download sensitive data, manipulate the data and even destroy data. Whether you have current backups of your database or not, this can have a huge impact on the running of your business. Via your database, a hacker could get access to your entire customer list, which could be used for extortion, sold to competitors or simply used to ruin your company's reputation with your customers. On top of that, there is often a huge expense (for cyber security and legal teams) involved in the disclosure to affected individuals that is required by Australian law.
Is my site affected?
Various versions of Magento and X-Cart have been identified as containing this security flaw. The affected Magento versions range from 220.127.116.11 to 18.104.22.168 and from 2.1.0 to 2.3.0. You can find a detailed list here or simply get in touch with your account manager or contact us online to have us confirm whether your current version is affected.
The affected X-Cart versions are 4.4.0 and higher. You can check your current version by logging into your admin panel and navigating to Tools > Summary, or simply get in touch with your account manager or contact us online to have us confirm whether your current version is affected.
How important is it to patch this issue?
It is extremely important that you have the security patches applied to your website if your platform version is in the list of affected versions. Not patching the issue leaves you vulnerable to an SQL injection attack. Hackers will often target well-known platforms with identified security vulnerabilities because it's easy for them to find the exploits and cause damage.
How can I patch my site?
We would suggest having your website developer apply the patches for you. It is important that they are applied in a staging environment first to ensure that they work correctly with your website. Once the patches have been applied and tested thoroughly, they can be deployed to the live environment. If you would like us to apply the patches for you, simply get in touch with your account manager or contact us online.