
WebForms extension exploit: are you protected?

Magento has released a new patch that covers critical vulnerabilities.
WebForms is a popular extension to add more robust forms functionality to Magento sites. Unfortunately, attackers are abusing an outdated version to upload and execute PHP scripts. This can result in stolen credit card details, customer and transaction lists, and even being locked out of your own store.
Anyone using WebForms Pro 2.7.6 or older should update the extension to version 2.7.9 immediately.

WebForms sent out the following information about the update process and ways to protect your store:

“WebForms Pro Security Update

If you have a WebForms version older than 2.7.6 installed, please take action!
It has recently been discovered that the WebForms extension can cause a vulnerability on certain system configurations with the Magento 1 platform installed.

If your server is running Apache 2.4, Nginx or PHP 7, you are strongly advised to download the WebForms 2.7.7 update from the My Downloadable Products section of your account area.
The update contains a new file upload scan to block possible script files from being uploaded to the server.

If you have a customized version of WebForms or performing the update is problematic, please remove the following directory:
/js/webforms/upload

It is a safe operation as it doesn’t affect any major functionality. This folder is present in the current version of WebForms but will be removed in future updates.
If you have forms with file upload fields, please limit allowed file extensions.”

We strongly recommend that all Magento site owners check for and patch this vulnerability right away. If you have any questions about whether your store is at risk or how to update the extension, we’re standing by to help.
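
The two checks implied by the vendor notice above (is `/js/webforms/upload` still present, and have script files landed in it), as an added shell example that is not from WebForms or the original post. The function names, the extension list and the `<?php` content check are assumptions chosen for illustration; pass the Magento root as the first argument.

```shell
#!/bin/sh
# Added example: audit a Magento 1 tree for the directory named in the
# WebForms notice and for script-like files inside it.
# Assumptions: the extension list and the "<?php" content check are
# illustrative choices, not the scan shipped in the WebForms update.

WEBFORMS_UPLOAD_REL="js/webforms/upload"   # path taken from the vendor notice

# List files under DIR that look like PHP scripts: a PHP-style extension
# anywhere in the name (covers "x.php" and "x.php.jpg"), or a PHP open tag
# in the content regardless of the file name.
find_script_uploads() {
    dir="$1"
    [ -d "$dir" ] || return 0
    {
        find "$dir" -type f | grep -Ei '\.(php[0-9]?|phtml|phar|pht)(\.|$)' || true
        find "$dir" -type f -exec grep -lF -- '<?php' {} + 2>/dev/null || true
    } | sort -u
}

# Exit status: 0 = directory absent, 1 = directory present but no script-like
# files found, 2 = directory present and script-like files found.
audit_webforms() {
    root="${1:-.}"
    target="$root/$WEBFORMS_UPLOAD_REL"
    if [ ! -d "$target" ]; then
        echo "OK: $target is absent"
        return 0
    fi
    echo "FINDING: $target still exists (the vendor notice says to remove it)"
    hits=$(find_script_uploads "$target")
    if [ -n "$hits" ]; then
        echo "FINDING: script-like files under $target, review before deleting:"
        echo "$hits" | sed 's/^/  /'
        return 2
    fi
    return 1
}

# Stand-alone use: sh audit.sh /path/to/magento  (defaults to the current dir)
audit_webforms "${1:-.}"
```

A status of 2 means the listed files should be preserved for incident review and the store treated as potentially compromised, not just cleaned up.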


