Patching the magento shoplift vulnerability
April 25, 2015
A vulnerability coming out for a major CMS is always a big deal. Working for a fairly big hosting company however makes it about 9000 times worse. It must be a scary moment when you log into the admin area of your website and get a big pop up letting you know you need to patch against some critical issues that put you and all your customers at risk.
Shame it took Magento 2 months to do that.
The Magento 'shoplift' vulnerability has been covered extensively elsewhere, so there's not much point in further rambling on about it here. Suffice to say, I think there's been a fairly terrible response from Magento. Shipping unpatched versions of your code when you're got a share of the market this size sounds practically criminal. Putting the necessary patches behind a login wall is just an extra kick in the ribs.
I cobbled the following script together mainly for use in house, as some people run 50+ magento sites on one server and going through manaually selecting, downloading and applying patches to them wasn't something I was in a rush to do.
There are a few similar scripts out there already, but they all seemed to have limitations in some way, as they only worked on one particular kind of environment. Maybe they assumed you kept all your websites in /home/www/*/htdocs, that all your servers were on Ubuntu (God forbid) or that all your magento versions were identical. I didn't really have that luxury, so I wrote this with the aim of hopefully ferreting out all the magento installs on a server and applying patches to any version, regardles of OS. I'm not meaning to say that it's perfect, far from it, but it seems to get the job done.
You can find it on my github here:
https://github.com/zyio/magento-shoplift-autopatcher
As the readme says, the general idea is to run main.sh as root, like so:
bash main.sh
For anyone who trusts me for some reason, or just likes executing arbitrary bash straight from the internet, you can run it like this:
curl -s https://raw.githubusercontent.com/zyio/magento-shoplift-autopatcher/master/main.sh|bash
We'll save that argument for another day.
It's fairly well commented, so hopefully it's relatively clear what's going on.
As ever, any questions/comments, please drop me a mail. Details should be on the about page