Magento Patch SUPEE-11086
Ready to patch your Magento shop again? There is a new patch called SUPEE-11086 out that fixes currently reported bugs and security problems.
Magento is now released in version 1.9.4.1 with lots of security-related updates. The patch is related to a major SQL injection leak that was detected for Magento 2. All reported problems are now fixed with this update. A detailed list of the problems can be found on the Magento homepage.
The good
The good news is that there are currently no known attacks that use these security leaks. That does not mean that there are none. A massive SQL injection was fixed; with it, it was possible to read the whole Magento 1 database and to change values. The other fixes are related to remote code execution that could change your PHP code files. With both in mind, someone would be able to completely change your shop.
The bad
As soon as Magento releases such an update, it becomes quite simple to create an attack: anyone can see which lines of code were fixed and craft an attack against unpatched systems. As always, it is very important to patch your shop as soon as possible.
How to install
In an older post I already showed how to install patches. The process is quite simple, but sometimes it can crash your production environment. To be safe, always test an update on your development environment first and use version control software like git.
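As an added example (not code from the original post or from Magento), the following shell script wraps the procedure above: it checks whether a patch is already recorded in Magento 1's app/etc/applied.patches.list, applies it on a throwaway git branch, and rolls back with git if the patch script fails. The shop root path and the patch script name are placeholders the caller supplies; the sample applied.patches.list is constructed so the check can be run offline.

```shell
#!/bin/sh
# Added example (not from the original post): a small wrapper around the patch
# procedure the post recommends. Assumes a Magento 1 shop root that is a git
# working tree and a SUPEE patch script downloaded from Magento; both names are
# placeholders supplied by the caller.

# Magento 1 records every applied patch in app/etc/applied.patches.list.
# Return 0 if the given patch id appears in that file, 1 otherwise.
supee_applied() {
    list="$1"
    patch_id="$2"
    [ -f "$list" ] || return 1
    grep -qF -- "$patch_id" "$list"
}

# Human-readable status, handy for a pre-deploy checklist.
patch_status() {
    if supee_applied "$1" "$2"; then
        echo applied
    else
        echo missing
    fi
}

# Constructed sample list (the real file has more columns); lets the checks
# above run offline without a Magento installation.
make_sample_list() {
    dir=$(mktemp -d)
    printf '%s\n' '2019-03-01 10:00:00 UTC | SUPEE-10975 | CE_1.9.4.0 | v1' \
        > "$dir/applied.patches.list"
    printf '%s\n' "$dir/applied.patches.list"
}

# Apply a patch on a throwaway git branch so a failed or partial run can be
# rolled back with git instead of taking the shop down. Run this on the
# development copy first, as the post advises.
apply_patch_safely() {
    shop_root="$1"
    patch_script="$2"
    patch_id="$3"
    cd "$shop_root" || return 1
    if [ -n "$(git status --porcelain)" ]; then
        echo "working tree is dirty; commit or stash first" >&2
        return 1
    fi
    if supee_applied app/etc/applied.patches.list "$patch_id"; then
        echo "$patch_id is already applied"
        return 0
    fi
    git checkout -b "patch/$patch_id" || return 1
    if ! sh "$patch_script"; then
        echo "patch script failed; restoring working tree" >&2
        git reset --hard && git checkout - && git branch -D "patch/$patch_id"
        return 1
    fi
    # The patch script itself appends to applied.patches.list; verify before committing.
    supee_applied app/etc/applied.patches.list "$patch_id" || return 1
    git add -A && git commit -m "Apply $patch_id"
}

# Usage with placeholder names:
#   apply_patch_safely /var/www/shop ./PATCH_SUPEE-11086_placeholder.sh SUPEE-11086
```

Committing the result on its own branch also gives you a clean diff of exactly which files the patch touched, which is what you want to compare against production before deploying.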
Conclusion
SQL injections are a big problem for all web-based programs, and therefore for every online shop. There are many different techniques to prevent SQL injections, but lazy testing and delayed updates often result in new security problems. The recent ones are fixed now, but watch out for new problems! Install new patches immediately.
What do you think about the current patch? Have you discovered any problems?