Known vulnerabilities in modules
There are vulnerabilities in modules and extensions.
Modern store systems can often be extended with modules or plug-ins. Even common functionality such as payment provider or ERP connections is frequently implemented via modules. However, modules usually receive updates independently of the store system itself. Particularly with third-party providers, updates can be delayed because the modules may first have to be adapted to changes in the store system. Because of these unclear and irregular update cycles, modules may remain installed for a long time in versions with known security vulnerabilities. A vulnerable module then puts the entire store at risk.
Please note: We only point out known security vulnerabilities in publicly available modules.
We recommend having an experienced Magento developer update modules. Often, special dependencies have to be taken into account (e.g. on the theme or on other modules). This applies even more if the module's functionality has been customized. First, create a backup of your store using your usual backup methodology. Normally it is sufficient to copy the Magento installation directory and to create a dump of the store database.
If the module was installed manually, the program code of the module is typically located in the app/code/local directory (or app/code for Magento 2). An update of the module supplied as an archive file can then be unpacked directly in the installation directory of the store. Instead of overwriting the existing files of the module during unpacking, we recommend renaming the existing directory of the module beforehand, so that no old files remain.
Installation with modman
modman is a tool for managing Magento 1 modules and is common for open source and community modules. If the module was installed with modman, an update can also be done with modman.
modman update <module name>
Special installation methods or composer
In the context of larger stores, a specially adapted deployment is often used, e.g. with Composer (the PHP package manager) or other tools. In such an environment, manually installing an update is often not possible, because the next deployment run may undo it. In this case, module updates must also be carried out through the deployment. Therefore, talk to your developers or your agency in any case.
Further recommendations for action
- Please check your store for proper functioning, especially the functionality provided by the updated module.
- After that, remove any renamed directories containing the old program code (see manual installation above) and make sure that backup files are not located in directories that can be reached via the web server.
- If you encounter difficulties or problems after the update, restore the previous state from the backup and contact your developers or your agency.
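The manual update procedure described above (backup, rename the old module directory instead of overwriting it, unpack the archive, then check for leftovers under the web root) as shell functions. This is an added example, not a script from the page or from Magento; MAGENTO_ROOT, MODULE_REL, ARCHIVE, BACKUP_DIR and the MAGE_DB_NAME variable are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the page): the manual module update procedure as shell functions.
# Assumed placeholders: MAGENTO_ROOT (store installation directory), MODULE_REL (module
# directory relative to it, e.g. app/code/local/Vendor/Module), ARCHIVE (update archive
# as .tar.gz) and BACKUP_DIR (a directory OUTSIDE the web root).
set -eu

# Step 1: back up the installation directory and, if a DB name is given, dump the database.
backup_store() {
  magento_root=$1; backup_dir=$2; stamp=$(date +%Y%m%d%H%M%S)
  mkdir -p "$backup_dir"
  tar -czf "$backup_dir/magento-files-$stamp.tar.gz" -C "$magento_root" .
  # MAGE_DB_NAME is an assumed environment variable; DB credentials are expected to
  # come from the usual mysql client configuration (~/.my.cnf). Skipped when unset.
  if [ -n "${MAGE_DB_NAME:-}" ]; then
    mysqldump "$MAGE_DB_NAME" > "$backup_dir/magento-db-$stamp.sql"
  fi
  echo "$backup_dir/magento-files-$stamp.tar.gz"
}

# Step 2: rename the module's existing directory instead of overwriting it, so that no
# old files survive inside the updated module, then unpack the archive into the store root.
update_module() {
  magento_root=$1; module_rel=$2; archive=$3; stamp=$(date +%Y%m%d%H%M%S)
  module_dir="$magento_root/$module_rel"
  if [ -d "$module_dir" ]; then
    mv "$module_dir" "$module_dir.old-$stamp"
  fi
  tar -xzf "$archive" -C "$magento_root"
  # Fail loudly if the archive did not actually contain the module at the expected path.
  [ -d "$module_dir" ] || { echo "archive did not create $module_rel" >&2; return 1; }
}

# Step 3 (post-update check): list renamed module directories and backup files that are
# still under the store root, where the web server could serve them. Empty output is good.
find_leftovers() {
  find "$1" \( -name '*.old-*' -o -name '*.sql' -o -name '*.tar.gz' -o -name '*.zip' \) -print
}
```

Run `find_leftovers "$MAGENTO_ROOT"` after verifying the store works, and only then delete what it lists.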