Known vulnerabilities in modules

Installed modules or extensions contain known security vulnerabilities.

Details:

Modern store systems can usually be extended with modules or plug-ins. Even common functionality such as payment-provider or ERP connections is often implemented as a module. However, modules receive updates independently of the store system itself. Particularly with third-party providers, updates can be delayed because the module may first have to be adapted to changes in the store system. Because of these unclear and irregular update cycles, modules may remain installed for a long time in versions with known security vulnerabilities. A vulnerable module then puts the entire store at risk.

Please note: We only point out known security vulnerabilities in publicly available modules.

Solutions

We recommend having an experienced Magento developer update modules. Special dependencies often have to be taken into account (e.g. on the theme or on other modules), even more so if the module's functionality has been customized. First, create a backup of your store using your usual backup methodology. Normally it is sufficient to copy the Magento installation directory and to create a dump of the store database.

Manual installation

If the module was installed manually, its program code is typically located in the app/code/local directory (or app/code for Magento 2). A module update delivered as an archive file can then be unpacked directly into the installation directory of the store. Instead of overwriting the existing files of the module while unpacking, we recommend renaming the existing module directory beforehand, so that no old files remain.

Installation with modman

modman is a tool for managing Magento 1 modules and is common for open source and community modules. If the module was installed with modman, an update can also be done with modman.

modman update <module name>

Special installation methods or composer

Larger stores often use a specially adapted deployment, e.g. with composer (the PHP package manager) or other tools. In such an environment, installing an update manually is usually not an option, because the next deployment run may undo it. Module updates must then be performed through the deployment as well. In any case, talk to your developers or your agency.

Further recommendations for action
  • Please check your store for proper functioning, especially the functionality provided by the updated module.
  • After that, remove any renamed directories containing the old program code (see Manual installation) and make sure that backup files are not located in directories that can be reached via the web server.
  • If you encounter difficulties or problems after the update, restore the previous state from the backup and contact your developers or your agency.
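The manual update procedure described above (backup, move the old module directory aside, unpack the update, then check for leftovers inside the web root), as an added shell example that is not maxcluster's or Magento's own tooling. It assumes the Magento 2 layout app/code/<Vendor>/<Module>; the paths, the vendor and module names and the update archive are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example, not maxcluster's or Magento's own tooling. Assumes the
# Magento 2 layout app/code/<Vendor>/<Module>; every path is supplied by
# the caller and the archive holds the module's files at its root.

# Refuse an update archive whose members use absolute paths or "..",
# which would otherwise be written outside the module directory.
archive_is_safe() {
  tar -tzf "$1" | grep -Eq '(^/|(^|/)\.\.(/|$))' && return 1
  return 0
}

# Back up the installation directory into a directory outside the web
# root and print the archive path. The database dump belongs to the same
# backup; it is left as a comment so the example runs without MySQL:
#   mysqldump --single-transaction "$db" | gzip > "$2/db-$stamp.sql.gz"
backup_store() {
  store_dir=$1; backup_dir=$2; stamp=$(date +%Y%m%d-%H%M%S)
  mkdir -p "$backup_dir" || return 1
  tar -C "$(dirname "$store_dir")" -czf "$backup_dir/store-$stamp.tar.gz" \
      "$(basename "$store_dir")" || return 1
  echo "$backup_dir/store-$stamp.tar.gz"
}

# Move the installed module out of app/code (rather than overwriting it)
# so no stale files survive, then unpack the update into a fresh directory.
# The old copy lands in the backup directory, outside the web-served tree.
update_module() {
  store_dir=$1; vendor=$2; module=$3; archive=$4; backup_dir=$5
  target="$store_dir/app/code/$vendor/$module"
  archive_is_safe "$archive" || { echo "unsafe archive: $archive" >&2; return 1; }
  if [ -d "$target" ]; then
    mkdir -p "$backup_dir/old-modules" || return 1
    mv "$target" "$backup_dir/old-modules/${vendor}_$module.old-$(date +%Y%m%d-%H%M%S)" || return 1
  fi
  mkdir -p "$target" && tar -xzf "$archive" -C "$target"
}

# Heuristic check after the update: renamed module copies, archives and
# database dumps must not remain anywhere under the web-reachable store tree.
find_stale_files() {
  find "$1" \( -name '*.old-*' -o -name '*.tar.gz' -o -name '*.sql' \
       -o -name '*.sql.gz' \) -print
}
```

Run `backup_store`, then `update_module`, then confirm that `find_stale_files` prints nothing for the store directory before testing the store's functionality.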

Do you need assistance?

maxcluster GmbH
24 / 7 Customer support
Telephone:
+49 5251 414130
E-Mail:
support@maxcluster.de