For those who also work with Magento, or rather know people who use it: an important vulnerability

  • Sorry, I'm just putting it in here; some COMSEO CUSTOMERS or partners .... if updates come too late or are a long time coming, better this than something like this >>

    http://arstechnica.com/security/2016/…sk-of-takeover/

    A really stupid beginner's mistake: an XSS vulnerability

    Quote

    Bug in Magento puts millions of e-commerce sites at risk of takeover
    Exploits are as easy as embedding malicious JavaScript in registration forms.
    We were right! We just triggered an XSS in Magento Core.

    Quote

    As you can see from the above snippet, the template appends the getCustomerEmail method’s return value to the administration panel. This snippet looked similar to what we found in a bug within the WordPress Jetpack plugin a couple months ago. With that in mind, we investigated the type of validation mechanisms Magento used to check whether a given string is an email or not.

    This is what we found:

    It accepts two different forms of emails:

    Regular ones, similar to what we had found in WordPress (no double quotes, no ‘<’ sign, etc.)
    Quoted string format, which accepts pretty much any printable characters (except for space characters, where it only allows regular spaces to be used) as long as it’s surrounded by two double-quotes
    This meant that, in theory, we could use an email like “><script>alert(1);</script>”@sucuri.net as our client account’s email, submit an order and see what happens when an administrator checks our order in the administration panel.

    Edited 2 times, last by jotest (27 January 2016 at 11:44)
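
The quoted write-up's point, that an address can pass e-mail validation and still be unsafe to append to an admin page, shown as an added example that is not part of the original post and is not Magento's code. The validator, the function names and the `<td>` rendering are assumptions made for illustration; the sample address is the one from the quote, typed with ASCII double quotes.

```python
import html
import re

# Constructed validator (assumption, NOT Magento's code): it accepts the two
# local-part forms the quoted write-up describes.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
DOT_ATOM = ATEXT + r"(?:\." + ATEXT + r")*"        # "regular" form
QUOTED = r'"[\x20\x21\x23-\x5b\x5d-\x7e]*"'         # quoted-string form
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
DOMAIN = LABEL + r"(?:\." + LABEL + r")+"

ANY_FORM = re.compile("(?:" + DOT_ATOM + "|" + QUOTED + ")@" + DOMAIN)
PLAIN_ONLY = re.compile(DOT_ATOM + "@" + DOMAIN)


def is_valid_email(value):
    """Syntax check that allows quoted-string local parts."""
    return ANY_FORM.fullmatch(value) is not None


def is_plain_email(value):
    """Stricter input policy: dot-atom local parts only (defence in depth)."""
    return PLAIN_ONLY.fullmatch(value) is not None


def render_unescaped(email):
    """The flawed pattern: the stored value is appended to the page as-is."""
    return "<td>" + email + "</td>"


def render_escaped(email):
    """The fix: HTML-encode at output time, whatever validation said."""
    return "<td>" + html.escape(email, quote=True) + "</td>"


# Address quoted in the post above (ASCII double quotes).
SAMPLE = '"><script>alert(1);</script>"@sucuri.net'

if __name__ == "__main__":
    print("passes syntax check:", is_valid_email(SAMPLE))
    print("passes strict policy:", is_plain_email(SAMPLE))
    print("unescaped:", render_unescaped(SAMPLE))
    print("escaped:  ", render_escaped(SAMPLE))
```

Validation answers "is this an address?", not "is this safe in HTML?", so the escaping in `render_escaped` is the control that matters; the stricter input policy only narrows what reaches storage.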