Magento “PolyShell” File Upload Vulnerability
Incident
Report for Liquid Web - Services
Resolved
We have taken steps to prohibit execution of files exploiting the "PolyShell" unrestricted file upload vulnerability on a subset of servers in our environment. We have sent a ticket to all customers we've protected identifying the servers and paths involved.
If you have any questions or concerns. You can reach us through the following channels:
Live Chat: https://my.liquidweb.com/
Email: support@liquidweb.com
If you have any questions or concerns. You can reach us through the following channels:
Live Chat: https://my.liquidweb.com/
Email: support@liquidweb.com
Monitoring
Following our investigation, we are implementing a mitigation measure for Magento 2 installations on our Managed hosting platform for which we have access between 21:00 EDT and 23:00 EDT tonight.
We have sent a ticket to all customers with servers where mitigations will be applied. For these customers, we will be deploying an .htaccess file to block direct web-request access to the uploads directory. This change is expected to have minimal impact. If your site has been customised to serve or process requests through the upload directory, this functionality will be affected. Please contact us with any questions.
Customers with Magento2 websites who did not receive a ticket should review the Sansec article below announcing this vulnerability and apply the recommended changes:
https://sansec.io/research/magento-polyshell
If you have any questions or concerns. You can reach us through the following channels:
Live Chat: https://my.liquidweb.com/
Email: support@liquidweb.com
We appreciate your patience and understanding.
We have sent a ticket to all customers with servers where mitigations will be applied. For these customers, we will be deploying an .htaccess file to block direct web-request access to the uploads directory. This change is expected to have minimal impact. If your site has been customised to serve or process requests through the upload directory, this functionality will be affected. Please contact us with any questions.
Customers with Magento2 websites who did not receive a ticket should review the Sansec article below announcing this vulnerability and apply the recommended changes:
https://sansec.io/research/magento-polyshell
If you have any questions or concerns. You can reach us through the following channels:
Live Chat: https://my.liquidweb.com/
Email: support@liquidweb.com
We appreciate your patience and understanding.
Investigating
We are aware of recent reports regarding a potential unrestricted file upload vulnerability, commonly referred to as “PolyShell”, affecting Magento and Adobe Commerce.
At this time, our teams are actively reviewing server environments to assess any potential impact and determine whether any systems/customer sites may be affected.
We will provide further updates as more information becomes available.
If you have any questions or concerns. You can reach us through the following channels:
Live Chat: https://my.liquidweb.com/
Email: support@liquidweb.com
At this time, our teams are actively reviewing server environments to assess any potential impact and determine whether any systems/customer sites may be affected.
We will provide further updates as more information becomes available.
If you have any questions or concerns. You can reach us through the following channels:
Live Chat: https://my.liquidweb.com/
Email: support@liquidweb.com
This incident affected: CPanel, InterWorx, and Plesk.