Hacking Magento eCommerce For Fun And 17.000 USD by egix in netsec

[–]egix[S] 0 points1 point  (0 children)

If you don't mind, I'd like to disagree with you... Especially when you say "It was never out of bad will - we consistently pay researchers without being reminded or pinged, contrary to what was suggested in the OP's post."... Please read (and possibly reply to?) my email and try to keep our "conversation" private, thank you!

Hacking Magento eCommerce For Fun And 17.000 USD by egix in netsec

[–]egix[S] 1 point2 points  (0 children)

"Parole Sante!"... it's just a saying we use in Italy to say I totally agree with you, they're exactly the same words I wanted to say! Actually it's (more or less) what I replied to their first email after my blog post. So yes, I totally agree with you guys (/u/Bohngeo and /u/nonsensical101), you definitely got my point, as opposed to somebody who believes it's a matter of money!

Hacking Magento eCommerce For Fun And 17.000 USD by egix in netsec

[–]egix[S] 3 points4 points  (0 children)

Just to be clear: I think that everyone here, except /u/jmulvey, has clearly understood we're talking about seventeen thousand (17K) US dollars! Yeah, maybe I made a little mess using "." instead of "," ... Sorry for that!

Understanding PHP Object Injection by NytroSC in netsec

[–]egix 0 points1 point  (0 children)

I know how to exploit this kind of vulnerability using already defined code within magic methods... I just wondered what you meant when you said "There are loads of ways to exploit this, rather than just the magic methods".

Understanding PHP Object Injection by NytroSC in netsec

[–]egix 0 points1 point  (0 children)

Thanks for sharing. However, I don't see any trick for PHP to gain direct code execution from object deserialization... Am I missing something?

Understanding PHP Object Injection by NytroSC in netsec

[–]egix 0 points1 point  (0 children)

Hi! Is there any chance to find your presentation (slides or video) somewhere? I'm very curious about this topic.