In this release we expand on the configuration changes we made in yesterday’s release, which addressed a number of the PHP Object Injection vulnerabilities in third-party Magento 1 extensions. Today’s change contains extra filters for probes we’ve seen that use a URI-encoded version of the payload and for probes that carry the payload in the POST body. Keep in mind that what we filter on the server side is not completely generic and mostly serves to block the low-hanging fruit. It is likely possible to craft alternative payloads that bypass our WAF. For that reason it is still important to patch, disable or update any vulnerable modules in your shop.
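To hunt for the same probes in your own request logs, the following added example (not the WAF rules shipped in this release) percent-decodes the query string and POST body before matching the header that PHP's `serialize()` writes for objects. The regular expression, the decode-round limit, the parameter names and the benign `stdClass` samples are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Header written by PHP serialize() for objects:
#   O:<class name length>:"<class name>":<property count>:{
# "C:" is the equivalent header for classes implementing Serializable.
SERIALIZED_OBJECT = re.compile(r'[OC]:\d+:"[A-Za-z_\\][A-Za-z0-9_\\]*":\d+:\{')

MAX_DECODE_ROUNDS = 3  # assumption: enough to undo double or triple encoding


def normalize(value: str) -> str:
    """Percent-decode repeatedly until the value stops changing."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_object_injection(query_string: str, body: str = "") -> list[str]:
    """Return which request parts ("query", "body") carry a serialized object."""
    hits = []
    for name, raw in (("query", query_string), ("body", body)):
        if SERIALIZED_OBJECT.search(normalize(raw)):
            hits.append(name)
    return hits


# Constructed sample requests; parameter names are hypothetical.
SAMPLES = [
    ("plain query", 'filter=O:8:"stdClass":0:{}', ""),
    ("URI-encoded query", "filter=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D", ""),
    ("double-encoded query",
     "filter=O%253A8%253A%2522stdClass%2522%253A0%253A%257B%257D", ""),
    ("POST body", "", "data=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D&form_key=abc"),
    ("normal traffic", "q=shoes&p=2", "qty=1&product=42"),
]

if __name__ == "__main__":
    for label, query, body in SAMPLES:
        print(f"{label:22} -> {find_object_injection(query, body) or 'clean'}")
```

Like the server-side filter, this is a pattern match on one encoding family and is not a substitute for patching the vulnerable modules.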
Release 5852: Additional PHP Object Injection WAF rules