- Oct 14, 2021
The term "Magento 2 upload hack" typically refers to a critical class of security vulnerabilities where attackers exploit file upload features to gain unauthorized access.
As of April 2026, the most urgent threat is a vulnerability called PolyShell, which allows unauthenticated attackers to upload executable files to almost any Magento or Adobe Commerce store.
Current Major Threat: PolyShell (APSB25-94)
Discovered by Sansec, this vulnerability is currently being exploited in the wild.
How it Works: Attackers use the REST API to upload a "polyglot" file—a file that looks like a valid image to the server but contains hidden PHP code.
The Vector: The attack targets the Cart Item Custom Options feature. When a product allows a "file" upload option, the API accepts base64-encoded data and saves it to pub/media/custom_options/ or customer_address folder.
So you had best follow these steps to protect your Magento 2 website:
1. Configure open_basedir to point at the pub folder rather than the default.
2. Configure the web server to block PHP files from running, and wait for Magento 2.4.9.
nginx
Code:
    # Block PHP execution for anything served from the media folder
    location /pub/media/ {
        # Requests whose URI ends in .php are refused outright
        location ~ \.php$ {
            deny all;
        }
        # Also refuse when the resolved file on disk has a PHP-like extension
        if ($request_filename ~* \.(php|phtml|php5)$ ) {
            return 403;
        }
    }
Apache
Put this in the media folder (.htaccess):
Code:
    # Refuse to serve or execute PHP files stored under media
    <FilesMatch "\.(php|php5|phtml)$">
        # Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied"
        Order Allow,Deny
        Deny from all
    </FilesMatch>
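The web-server rules above stop a stored file from being executed, but they do not tell you whether a polyglot has already landed in the upload folders the post names. The following scanner is an added example, not code from the post or from Magento: it walks pub/media/custom_options/ and the customer_address folder and flags any file that either carries a server-executable extension or contains a PHP open tag anywhere in its bytes, even when the file starts with a valid image header. The folder list, the accepted image magic bytes and the report format are assumptions for illustration.

```python
"""Scan Magento media upload directories for files that carry PHP code.

Added example (not from the forum post or from Magento). The post explains
that the PolyShell vector stores base64-decoded "polyglot" files under
pub/media/custom_options/ and the customer_address folder. This scanner
reports files there that have an executable extension or embed a PHP open
tag, regardless of how valid their image header looks.
"""
import re
import sys
from pathlib import Path
from typing import List, Optional, Tuple

# Extensions the web-server rules in the post block; such a file should never
# exist inside a media folder and is reported outright (assumed list).
EXEC_EXTENSIONS = {".php", ".php5", ".phtml", ".phar"}

# PHP open tags; a polyglot hides one of these behind a valid image header.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)

# Magic bytes of image formats a file upload option normally accepts
# (assumption; extend for the formats your store allows).
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")

# Sub-folders named in the post as the storage location (assumed relative to pub/media).
DEFAULT_SUBDIRS = ("custom_options", "customer_address")


def classify(name: str, data: bytes) -> Optional[str]:
    """Return a reason string if the file looks dangerous, else None."""
    ext = Path(name).suffix.lower()
    if ext in EXEC_EXTENSIONS:
        return f"executable extension {ext}"
    match = PHP_TAG.search(data)
    if match:
        # A valid image header plus a PHP tag is the polyglot shape described in the post.
        kind = "image/PHP polyglot" if data.startswith(IMAGE_MAGIC) else "PHP code"
        return f"{kind}: open tag at byte {match.start()}"
    return None


def scan_media(root: str, subdirs=DEFAULT_SUBDIRS) -> List[Tuple[str, str]]:
    """Walk the upload folders under root and return (relative path, reason) findings."""
    root_path = Path(root)
    findings = []
    for sub in subdirs:
        base = root_path / sub
        if not base.is_dir():
            continue
        for path in sorted(base.rglob("*")):
            if not path.is_file():
                continue
            reason = classify(path.name, path.read_bytes())
            if reason:
                findings.append((str(path.relative_to(root_path)), reason))
    return findings


if __name__ == "__main__":
    # Usage: python scan_media.py /var/www/magento/pub/media
    media_root = sys.argv[1] if len(sys.argv) > 1 else "pub/media"
    for rel, why in scan_media(media_root):
        print(f"{rel}: {why}")
```

Run it from cron against the store's pub/media path and alert on any output; an empty report means neither an executable extension nor a PHP tag was found in the watched folders. Because the check reads file contents rather than trusting the extension or the image header, a renamed or polyglot upload is still reported.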