Magento PHP handler vulnerability - SUPEE-1533

A potential exploit has been identified which would allow a user with a Magento backend login to run arbitrary PHP code on the server. A description of this vulnerability can be found here:
http://www.magentocommerce.com/knowledge-base/entry/security-add-handler


How does the exploit work?

The attacker needs a working Magento admin login, so this vulnerability can only be exploited by trusted users who have been given a Magento backend login. The assumption is also that this user does not have file access (SSH, FTP, etc.): a user with FTP or SSH access could simply upload arbitrary code directly, rather than going through the Magento backend as described in the vulnerability.

To exploit this vulnerability, the user would upload a CSV file that actually contains PHP code through the Magento backend. Because some servers treat files named in the form filename.php.csv as PHP files, the uploaded file could then be executed on the server.


Am I at risk?

Because of the way PHP runs on shared servers, this vulnerability should not be exploitable on any M.D.G. IT shared server - the server should not interpret a file with a .csv suffix as PHP code, even if the filename is [name].php.csv.

Most M.D.G. IT VPS servers will interpret files named [filename].php.csv as PHP. We are progressively rolling out configuration changes which will modify this behaviour.
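The following Apache configuration fragment is an added example, not part of the original article and not M.D.G. IT's own configuration. It shows the weak handler directive that causes a double-extension filename such as report.php.csv to be executed, beside a corrected form that only hands files whose final extension is .php to the interpreter. It assumes a mod_php setup using the handler name application/x-httpd-php; PHP-FPM and other setups use different handler names, so adapt accordingly.

```apache
# Weak: AddHandler matches the extension anywhere in the filename, because
# Apache treats every dot-separated suffix as an extension. An uploaded
# "report.php.csv" therefore carries the .php extension and is handed to
# the PHP interpreter. (Assumes mod_php with this handler name.)
AddHandler application/x-httpd-php .php

# Corrected: the anchored regex only matches when .php is the last extension,
# so "report.php.csv" is served as an ordinary file and never executed.
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>
```

After making the change and restarting Apache, a quick check is to place a harmless file named in the double-extension form (for example one that only echoes a marker string) in a web-accessible directory, request it, and confirm the server returns the file contents rather than the marker; remove the test file afterwards.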


What should I do?

Because this vulnerability requires a working Magento backend login, only users who have access to the Magento backend can exploit it. A logical precaution is to revoke Magento admin access from any untrusted user.

We recommend that customers have their developers apply the patch specific to their version of Magento, available from the link above.
