In short, yes. CE 1.7 is still vulnerable to those specific attacks because no security release has been issued which contains a patch.
In the case of the latter one, a session fixation attack, the change is an upgrade in the security practices which Magento already used to stay in line with current security best-practices. Not something likely to be issued to CE 1.7 if they do issue a patch with the CSRF fixes.
The real question is what exactly were these CSRF vulnerabilities which were fixed? Doubtless a good thing that they did not include specifics in the release notes, thus further jeopardizing all prior releases, but it would be nice to know for the sake of patching old implementations.
UPDATE #1:
Upon reaching out to Magento to find out when they will be issuing patches for the above vulnerabilities, I received the following reply:
Allow me some time to research this further. I'm not sure if there are patches available for those two items, as they are listed in our system as product enhancements and not as bugs. I'll update you when I get more information.
I'll post back further details here as I get them, and will be doing my best to get patches issued since it seems that there are not currently any patches in existence.
UPDATE #2: After back and forth with the support team, I was able to obtain a proper patch for Magento EE 1.12.0.2. No patch was issued for Magento CE 1.7.0.2, and as far as the technician who looked into it internally for me knows, there are no plans to release an official patch for CE 1.7.x instead resolving the issues only in the upcoming CE 1.8 stable release.
As for the EE specific patch file, I cannot post it (or the patch application tool) here directly since it would most undoubtedly be in violation of NDA between Magento and myself personally and the company for which I work. The name of the relevant patch is: "PATCH_SUPEE-1513_EE_1.12.0.2_v1.sh" — If you have the Enterprise Edition or a client using it, you should be able to request this patch from the Magento support team along with a note about the CSRF vulnerabilities which it is supposed to fix.
For CE 1.7.0.2 users, I've taken the liberty of generating a patch file (based on the patch provided by Magento) which includes only the hunks of code which alter Magento CE 1.7.0.2 core code files. In normal fashion, it includes irrelevant bits of added comments and adjusted formatting along with the relevant code changes. Creating this required manually altering the original patch to apply it using the provided patch-applying tool, then using git to generate a patch based on the applied changes.
The patch file which I've created can be downloaded from this gist: https://gist.github.com/davidalger/5938568
To apply the patch, first cd into the root of your Magento installation and run the following command: patch -p1 -i ./Magento_CE_1.7.0.2_v1-CSRF_Patch.diff
The EE specific patch added form key validation checks to Enterprise specific controllers, alterations to enterprise/default and enterprise/iphone template files to include form keys in the forms used for the patched controller actions, and additional Full Page Cache functionality to properly account for passing form keys back and forth on cached pages.
DISCLAIMER: I have NOT TESTED either the EE patch provided by Magento nor the patch I've uploaded to the linked gist. The patch provided in the referenced gist is provided with NO WARRANTY and may or may not fully resolve the vulnerabilities referenced in the CE 1.8 release notes. As an untested patch, there is also no guarantee that it functions in whole or part. I.e. use at your own risk, and take due diligence to test before deploying to a production environment. If you find issues with the patch, let me know and I'll update it.
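As an added illustration of the kind of change these CSRF patches make (example code, not Magento's own code and not from the gist above), here is a frontend controller action that refuses to act on a POST unless the submitted form_key matches the one in the visitor's session. The controller and module names are hypothetical; the `core/session` singleton, `getFormKey()` and the request API are standard Magento 1.x.

```php
<?php
// Added example: form key (CSRF token) validation for a Magento 1.x
// frontend controller action. Class/module names are hypothetical.

class Example_Account_IndexController extends Mage_Core_Controller_Front_Action
{
    /**
     * Constant-time string comparison. hash_equals() needs PHP 5.6,
     * which many CE 1.7 installs predate, so it is done by hand here.
     */
    protected function _formKeyMatches($expected, $provided)
    {
        if (!is_string($expected) || !is_string($provided)
            || strlen($expected) !== strlen($provided)) {
            return false;
        }
        $diff = 0;
        for ($i = 0, $n = strlen($expected); $i < $n; $i++) {
            $diff |= ord($expected[$i]) ^ ord($provided[$i]);
        }
        return $diff === 0;
    }

    /**
     * True only when the request carries the form_key that Magento
     * generated for this session; a request forged from another site
     * cannot know that value.
     */
    protected function _validateRequestFormKey()
    {
        $expected = Mage::getSingleton('core/session')->getFormKey();
        $provided = $this->getRequest()->getParam('form_key');
        return $this->_formKeyMatches($expected, $provided);
    }

    public function savePostAction()
    {
        if (!$this->getRequest()->isPost() || !$this->_validateRequestFormKey()) {
            // Reject the request before any state changes; send the user back.
            Mage::getSingleton('core/session')->addError(
                $this->__('Invalid form key. Please refresh the page and try again.')
            );
            $this->_redirect('*/*/edit');
            return;
        }
        // ... the original save logic runs only once the check has passed
    }
}
```

The matching template change is a hidden field in the form, e.g. `<input type="hidden" name="form_key" value="<?php echo Mage::getSingleton('core/session')->getFormKey() ?>" />`, which is what the patched enterprise/default and enterprise/iphone templates add.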
According to Magento:
Strong Data Encryption, Hashing and Key Management
Strong data encryption based on AES-256 and strong hashing based on SHA-256. Database keys are easily managed and updated.
From my understanding and some quick glances at code:
Community is mainly Mcrypt and Blowfish (ECB Mode) based, as Don pointed out in the comments.
Enterprise uses a custom class for PCI compliance which also uses Mcrypt and Blowfish, but with different ciphers and stronger encryption:
MCRYPT_RIJNDAEL_128, MCRYPT_RIJNDAEL_256, HASH_VERSION_SHA256, etc.
Both using a combination of MD5, salting and hashes.
You can override the encryption model if you wish to use your own (from Mage_Core_Helper_Data):

    /**
     * Returns the configured encryption model, falling back to core/encryption.
     *
     * @return Mage_Core_Model_Encryption
     */
    public function getEncryptor()
    {
        if ($this->_encryptor === null) {
            // Class name from config node global/helpers/core/encryption_model, if set
            $encryptionModel = (string)Mage::getConfig()->getNode(self::XML_PATH_ENCRYPTION_MODEL);
            if ($encryptionModel) {
                $this->_encryptor = new $encryptionModel;
            } else {
                $this->_encryptor = Mage::getModel('core/encryption');
            }
            $this->_encryptor->setHelper($this);
        }
        return $this->_encryptor;
    }
With that said, storing Credit Card data makes you a target and possibly exposes you to future legal issues.
However, I have seen scraping hacks that capture data input before it is encrypted and log it. So simply not storing them doesn't make you immune either. This is proof that other exploits outside of Magento in its stack should always be considered.
As far as encryption strength, that would be a better question for:
Other related documents to read:
Best Answer
If you just cleaned up the code without upgrading to the latest Magento version or applying the latest patches, there is a good chance the same vulnerability used to inject the malware was used again.
Update to the latest version CE 1.9.3.1 or apply all (missing) security patches.
You can check your site with http://magereport.com to find out what's missing.
Furthermore, you might be interested in the answers here: Website infected by virus and Magento hacked even after applied patch