P012C
PolyShell Mitigation
Description
A known vulnerability in Magento allows attackers to upload malicious files through the custom options file upload feature. These files are stored in the /media/custom_options/ directory and can potentially be executed directly via the web server, leading to remote code execution. This patch blocks public access to that path at the NGINX level.
Impact
There is no downtime expected from this change. NGINX will be reloaded on all web nodes after the configuration is applied.
Changes
- Drops an NGINX configuration file (00-polyshell-mitigation.conf) into each Magento site's conf.d directory that denies all access to /media/custom_options/.
- Copies the same configuration into the vhost template directory so that any new sites provisioned in the future will also include the mitigation.
- Tests the NGINX configuration and reloads NGINX on all web nodes.
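The three steps above, written out as an added shell script (not the vendor's patch tooling): the site layout (SITES_ROOT/<site>/conf.d) and the template directory are assumptions passed as arguments, while the file name and the blocked path come from this notice.

```shell
#!/bin/sh
# Added example, not the original patch script. Directory layout is an assumption;
# the config file name and the denied path are taken from the notice above.
set -eu

CONF_NAME="00-polyshell-mitigation.conf"

# Emit the NGINX snippet that denies every request under /media/custom_options/.
# "^~" is a prefix match that wins over regex locations, so a later
# "location ~ \.php$" block cannot re-enable PHP execution for this path.
mitigation_conf() {
    cat <<'EOF'
# PolyShell mitigation: custom-option uploads are never served or executed
location ^~ /media/custom_options/ {
    deny all;
}
EOF
}

# Write the snippet into one directory; fails if the file was not created.
write_mitigation() {
    dir="$1"
    mkdir -p "$dir"
    mitigation_conf > "$dir/$CONF_NAME"
    [ -s "$dir/$CONF_NAME" ]
}

# install_mitigation SITES_ROOT TEMPLATE_DIR
#   SITES_ROOT   - parent dir whose children each hold a site's conf.d (assumed layout)
#   TEMPLATE_DIR - vhost template dir used for newly provisioned sites (assumed path)
# Prints the number of existing sites that received the file.
install_mitigation() {
    sites_root="$1"; template_dir="$2"
    count=0
    for site in "$sites_root"/*/; do
        [ -d "$site" ] || continue
        write_mitigation "${site%/}/conf.d"
        count=$((count + 1))
    done
    write_mitigation "$template_dir"
    echo "$count"
}

# Validate the full NGINX configuration, then reload only if it passed.
# Run this on every web node after install_mitigation has placed the files.
apply_nginx() {
    nginx -t && nginx -s reload
}
```

Call `install_mitigation /path/to/sites /path/to/vhost-template` followed by `apply_nginx` on each web node; a failed `nginx -t` leaves the running configuration untouched.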
If You Accept
All public access to /media/custom_options/ will be blocked at the NGINX level, protecting your store from this attack vector. New sites created after the patch will also include the mitigation automatically.
If You Reject
The /media/custom_options/ path will remain publicly accessible, leaving your store vulnerable to potential remote code execution via malicious file uploads.