We sacrifice by not doing any other technology, so that you get the best of Magento.

    Security Update for Magento 2.3.1, 2.2.8 and 2.1.17


    Magento, one of the most trusted eCommerce platforms, has faced a number of security problems. That is why Magento releases new versions and security patches at regular intervals, to guard against vulnerabilities as they are discovered.

    To improve product security, performance and functionality, Magento recently released security patches, along with other updates, for the following versions of Magento Commerce and Open Source:

    • Magento Commerce and Open Source 2.3.1
    • Magento Commerce and Open Source 2.2.8
    • Magento Commerce and Open Source 2.1.17
    • Magento Commerce 1.14.4.1
    • Magento Open Source 1.9.4.1
    • SUPEE-11086 to patch earlier Magento 1.x versions

    Several high-severity (CVSSv3) issues affect Magento Open Source prior to 1.9.4.1, Magento Commerce prior to 1.14.4.1, Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8 and Magento 2.3 prior to 2.3.1.

    The latest security update addresses the following high-severity Magento vulnerabilities:

    Issue Type: Remote Code Execution (RCE)

    CVSSv3 | Security bug | Description
    9.8 | Remote code execution through crafted newsletter and email templates | An administrator user with access to the Braintree payment method configuration can trigger remote code execution through PHP object injection.
    9.1 | Remote code execution via email template | An authenticated user can execute arbitrary code via an email template.
    8.5 | Unsafe deserialization of a PHP archive can lead to arbitrary code execution | An authenticated user can execute arbitrary code via a Phar deserialization vulnerability.
    8.5 | Unsafe handling of an API call to a core bundled extension (Magento Shipping) leads to arbitrary code execution | An authenticated user can configure store settings to execute arbitrary code through server-side request forgery.
    8.5 | Remote code execution through PHP archive deserialization (B2B quote file upload settings) | An authenticated user can configure email templates to execute arbitrary code through a PHP archive deserialization vulnerability; the upload settings for B2B quote files are open to remote code execution attacks.

    Issue Type: SQL Injection and Cross-Site Scripting

    CVSSv3 | Security bug | Description
    7.7 | Cross-site scripting and SQL injection vulnerability in the catalog section | An authenticated user can embed malicious code via a stored cross-site scripting or SQL injection vulnerability in the catalog section by changing attribute_code.
    7.2 | SQL injection vulnerability through an authenticated user | An unauthenticated user can execute arbitrary code through an SQL injection vulnerability, which leads to sensitive data leakage.
    6.5 | SQL injection due to inadequate validation of user input | An authenticated user can configure email templates to execute arbitrary SQL queries.

    Issue Type: Cross-Site Scripting

    CVSSv3 | Security bug | Description
    6.5 | Cross-site scripting in the Admin Customer Segments area | An authenticated user can embed malicious code via a stored cross-site scripting or SQL injection vulnerability in the catalog section by changing attribute_code.
    6.3 | Reflected cross-site scripting vulnerability in the Admin via the requisition list ID | An authenticated user can use this cross-site scripting vulnerability to embed malicious code.
    5.8 | Stored cross-site scripting in the admin panel through the Admin Shopping Cart Rules page | An authenticated user can embed arbitrary code in the Conditions tab of the Admin Shopping Cart Rules page.
    5.8 | Cross-site request forgery can delete a product attribute | An attacker can delete a product attribute within the context of an authenticated administrator's session through cross-site request forgery.
    5.7 | Cross-site request forgery vulnerability can lead to deletion of synonym groups | An attacker can delete all synonym groups within the context of an authenticated administrator's session through cross-site request forgery.


    Source: Magento

    To ensure the best security and performance, Magento strongly recommends deploying these new releases right away. Apply and test the patch in a development environment first to confirm it behaves as expected, or consult a professional.

    Ask your Magento certified professional to carry out a security audit on a regular basis (say quarterly); this will improve your store's security, especially if you have installed new extensions or made changes to the site.

    How To Secure Your Server And Platform From Hackers?

    For any Magento developer, platform and server security come first; nearly 50 per cent of the time is spent on them one way or another. In this article we list some effective security steps that will protect your server from hackers.

    Let’s go through the below list one by one and discuss them briefly.

    Before starting these steps, make sure that your platform and server are up to date.

    These steps are focused on Magento 2 stores running on CentOS with WHM/cPanel installed.

    1. Install Armor Anywhere

    Armor Anywhere is backed by a team of 50+ ethical hackers. They monitor dark-web forums for newly found exploits, scan your system to see whether it is vulnerable, inform you accordingly and later patch it.

    2. Read the cPanel documentation on SuPHP: https://documentation.cpanel.net/display/EA/Apache+Module%3A+SuPHP

    3. Install SuPHP

    Log into WHM and enable it in EasyApache, or open a ticket with your hosting provider.

    4. Enable two-factor authentication in WHM

    It requires a 6-digit code from the authenticator app on your device, which keeps your platform safe and locked down.

    5. Disable FTP so that only SFTP connections over the SSH port are possible

    Log into WHM, open Service Manager, search for FTP and un-check both boxes.

    6. Disable password authentication

    SSH access to the server now requires a key, which you can only obtain from WHM after passing two-factor authentication, so the device carrying your authenticator app becomes the only way in. If you lock yourself out, you can undo this by restarting the server from a laptop connected directly to it at the data centre.

    7. Change the SSH port to a random number

    8. Install ClamAV for cPanel

    9. Enable two-factor authentication in cPanel

    Save the server passwords in a password-protected file.

    10. Using 'Host Access Control', restrict WHM, cPanel, SSH and cpdavd to your own IP and your hosting company's IPs.

    11. Disable symlinks (symlink race condition protection)

    https://documentation.cpanel.net/display/EA4/Symlink+Race+Condition+Protection

    12. Disable unused PHP versions (PHP 5.5, 5.6, 7.0 and 7.1)

    13. Enable jailed shell

    14. In WHM, search for Security, open Security Advisor and follow its suggestions, including:

    • Set up ModSecurity

    • Set production files as read-only

    15. Disable SSH login for the root user

    https://mediatemple.net/community/products/dv/204643810/how-do-i-disable-ssh-login-for-the-root-user

    16. Use SSH agent forwarding to SSH from server to server instead of copying your SSH private keys onto servers. On GNU/Linux use ssh-agent or GNOME Keyring with ForwardAgent yes under a trusted Host entry in your .ssh/config file. On Windows, PuTTY's Pageant supports SSH agent forwarding.
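Steps 6, 7 and 15 above all come down to a few sshd_config directives. The script below is an added example, not from the original article or from cPanel: it edits a copy of sshd_config that you pass to it (the port 50022 and the key path are assumed values) and refuses to turn password logins off unless an authorized_keys file with a key is present, which is exactly the lock-out step 6 warns about.

```shell
#!/bin/sh
# Added example (not from the article or cPanel): apply steps 6, 7 and 15
# to a COPY of sshd_config, then review it and run `sshd -t` before you
# install it as /etc/ssh/sshd_config and restart sshd.

# set_directive FILE KEY VALUE: remove every existing line for KEY, active
# or commented out, and append one active line, so exactly one setting for
# KEY remains and nothing later in the file overrides it.
set_directive() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    grep -Ev "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file" > "$tmp" || true
    printf '%s %s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# active_value FILE KEY: print the value of the last active line for KEY.
active_value() {
    grep -E "^[[:space:]]*$2[[:space:]]" "$1" | tail -n 1 | awk '{print $2}'
}

# harden_sshd_config FILE PORT AUTHORIZED_KEYS
# Refuses to run when AUTHORIZED_KEYS is empty: disabling password logins
# with no public key installed is how you lock yourself out of the server.
harden_sshd_config() {
    cfg=$1; port=$2; keys=$3
    case $port in ''|*[!0-9]*) echo "port must be numeric" >&2; return 1;; esac
    if [ ! -s "$keys" ]; then
        echo "refusing: $keys has no public key; install one first" >&2
        return 1
    fi
    set_directive "$cfg" PubkeyAuthentication yes
    set_directive "$cfg" PasswordAuthentication no            # step 6
    set_directive "$cfg" ChallengeResponseAuthentication no   # step 6: no keyboard-interactive fallback
    set_directive "$cfg" PermitRootLogin no                   # step 15
    set_directive "$cfg" Port "$port"                         # step 7
}

# Dry run on a constructed sample config (assumed values, not a real server).
demo() {
    dir=$(mktemp -d)
    printf '#Port 22\nPasswordAuthentication yes\nPermitRootLogin yes\n' > "$dir/sshd_config"
    printf 'ssh-ed25519 AAAA...PLACEHOLDER admin@laptop\n' > "$dir/authorized_keys"
    harden_sshd_config "$dir/sshd_config" 50022 "$dir/authorized_keys" && cat "$dir/sshd_config"
}
demo
```

Remember to open the new port in the firewall and in Host Access Control (step 10) before restarting sshd, or the port change itself will lock you out.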

    17. Install two-factor authentication for the admin

    A number of platforms are compromised through SQL injection that creates an admin user. Once attackers have an admin account, they use the marketplace to download a file-editing program that lets them upload files (malware, viruses, etc.). In Magento 2 you can install two-factor authentication by logging in over SSH and running the command below:

    composer require msp/twofactorauth:3.0.0

    18. Always copy files and the database separately. Do not use a cPanel-to-cPanel account transfer to move your account.

    19. Avoid reusing the same passwords on the new account, and change the database and account passwords as well.

    20. To enable a jailed shell environment for all new and modified users, use the 'Use cPanel® jailshell by default' option in WHM's Tweak Settings interface (WHM >> Home >> Server Configuration >> Tweak Settings).

    21. Always include the suEXEC module when compiling Apache, as it makes CGI applications and scripts run as the user that owns and executes them.

    22. In WHM, go to Security Advisor and make sure you pass all the checks.

    Is Your Magento Admin Panel Secure?

    One of the most essential parts of any Magento store is its admin panel. The admin panel lets you see customers and their orders, add products and change their pricing; in short, you follow, change and perform day-to-day business activity from it.

    A hacker who breaches it can gain valuable information for spam campaigns or change the payment page to capture credit card details for fraud. A breach of the admin area can therefore be painful and expensive, and may even result in large fines that force a website to cease trading.

    For this reason there is password protection, and there is also the option of placing the admin panel at a non-standard URL. But do you think this is enough?

    In some cases search engines know your admin URL, so it can be found with a very simple web search. There are a few reasons this can happen, but ultimately they boil down to the admin URL becoming visible on the frontend and a search engine following the link. Unfortunately the admin area has no "NOINDEX, NOFOLLOW" meta tag, so the page gets indexed.

    “A search engine knows your Magento Admin URL”

    We strongly recommend restricting admin access to a limited set of IP addresses. There are three entry points that can be used to compromise the security of your website; restrict each of them.

    Hackers can get in through the Magento Connect downloader, so change the Connect Manager URL to protect your site; a completely different path will confuse them. You can also restrict access to the /downloader/ location by IP address through the .htaccess file.

    If you don't need users to access the RSS feed, limit this feature, as attackers have recently been seen brute-forcing through RSS feeds. You can create an IP whitelist that redirects requests from all other visitors to the main page.

    Keep tight security on your Magento admin panel. You can even block IP addresses from all other countries; this restriction works well if you know your customers are all in your own country.

    If you value your customers' privacy, which you should, take every measure possible to protect access to this data. Obscuring the admin URL isn't enough. Two-factor authentication modules are available that require your password plus something else to log in (perhaps a Google Authenticator code), and you can lock the admin down so it can only be accessed from specific locations (IP addresses). In Magento Commerce/Enterprise we also recommend reviewing the admin logs periodically to ensure no suspicious login activity is happening.
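The IP restriction described above for /downloader/ (and equally for a custom admin path) can be expressed as an .htaccess file. The script below is an added example, not from the original article: it validates each address before printing anything and emits the allow-list in Apache 2.4 syntax; the addresses 203.0.113.5 and 198.51.100.0/24 are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the article): generate the .htaccess allow-list
# for /downloader/ or a custom admin path. Apache 2.4 syntax, as shipped by
# EasyApache 4. Addresses are validated first: one malformed entry breaks
# the whole .htaccess and takes the path down with a 500 error.

# valid_ipv4 ADDR[/PREFIX]: succeed only for a well-formed IPv4 address or CIDR.
valid_ipv4() {
    addr=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32      # no /prefix given: a single host
    case $prefix in ''|*[!0-9]*) return 1;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# make_allowlist_htaccess ADDR...: print an .htaccess that admits only the
# listed addresses; everyone else gets a 403 rendered from the storefront
# home page. Prints nothing and returns 1 if any address is malformed.
make_allowlist_htaccess() {
    [ $# -gt 0 ] || { echo "no addresses given" >&2; return 1; }
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "invalid address: $ip" >&2; return 1; }
    done
    echo '# generated allow-list: only these addresses may reach this path'
    echo '<RequireAny>'
    for ip in "$@"; do
        echo "    Require ip $ip"
    done
    echo '</RequireAny>'
    echo 'ErrorDocument 403 /'
}

# Constructed addresses (documentation ranges): an office host and a VPN subnet.
# Redirect the output to e.g. public_html/downloader/.htaccess on the server.
make_allowlist_htaccess 203.0.113.5 198.51.100.0/24
```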

    Web Application Firewall: A must-have security control for Your Magento Store!

    Have you ever been hacked? If your business has an online presence, it's time you took preventive measures against information theft and hacks. In an era where technology is advancing and information and online transactions are evolving at a rapid pace, criminal use of the internet is an unavoidable part of the picture. But with the right cyber-security controls for modern web applications, you can keep your online store safe and secure.

    WAF is probably one of the best preventive security controls for all the Magento stores out there. By controlling any type of input/ output, access from, to, or by any application or service, it safeguards your data from any sort of theft or loss. It simply operates by monitoring as well as blocking suspicious requests before they get to your online business.

    E-commerce applications, Magento stores included, are a treasure house of information for hackers, who seek unauthorized access to personal data such as credit card numbers, physical addresses, phone numbers and much more. In today's digital era almost every industry, including the private sector, banks and healthcare, holds more sensitive information than ever, which makes online stores all the more attractive targets.

    Unique ways of stealing information have led to the development of security measures commonly known as a Web Application Firewall (WAF). Website security is very popular right now and it’s time online store owners embrace this security tool to keep their website safe and secure.

    So, what is WAF and how does it help?

    WAF is a software application or a hardware device which takes care of traffic flowing across the networks. It examines the data it receives and accordingly makes decisions about whether to let it continue its journey or not.

    Networks can be divided into layers, each supporting the layer above it. One such model is the OSI model, which splits the network into the physical, data link, network, transport, session, presentation and application layers.

    Next is iptables, a firewall that works at the network layer and is found on most Linux web hosting servers. It blocks inbound and outbound traffic by port and IP address according to the rules supplied by the user. But remember that it cannot recognise attacks against the application layer, including attacks against Magento itself.

    There are many kinds of attacks: cross-site scripting, injection attacks, exploitation of vulnerabilities in the application, HTTP attacks, application-layer protocol attacks, and so on. To an iptables firewall, all of these look like legitimate requests to the application.

    Web Application Firewalls

    Web application firewalls operate at the 7th layer, the application layer. Their main task is to monitor HTTP requests for patterns that match known attacks. If an attacker sends a request containing, say, an SQL injection, the WAF can block it before it reaches the store.

    WAFs can be updated frequently, even in real time, to block emerging threats against the application layer, and this is their major benefit. A WAF also inspects outgoing data for suspicious patterns, such as credit card details being sent to an attacker. In this way a WAF can protect your Magento store even from vulnerabilities that cannot be patched.

    Magento websites can be integrated with a number of web application firewalls as required. With the open-source tool ModSecurity you get application security checks, HTTP traffic logging and web application hardening. Sucuri, a cloud-based WAF, offers an integration extension that protects the Magento store from multiple attacks.

    Takeaway

    The field of web application firewalls advances enormously every day. In this cut-throat competition, when every business lives on the edge, you are in danger if no robust tool secures your online store!

    Designed to provide a high level of protection, modern firewalls filter both known and unknown threats while reducing false alerts, adding an extra layer of security to your website. So what are you waiting for? The technology is here and hackers are certainly going to attack, so take preventive measures beforehand. Get one of the best security tools for your website today!

    5 Tips To Secure Your Magento Site

    You need to secure your store from hackers. Magento is a valuable platform, and therefore a place where cyber-crime can take place. Given that it is an eCommerce platform, it is clear how critical security is for any Magento e-store.

    Magento makes sure to release security patches to keep their client’s websites secure, still, the responsibility of doing everything possible to secure your Magento store lies with you. There are several customizations that you need to do in order to secure your e-store.

    Use Latest Version of Magento:

    Magento is updated at a good pace. The admin panel shows the version of your current installation and tells you if it is outdated. Magento keeps releasing security patches when needed, and it is critical that you install them as soon as they are available, as they are offered precisely to combat the latest security threats. To give 100% security to your e-store, always update Magento to the latest version.

    Add Two-Factor Authentication:

    To reduce attacks, it is best to use two-factor authentication for your Magento site. Extensions are available for this, so you no longer need to worry about password-related Magento security risks.

    The first extension is Rublon, which adds a layer of stealth and grants access only to trusted devices. Another is Extendware, which lets you implement a stronger authentication mechanism by limiting login attempts.

    Choose a Strong Password:

    A password is the key to your Magento store, and weak passwords are likely to be leaked. Be particular when you set a new password: use a mix of upper- and lower-case letters, numbers and special characters like ?, >, etc. Do not use your Magento password anywhere else, and keep it different from the rest of your passwords. Once you have a strong password for your store, do not change it often.

    Prepare an Active Backup Plan:

    Take regular backups, store them in the cloud and also keep an offline copy, so that your website can be restored even after a security breach. It is important to have an active backup plan, such as hourly offsite backups and downloadable backups. If your website gets hacked or crashes, a planned backup lets you continue all your services.

    Manage your Magento Admin Panel:

    It is easy for hackers to reach your admin login page and start guessing passwords. An exposed admin panel also broadens the attack surface, giving attackers one more page to probe for vulnerabilities. So opt for a custom path for the admin panel, add an SSL certificate, and restrict access to the admin panel to your own IPs.

    A safe and secure Magento store is one of the key factors in building and retaining your shoppers' trust in your eStore. If you have additional tips or feedback on the tips above, do write them in the comment section below.

    Should you install the Magento security patch?

    Very few people understand the importance of Magento security patches. Store owners who are not developers and don't have an e-commerce digital agency have to perform regular updates and install security patches themselves, yet many still fall behind on security.

    You might think: if everything is running smoothly, the store is taking orders, new customers are signing up, the system is fast, you are making a profit and nothing is broken, why fix it? In that case you need to think again.

    Magento security is the main concern, and you have to keep the cost in mind as well. The main purpose of an e-commerce store is to generate more and more sales and make money. Along with this you also have to protect your customers' privacy, increase your brand awareness and build a good market reputation.

    When you update to a new version of Magento, the regular critical updates change too. A critical update is one so important that you cannot wait until the next Magento release to fix it; such updates are issued for things like the following:

    • Security flaws in checkout and credit card capture
    • Security vulnerabilities that allow a malicious piece of code to be run remotely
    • Vulnerabilities allowing unauthorized people into the Magento admin
    • Updates to third-party APIs that could make Magento core functions no longer work
    • Vulnerabilities that put customers’ information at risk

    If you have not installed a critical security update on your Magento store for a long time, do it immediately.

    Security updates protect your customers' private information and improve your brand reputation. A malicious person gaining access to your site to grab customer addresses, phone numbers, credit cards and other information could harm your reputation and decrease your sales in the short and long term.

    How to find out whether your site has been compromised

    If your site is not working properly or behaving strangely, you may have a security issue in your Magento store.

    Here are some of the common signs that help determine whether your site has been compromised:

    • Check your list of administrator users for unknown accounts. We have seen vpwq and defaultmanager being used, but any unknown account is suspicious.
    • Check your Magento installation for unknown, recently created files that look suspicious. Compare all files against your code repository or staging server.
    • Check the server access log files for requests to POST /index.php/admin/Cms_Wysiwyg/directive/index/ coming from unknown IP addresses.
    • Run a tool to check for trojans (e.g. chkrootkit).
    • Check for wrong permissions.
    • Check for hidden files.
    • Check for suspicious listening ports (command: netstat -nap | grep LISTEN).
    • Check for port redirections at OS level (sample command: iptables -L -n).
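Three of the checks above (unknown admin accounts, POSTs to the Cms_Wysiwyg directive URL from unknown IPs, and wrong permissions) as runnable shell functions. This is an added example, not from the original article; the log lines, IP addresses and usernames in demo are constructed, and the format of the admin-user export is assumed.

```shell
#!/bin/sh
# Added example (not from the article): checklist items as functions you can
# run over real files. Sample inputs below are constructed.

# suspicious_directive_posts ACCESS_LOG ALLOWLIST_FILE
# Print "IP count" for every client that POSTed to the Cms_Wysiwyg directive
# URL and is not listed in ALLOWLIST_FILE (one IP per line). Assumes the
# combined log format: $1 is the client IP, $6 the quoted method, $7 the path.
suspicious_directive_posts() {
    awk -v allow="$2" '
        BEGIN { while ((getline line < allow) > 0) ok[line] = 1 }
        $6 == "\"POST" && index($7, "/index.php/admin/Cms_Wysiwyg/directive/index/") == 1 && !($1 in ok) { hits[$1]++ }
        END { for (ip in hits) print ip, hits[ip] }' "$1" | sort
}

# unknown_admins KNOWN_FILE CURRENT_FILE
# Print usernames present in CURRENT_FILE but missing from KNOWN_FILE (one per
# line). CURRENT_FILE is assumed to be an export of usernames from admin_user.
unknown_admins() {
    grep -vxFf "$1" "$2" || true
}

# world_writable_files DIR: files under DIR that anyone on the box may modify,
# one of the "wrong permissions" the checklist refers to.
world_writable_files() {
    find "$1" -type f -perm -0002 | sort
}

demo() {
    dir=$(mktemp -d)
    # Constructed log lines; 192.0.2.10 stands for the store's own office IP.
    cat > "$dir/access.log" <<'EOF'
192.0.2.10 - - [01/Apr/2019:09:00:01 +0000] "POST /index.php/admin/Cms_Wysiwyg/directive/index/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Apr/2019:09:05:12 +0000] "POST /index.php/admin/Cms_Wysiwyg/directive/index/ HTTP/1.1" 200 512 "-" "python-requests/2.21"
203.0.113.9 - - [01/Apr/2019:09:05:13 +0000] "POST /index.php/admin/Cms_Wysiwyg/directive/index/?x=1 HTTP/1.1" 200 512 "-" "python-requests/2.21"
198.51.100.23 - - [01/Apr/2019:09:07:44 +0000] "GET /index.php/admin/Cms_Wysiwyg/directive/index/ HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Apr/2019:09:07:45 +0000] "POST /index.php/admin/Cms_Wysiwyg/directive/index/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF
    printf '192.0.2.10\n' > "$dir/allow.txt"
    printf 'admin\nshopmanager\n' > "$dir/known_admins.txt"
    printf 'admin\nvpwq\nshopmanager\n' > "$dir/current_admins.txt"
    echo "POSTs to the directive URL from non-allow-listed IPs:"
    suspicious_directive_posts "$dir/access.log" "$dir/allow.txt"
    echo "admin accounts not in the known list:"
    unknown_admins "$dir/known_admins.txt" "$dir/current_admins.txt"
}
demo
```

Run world_writable_files against the Magento document root; on a healthy install it should print nothing.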

    If you are experiencing any of the issues above, get in touch with Magento experts, as your customers' private information, your store's functionality and its reputation could be on the line.

    Magento security patches are a major concern, so fix even a small issue as soon as possible. Do share your views and experiences in the comment section below.