magento worst practice (meet magento poland 2016)

Andreas von Studnitz - @avstudnitz

Andreas von Studnitz

Magento Worst Practice



Magento Worst Practice


Magento since 2008

Developer, Consultant,

Trainer

Co-Founder integer_net

Aachen, Germany


Problems


Small Problems • Bad code quality

• Low performance

• Conflicting modules

• Hard to update

Small Problems


Small Problems

• Outdated Magento version

• Not patched

• Conflicting modules

• Low performance

• Hard to update


Real™ Problems:

Security


17/11/2015


Customer data and passwords

stolen

lib/Varien/Object.php:


Usernames and passwords stolen


Site hacked / encrypted


Top 10

Worst Magento

Practices


Top 10 Worst Magento Practices

#10 Downloadable Code


Protect your .git folder

(if you have any)


Don‘t put your code on GitHub

unprotected!



#9 Downloadable Data


email address, name,

company, password

(hashed), order items

(1264 lines)

Full (outdated)

database dump


But if you don’t know the filename,

these issues cannot be exploited!

http://www.seochat.com/c/a/

google-optimization-help/hiding-

your-sensitive-data-from-google-

and-the-world/

http://securityxploded.com/

bruteforcing-filenames-on-

webservers-using-dirbuster.php

?


Don‘t put your database dumps

on GitHub!


Please!



#8 Unprotected

Executables


Import script;

triggers reindexing

Imports database from file


• Don’t call your scripts from the browser –

use the shell instead

• Put your executables into “shell” instead of

the main directory

• Remove unneeded scripts



#7 Unprotected

Database Credentials


Don‘t remove the protection of

app/etc/local.xml!


Don‘t put your

local.xml on GitHub!



#6 Unsecured Admin


• Don’t use the default admin username /

password

• Don’t use common usernames and

passwords

• Change the admin URL

• Remove the Magento Connect Manager

(“downloader”)



#5 Unsecured Tools


Don‘t leave your management

tools unprotected!

Update your tools!



#4 Patches not applied


Example: Shoplift Bug

(patched February 2015)


50,581

Source: byte.nl, April 2016

Magento shops vulnerable to Shoplift:

(out of 255,558)



#3 Insecure Modules



#2 Database Tools


If you have a DB management tool freely accessible,

at least pre-fill access data!

</irony>



#1


No comment.



#1 Backdoors


That‘s it?

Yes.

For now.

Looking for more examples


Real™ Problems: • Stolen user data

• Stolen payment data

• Server misused by hackers

• Server unavailable

• Server hold to ransom


Security Basics • “Security by Obscurity” doesn’t work

• Keep your stuff up to date

• Stay informed

• For all freely accessible files, double check

if they can be misused

• Don’t trust easily

• Do code reviews!

• Recommendation: www.magereport.com


Thank you!

PHOTO

Please contact me!

@integer_net www.integer-net.com

@avstudnitz [email protected]

magento worst practice (meet magento poland 2016)

Internet