Security

Web related security articles and information
  • Issues with EE 1.14.3 / CE 1.9.3 and Malware Cleanup Recommendations

    This email provides updates on remediating sites impacted by the recent malware attacks and issues with newly-released Enterprise Edition 1.14.3 and Community Edition 1.9.3 software.

    Malware Remediation
    New malware strains impacting Magento sites have recently emerged. On Monday, we shared recommendations for identifying impacted sites and protecting your clients from future attacks. Today, we are posting another article on how to remediate a site that has been compromised by malware. You can find the article in the Security Center at https://magento.com/security/best-practices/remediating-your-site-after-malware-attack. Please review it with your team and share it with your clients.

    Issues with Enterprise Edition 1.14.3 and Community Edition 1.9.3
    Several issues with our most recent Magento 1.x release have been reported. Some affect functionality critical to store operations and we are working on a new release (Enterprise Edition 1.14.3.1/Community Edition 1.9.3.1) that is tentatively scheduled for the end of next week. Magento is aware of the following issues:

    • Search results return all store products
    • Some integrations using Magento APIs no longer work
    • Bundled product prices do not update
    • Store-specific attribute labels disappear
    • Auto generated passwords do not work for some customers
    • Exceptions appear for stores with disabled breadcrumbs
    • Free shipping sales rules are not calculated correctly
    • PHP warnings occur with the session timestamp variable

    We recommend that merchants wait to upgrade to Community Edition 1.9.3 and Enterprise Edition 1.14.3, and instead apply the latest security patch, SUPEE-8788, which does not have these issues.

    If merchants have already upgraded, are experiencing issues, and cannot wait for the new release, the Magento community has created a module that resolves the issues outlined above. It can be found at https://github.com/digitalpianism/bugfixes. Magento has not tested this module. If you and your clients decide to use it, we recommend you remove the community module and upgrade to Enterprise Edition 1.14.3.1 or Community Edition 1.9.3.1 as soon as they are available.


    Thank you,
    Wagento Team

  • New SUPEE-8788 v3 Patch Available for Enterprise Edition 1.13.0.x

    Security Announcement


    An updated SUPEE-8788 v3 patch for Enterprise Edition 1.13.0.x is now available in the “Security Patches – October 2016” folder in MyAccount. It addresses missing files that prevented many Enterprise Edition 1.13.0.x merchants from successfully deploying the SUPEE-8788 patch.

    If your merchant was unable to apply the SUPEE-8788 patch, they should deploy the version 3 patch. If they already successfully applied the version 2 patch, there is no need to do anything.

    To install the new patch:

    • Revert SUPEE-1533 if it has already been installed.
    • Deploy SUPEE-3941 if it hasn’t already been installed.
    • Install the new SUPEE-8788 v3 patch. This patch includes SUPEE-1533, so there is no need to worry about re-installing it.

    You can find SUPEE-1533 in the “Security Patches – October 2014” folder and SUPEE-3941 in the “Security Patches – August 2014” folder in MyAccount. More detailed installation instructions are available in DevDocs.

    Thank you,
    Team Wagento

  • Steps You Can Take to Boost Security

    Malware attacks targeting ecommerce sites are on the rise and it has never been more critical for merchants to follow security best practices. In most malware cases we’ve analyzed, attackers are not developing new ways to penetrate Magento sites. Instead, they are taking advantage of existing, unpatched vulnerabilities, poor passwords, and weak ownership and permission settings in the file system.

    To ensure the highest level of security, here are actions you and your clients should take:


    • Set up strong passwords and change them at least every 90 days, as recommended by the PCI Data Security Standard in section 8.2.4. You can check the password lifetime setting in the following locations:
      • Magento 2.x: Stores > Configuration > Advanced > Admin > Security > Password Lifetime set to 90 days (default setting)
      • Magento 1.x: System > Configuration > Advanced > Admin > Security > Password Lifetime set to 90 days (default setting)
    • Keep systems up-to-date and install all security patches and updates immediately.
    • Stay informed of new patches by subscribing to Magento security alerts at https://magento.com/security/sign-up.
    • Scan stores monthly on MageReport.com to detect malware and to identify any security patches that may not have been deployed. MageReport.com is a highly-regarded service that is available at no charge.
    • Each month, review all Admin user accounts and remove any that are not recognized, or are no longer valid or active.
    • Verify that the system file permissions are set according to Magento 1 and Magento 2 file permission guidance. Misconfigured permissions may allow attackers to modify Magento code files and inject vulnerabilities into your client’s environment.
    • Check systems for unauthorized programs. For example, check for processes that perform key logging functions and unnecessary processes that are not required for Magento system operation.
    • Make sure your clients put other Magento Security Best Practices in place.

    If you discover that a client’s site has been attacked, immediately clean the site of all malicious code, install any missing patches, and update all Admin passwords. If you think that you have found a specific vulnerability in Magento and can provide more technical details, please report it to security@magento.com.

    Thank you!

  • SECURITY ANNOUNCEMENT UPDATE

    Earlier this week you may have been contacted by your Account Manager, Product Owner or Business Owner about the latest Magento security patch, released on Tuesday 10/11/2016. Magento security patch SUPEE-8788 was found to have issues with Magento EE 1.13 and earlier versions. Here is the press release for that issue:

    We’d like to make you aware of an issue with our recent security release. The SUPEE-8788 patch for Enterprise Edition 1.13 and earlier versions fails if a store has previously applied SUPEE-1533 or SUPEE-3941 security patches. We are working to correct this issue and will provide new patches in one to three days in the “Security Patches – October 2016” folder in MyAccount. Until then, we are removing these versions of the SUPEE-8788 patch from distribution.

    PATCH UPDATE - PLEASE READ


    Updated versions of the SUPEE-8788 patch for Enterprise Edition and Community Edition are now available. The Enterprise Edition patch is in the “Security Patches – October 2016” folder in MyAccount. The Community Edition patch is available in the Release Archive of the Community Edition Download Page.

    The new patch addresses two issues:

    • Removes compatibility issues with SUPEE-1533 and SUPEE-3941 security patches experienced by merchants using Enterprise Edition 1.13 and earlier and Community Edition 1.8 and earlier releases.
    • Resolves issues with some 3rd party payment methods during checkout.

    Installation process:

    • Revert SUPEE-8788 if you have already installed it.
    • Revert SUPEE-1533 if you have already installed it.
    • Deploy SUPEE-3941 if it hasn’t already been installed.
    • Install the new SUPEE-8788 v2 patch. This patch includes SUPEE-1533, so you don’t need to worry about re-installing it.

    You can find SUPEE-1533 in the “Security Patches – October 2014” folder and SUPEE-3941 in the “Security Patches – August 2014” folder in MyAccount and in the Release Archive of the Community Edition Download Page.
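    The two installation sequences above (SUPEE-8788 v3 for Enterprise Edition 1.13.0.x, and v2 here) differ only in which SUPEE-8788 build is already on the store. The script below is an added example, not Magento's or Wagento's own tooling: it derives the ordered steps from the store's patch history and wraps each step. It assumes that Magento 1 patch scripts record each application in app/etc/applied.patches.list with the patch name as the second and the patch version (v1, v2, ...) as the fourth “|”-separated field, add a line containing “REVERTED” when a patch is rolled back, and revert when invoked with “-R”; the patch file names shown in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not Magento's or Wagento's code): plan and run the SUPEE-8788
# v2/v3 installation order from the announcements above.
# Assumed applied.patches.list format: name in field 2, patch version in
# field 4, a later line containing "REVERTED" when a patch was rolled back.

# Print "NAME VERSION" for every patch still applied according to the list.
applied_patches() {               # $1 = path to applied.patches.list
    [ -f "$1" ] || return 0
    awk -F'|' '
        NF >= 4 {
            name = $2; ver = $4
            gsub(/^[ \t]+|[ \t]+$/, "", name); gsub(/^[ \t]+|[ \t]+$/, "", ver)
            if ($0 ~ /REVERTED/) delete state[name]; else state[name] = ver
        }
        END { for (n in state) print n, state[n] }
    ' "$1" | sort
}

applied_version() {               # $1 = list file, $2 = patch name
    applied_patches "$1" | awk -v n="$2" '$1 == n { print $2 }'
}

# Emit the ordered steps, one per line, without touching the store.
# $1 = list file, $2 = SUPEE-8788 build to install (v2, or v3 for EE 1.13.0.x).
# v1 is the withdrawn build; a store already on v2 or later needs nothing.
plan_supee8788() {
    list="$1"; target="${2:-v2}"
    cur=$(applied_version "$list" SUPEE-8788)
    if [ -n "$cur" ] && [ "${cur#v}" -ge 2 ]; then
        echo "nothing: SUPEE-8788 $cur already applied"
        return 0
    fi
    [ -n "$cur" ] && echo "revert SUPEE-8788 $cur"
    [ -n "$(applied_version "$list" SUPEE-1533)" ] && echo "revert SUPEE-1533"
    [ -n "$(applied_version "$list" SUPEE-3941)" ] || echo "apply SUPEE-3941"
    echo "apply SUPEE-8788 $target"
    return 0
}

# Carry out one step. $1 = apply|revert, $2 = path to the patch .sh script.
# Assumes the official patch scripts revert when run with "-R"; a non-zero
# exit stops the operator before the next step is attempted.
run_step() {
    case "$1" in
        apply)  sh "$2" ;;
        revert) sh "$2" -R ;;
        *)      echo "unknown step: $1" >&2; return 2 ;;
    esac
}

# Usage from the Magento root (file names below are PLACEHOLDERS; use the
# scripts downloaded from MyAccount or the Release Archive):
#   plan_supee8788 app/etc/applied.patches.list v3
#   run_step revert PATCH_SUPEE-8788_EE_1.13.0.2_v1-PLACEHOLDER.sh
#   run_step revert PATCH_SUPEE-1533_EE_1.13.x_v1-PLACEHOLDER.sh
#   run_step apply  PATCH_SUPEE-3941_EE_1.13.x_v1-PLACEHOLDER.sh
#   run_step apply  PATCH_SUPEE-8788_EE_1.13.0.2_v3-PLACEHOLDER.sh
```

Run the plan step first and compare its output against the bullet list in the announcement before executing anything; the plan is read-only.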

  • Upcoming Magento 1.x and 2.x Releases Provide Critical Security and Functional Updates

    Get Ready to Assist Clients


    To help you better serve your clients, we are providing a preview of important Magento releases scheduled for Tuesday, October 11, 2016. This information should be kept confidential and should not be shared or discussed publicly until the release date.

    ENTERPRISE EDITION 1.14.3, COMMUNITY EDITION 1.9.3, AND SUPEE-8788
    Enterprise Edition 1.14.3 and Community Edition 1.9.3 deliver over 120 quality improvements, as well as support for PHP 5.6. They also resolve critical security issues, including:

    • Remote code execution vulnerabilities with certain payment methods
    • Possibility of SQL injections due to Zend Framework library vulnerabilities
    • Cross site scripting (XSS) risks with the Enterprise Edition private sale invitation feature
    • Improper session invalidation when an Admin user logs out
    • The ability for unauthorized users to back up Magento files or databases

    The SUPEE-8788 patch addresses these security issues in earlier Magento versions. Functional update details and installation instructions will be available Tuesday in the Enterprise Edition and Community Edition release notes; a full list of security updates will also be published Tuesday in the Magento Security Center.

    ENTERPRISE EDITION AND COMMUNITY EDITION 2.0.10 AND 2.1.2
    Updates to Magento 2 software address the same critical security issues described above. Additionally, the releases make several functional improvements and API enhancements. New API methods allow 3rd party solutions, such as shipping or ERP applications, to use APIs to transition an order state when they create an invoice or shipment. Magento 2.1.2 now also includes PHP 7.0.4 support and Magento 2.0.10 and 2.1.2 are compatible with MySQL 5.7. A summary of improvements will be available in the release notes on Tuesday; all security updates will also be listed Tuesday in the Security Center.

    We strongly encourage you to work with your clients to implement these releases immediately, as attackers may target merchants who are slow to patch these issues. Updates should be installed and tested in a development environment before being put into production. Also, please use this occasion to do a security assessment of your clients’ systems in accordance with our Security Best Practices.

    Thank you for your continued cooperation and support.

  • Security Announcement - New SQL Injection Vulnerability

    Third-Party Themes and Extensions Are at Risk

    We recently learned that an SQL injection vulnerability has been found in several third-party themes and extensions. Extensions with the vulnerability include:

    • EM (Extreme Magento) Ajaxcart
    • EM (Extreme Magento) Quickshop
    • MD Quickview
    • SmartWave QuickView

    These extensions are used in several different themes, including Porto, Trego, and Kallyas from SmartWave. Other SmartWave themes may also be at risk. Vulnerable EM modules are used in some EM themes. The core Magento application is not impacted in any way by this vulnerability.

    We’ve received reports that the SQL injection vulnerability is potentially being exploited. If you currently use these extensions or themes, you should immediately contact the company from which you purchased the extensions or themes to request updated code. We understand that Themeforest, part of Envato Market, has already removed the vulnerability from the Porto theme, but the status of other themes and extensions is unknown.

    It is also important for you to evaluate all your Magento administrator accounts to make sure there are no unknown users and to reset all your administrator passwords. Please review the Magento Security Best Practices for more information on how to secure your site and use magereport.com to scan your site for missing patches or known issues.

    This update is part of our ongoing commitment to advise our merchants on security issues as we become aware of them. We thank you for your attention to this matter.

    Thank you.

  • Magento Product and Security Updates

    Today Magento will distribute new releases and patches to improve the security and functionality of Magento sites. While there are no confirmed attacks related to the security issues, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions. The security issues vary across products and all versions of Magento are affected. Full articles detailing Magento 1.x and Magento 2.x issues will be added to the Magento Security Center when the code is released. Additionally, the Magento 2.0.1 releases will include several important functional updates. More information on these updates will be posted in Community and Enterprise Edition release notes Wednesday. We strongly encourage you to help clients implement one of the following patches or upgrades:

    • Enterprise Edition 1.9.0.0-1.14.2.2: SUPEE-7405 or upgrade to Enterprise Edition 1.14.2.3
    • Community Edition 1.5.0.0-1.9.2.2: SUPEE-7405 or upgrade to Community Edition 1.9.2.3
    • Enterprise Edition 2.0.0: Upgrade to Enterprise Edition 2.0.1
    • Community Edition 2.0.0: Upgrade to Community Edition 2.0.1

    DOWNLOADING THE UPDATES

    To download a patch or release, choose from the following options:

    Partners:

    • Enterprise Edition 1.14.2.3: Partner Portal > Magento Enterprise Edition > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x Release > Version 1.14.2.3
    • SUPEE-7405: Partner Portal > Magento Enterprise Edition > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x Release > Support and Security Patches > Security Patches – January 2016
    • Enterprise Edition 2.0.1 (New Installations): Partner Portal > Magento Enterprise Edition > Magento Enterprise Edition 2.X > Magento Enterprise Edition 2.x Release > Version 2.0.1
    • Enterprise Edition 2.0.1 (Upgrade an Existing Installation): http://devdocs.magento.com/guides/v2.0/comp-mgr/bk-compman-upgrade-guide.html

    Enterprise Edition Merchants:

    • Enterprise Edition 1.14.2.3: My Account > Downloads Tab > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x Release > Version 1.14.2.3
    • SUPEE-7405: My Account > Downloads Tab > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x Release > Support Patches / Security Patches > Security Patches – January 2016
    • Enterprise Edition 2.0.1 (New Installations): My Account > Downloads Tab > Magento Enterprise Edition 2.X > Magento Enterprise Edition 2.x Release > Version 2.0.1
    • Enterprise Edition 2.0.1 (Upgrade an Existing Installation): http://devdocs.magento.com/guides/v2.0/comp-mgr/bk-compman-upgrade-guide.html

    MAGENTO 2.0 RESOURCES

    We’d also like to draw your attention to new Magento 2.0 resources that can help you when developing or migrating sites to the new platform.

    • Magento Code Migration Toolkit provides scripts that ease the process of migrating custom Magento 1.x code, layouts and configurations to Magento 2.0 by automating some of the most time-consuming conversion tasks. The toolkit can be customized to fit the needs of a specific project and produces code that follows Magento 2.0 best practices. The Toolkit is available at github.com/magento/code-migration.
    • Code samples demonstrate technologies introduced in Magento 2.0, like interception and service contracts, to help you quickly learn and implement new coding patterns. Code samples are available at https://github.com/magento/magento2-samples.
    • Magento Mobile Application sample can speed up development by showing how to create Apple iOS 8+ apps using Magento 2.0 APIs. The sample app is available to Enterprise Edition customers in My Account > Downloads > Magento Enterprise Edition 2.X > Magento Mobile > Mobile Sample Application for Magento 2.x.

    Update: Security Patches have been released

    The Magento security releases and patches are now available.

    • Addressed recent USPS changes in all new releases and in a new patch (SUPEE-7616) for Enterprise and Community Editions.
    • Added official support for PHP 7.0.2 for Magento 2.0.1, enabling merchants to benefit from dramatic performance improvements, drastically reduced memory consumption, and brand-new PHP language features.

    The USPS patch (SUPEE-7616) is available in the following locations:

    Partners

    Partner Portal > Downloads Tab > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x Release > Support Patches / Security Patches > USPS API – January 2016

    Enterprise Edition Users

    My Account > Downloads Tab > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x Release > Support Patches / Security Patches > USPS API – January 2016

    Community Edition Users

    Community Edition Download Page > Release Archive Tab > Magento Community Edition Patches - 1.x Section

    As a reminder, more information about these releases is posted online:

  • Holiday eCommerce Prep Tips and Tricks

    Black Friday and Cyber Monday are impending, along with some major holidays soon after! We’ve compiled a list of tips and tricks for your eCommerce business.

    1 - Are you making good use of your site's space for promos?

    • Be sure to update your site’s promotional space. Whether it consists of banners, sliders, etc., don’t let that space fall short for your holiday shoppers!
    • Take into consideration what has worked in the past and spice it up this time around.
    • Be sure to make calls to action, i.e. “Act Now”, and create a sense of urgency, i.e. “For A Limited Time!”
    • Effective use of keywords will help keep you at the top of searches; include these in your site’s banners and promotional spaces for better results.

    2 - Are you making your promotional calendar for products and deals?

    • Make a schedule of what products and/or deals you want to feature on certain days of the week. That way you will never be short of promotions! Once you’ve created a calendar, schedule the promo dates and prices using Magento’s powerful marketing tools.
    • Once the content is built, optimize it before introducing it to your traffic. Build special holiday landing pages that feature promotional products.
    • Segment your list for promotions to target more than one group of customers.

    3 - Do you use promo codes?

    • Be sure your promo codes are scheduled for the right dates.
    • Make sure the codes correlate with the correct deals.
    • And be sure to test them thoroughly. Try to break your codes and find potential loopholes that some people may try to exploit.

    4 - Will you be doing email marketing?

    • Spruce up your lists!
    • If you know what campaigns your contacts respond to, try to segment these contacts into groups and target them with different campaigns.
    • Be sure not to overwhelm your customers with too much campaigning; keep the content relevant and succinct.

    5 - Will you be doing affiliate marketing?

    • Using an affiliate program can improve traffic and sales on your website. It may be too late to gain much traction for the holiday. But if you currently have an affiliate program be sure to roll out those fresh deals for the holidays.

    6 - Will you be offering any special rewards program perks?

    • Reward programs are growing in popularity. They often drive traffic during the Holidays and help increase sales through incentives. There are great rewards programs, and we would recommend Sweettooth for your Magento store.

    7 - Do you have your creative collateral made (images etc) for carousel and banners, etc.?

    • Creative collateral is important during the holidays. As a company becomes busy during the holidays, internal resources are often busy. The more prepared you can be with your creative collateral, the less stressed your team will be during the busy holiday.

    8 - Have you taken the proper security measures?

    • Avoiding data breaches is imperative, especially during the Holidays. With increased traffic comes increased risk. Don’t let your customers be at risk. Take action, work with your hosting company and web developers to ensure your site is enforcing best practice.

    9 - Are you prepared for traffic spikes?

    • Be sure your site can handle the spikes in traffic. These include Black Friday, and Cyber Monday. There are quality hosting companies that can help you prepare for the holiday rush. These include, but are not limited to, Nexcess, iNetU, Tenzing, and Peer1. They offer great services and can help ensure your site is ready for the increased holiday traffic.

  • Why no one should use FTP for team development

    FTP has been the most common way for developers to access a website, but is it the best?

    Wagento uses a process called "Continuous Integration". This allows a group of developers to collaborate on a single project. Wikipedia lists the following advantages:

    • When unit tests fail or a bug emerges, developers might revert the codebase to a bug-free state, without wasting time debugging
    • Developers detect and fix integration problems continuously — avoiding last-minute chaos at release dates, (when everyone tries to check in their slightly incompatible versions).
    • Early warning of broken/incompatible code
    • Early warning of conflicting changes
    • Immediate unit testing of all changes
    • Constant availability of a "current" build for testing, demo, or release purposes
    • Immediate feedback to developers on the quality, functionality, or system-wide impact of code they are writing
    • Frequent code check-in pushes developers to create modular, less complex code
    • Metrics generated from automated testing and CI (such as metrics for code coverage, code complexity, and features complete) focus developers on developing functional, quality code, and help develop momentum in a team

    In more simplistic terms it works like this:

    1. Developers work on their local machines and push updates to the repository.
    2. The work is checked out on the dev site for review. The Q/A team then reviews and approves it for the client to review. If things look good from here, it goes to Staging.
    3. The code is deployed to Staging using DeployHQ, where the client approves the work. Staging is the closest thing to production, so we can see items in near real time.
    4. Once everything is approved on Staging, the code gets deployed to live and checked again. The deployment process offers the ability to roll back if needed.

    In some cases, before a site goes live we may only use one or two places for testing. But once a site is live and in production, the aforementioned procedure is used. Once the site goes live we turn off FTP and do not let anyone modify code on the live site.

    You may ask why? Why do we do this process?

    Scenario #1 (most common): A third-party developer installs a feature on the live site without putting the code into the repository. Wagento deploys a different feature to live and the third-party code is overwritten.

    Scenario #2: A third-party developer installs something on the live site that breaks the live site, then goes to bed. The client calls Wagento to tell them the live site doesn’t work. No one has any idea what was done, and the code is not in the repository, so it cannot be tracked.

    Why do we care about any of this? The repository creates a real-time audit trail of everything that has happened to your website. If there is ever a problem, it can quickly be identified by the last submitted code, and that code can be reverted or corrected. Once someone works outside the system, the deployed code no longer matches the repository, and the integrity of the website is in question.

    Why do we care about the integrity of the code? We have clients who every day are fulfilling 1000-3000 transactions across tens of thousands of products. If we don’t know what the state of the code is and how to resolve problems, then we cannot serve the client to the best of our abilities. In addition to integrity, it can waste everyone’s time trying to figure out what a third party has done.

    Why do we use GIT?
