Magento Worst Practice (Meet Magento Poland 2016)

Post on 14-Apr-2017


Transcript of Magento Worst Practice (Meet Magento Poland 2016)

Andreas von Studnitz - @avstudnitz

Andreas von Studnitz

Magento Worst Practice


Andreas von Studnitz

Magento since 2008

Developer, Consultant,

Trainer

Co-Founder integer_net

Aachen, Germany


Problems


Small Problems

• Bad code quality

• Low performance

• Conflicting modules

• Hard to update


Small Problems

• Outdated Magento version

• Not patched

• Conflicting modules

• Low performance

• Hard to update


Real™ Problems:

Security


17/11/2015


Customer data and passwords stolen

lib/Varien/Object.php:


Usernames and passwords stolen


Site hacked / encrypted


Top 10 Worst Magento Practices


Top 10 Worst Magento Practices

#10 Downloadable Code


Protect your .git folder (if you have any)


Don't put your code on GitHub unprotected!


Top 10 Worst Magento Practices

#9 Downloadable Data


email address, name, company, password (hashed), order items (1264 lines)

Full (outdated) database dump


But if you don't know the filename, these issues cannot be exploited!

http://www.seochat.com/c/a/google-optimization-help/hiding-your-sensitive-data-from-google-and-the-world/

http://securityxploded.com/bruteforcing-filenames-on-webservers-using-dirbuster.php

?


Don't put your database dumps on GitHub!


Please!


Top 10 Worst Magento Practices

#8 Unprotected Executables


Import script; triggers reindexing

Imports database from file


• Don’t call your scripts from the browser – use the shell instead

• Put your executables into “shell” instead of the main directory

• Remove unneeded scripts


Top 10 Worst Magento Practices

#7 Unprotected Database Credentials


Don't remove the protection of app/etc/local.xml!


Don't put your local.xml on GitHub!


Top 10 Worst Magento Practices

#6 Unsecured Admin


• Don’t use the default admin username / password

• Don’t use common usernames and passwords

• Change the admin URL

• Remove the Magento Connect Manager (“downloader”)
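Worst practices #10 to #6 all come down to files that are reachable from the web root or to defaults left in place, so they can be checked mechanically on the server before anyone else does. The following POSIX shell function is an added example by the editor, not code from the talk or from Magento's own tooling: it audits a Magento 1.x document root for a .git directory (#10), database dumps (#9), stray PHP executables next to index.php (#8), a missing or weakened app/.htaccess that would expose app/etc/local.xml (#7), the default admin frontName and a leftover downloader/ directory (#6). The list of stock top-level PHP files, the Apache-style .htaccess protection of app/ and the `<frontName>` lookup in local.xml are the editor's assumptions about a standard install.

```shell
#!/bin/sh
# Added example (not from the talk, not Magento's own code): on-server audit of a
# Magento 1.x document root for worst practices #10 to #6.
# Assumptions: stock Magento 1 directory layout; Apache-style app/.htaccess
# protection (on nginx, check the server's location rules instead).
# Usage: audit_magento_root /var/www/magento   (exit 0 = clean, 1 = findings)

audit_magento_root() {
    root="$1"
    findings=0

    # #10 Downloadable code: a .git directory below the web root is served to
    # anyone unless the web server explicitly blocks it.
    if [ -d "$root/.git" ]; then
        echo "FINDING #10: $root/.git lies inside the document root"
        findings=1
    fi

    # #9 Downloadable data: database dumps anywhere under the web root.
    dumps=$(find "$root" -type f \( -name '*.sql' -o -name '*.sql.gz' -o -name '*.dump' \) 2>/dev/null)
    if [ -n "$dumps" ]; then
        printf '%s\n' "$dumps" | sed 's/^/FINDING #9: database dump reachable from the web root: /'
        findings=1
    fi

    # #8 Unprotected executables: PHP files in the top-level directory other than
    # the ones Magento 1 ships there (assumed list). Anything else belongs in
    # shell/ or should be removed.
    for f in "$root"/*.php; do
        [ -e "$f" ] || continue
        case "$(basename "$f")" in
            index.php|cron.php|get.php|api.php|install.php) ;;
            *) echo "FINDING #8: unexpected executable in web root: $(basename "$f")"
               findings=1 ;;
        esac
    done

    # #7 Unprotected database credentials: app/etc/local.xml is only safe while
    # app/.htaccess still denies all web access.
    if [ ! -f "$root/app/.htaccess" ] || ! grep -qi 'deny from all' "$root/app/.htaccess"; then
        echo "FINDING #7: app/.htaccess missing or no longer denies access to app/etc/local.xml"
        findings=1
    fi

    # #6 Unsecured admin: the admin URL should not use the default frontName
    # "admin" (overridden via <frontName> in local.xml), and the Magento Connect
    # Manager (downloader/) should be removed.
    front=$(sed -n 's#.*<frontName>\([^<]*\)</frontName>.*#\1#p' "$root/app/etc/local.xml" 2>/dev/null | head -n 1)
    if [ -z "$front" ] || [ "$front" = "admin" ]; then
        echo "FINDING #6: admin URL still uses the default frontName 'admin'"
        findings=1
    fi
    if [ -d "$root/downloader" ]; then
        echo "FINDING #6: Magento Connect Manager (downloader/) is still installed"
        findings=1
    fi

    return $findings
}
```

Run it from a deploy hook or a cron job and treat a non-zero exit as a blocker. On nginx the #7 and #10 checks have to look at the server's location rules instead, because .htaccess files are ignored there.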


Top 10 Worst Magento Practices

#5 Unsecured Tools


Don't leave your management tools unprotected!

Update your tools!


Top 10 Worst Magento Practices

#4 Patches not applied


Example: Shoplift Bug (patched February 2015)


Magento shops vulnerable to Shoplift: 50,581 (out of 255,558)

Source: byte.nl, April 2016
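For #4 the first question is simply which patches a shop actually has. Magento 1's patch tool appends one line per applied patch to app/etc/applied.patches.list; the shell functions below are an added example by the editor, not from the talk, that read that file and report which required patches are missing. Assumptions: the second pipe-separated field of each line holds the patch name, a later line for the same patch containing REVERTED undoes the earlier application, and SUPEE-5344 is the February 2015 Shoplift patch (the slide names only "Shoplift", not the SUPEE number). The sample list in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the talk): check app/etc/applied.patches.list of a
# Magento 1.x install for required SUPEE patches.
# Assumed line format (one line per patch application, fields separated by "|"):
#   <timestamp> | <patch name> | <edition/version> | <revision> | ... [| REVERTED]
# Usage: check_required_patches /var/www/magento/app/etc/applied.patches.list SUPEE-5344

# Return 0 if the named patch is currently applied according to the list,
# 1 if it was never applied, was reverted later, or the list does not exist.
patch_applied() {
    patch_list="$1"
    patch_id="$2"
    [ -f "$patch_list" ] || return 1
    awk -F'|' -v id="$patch_id" '
        { name = $2; gsub(/^[ \t]+|[ \t]+$/, "", name) }   # trim the patch name field
        name == id && $0 ~ /REVERTED/ { applied = 0; next } # a revert line undoes it
        name == id                    { applied = 1 }
        END { if (applied) exit 0; exit 1 }
    ' "$patch_list"
}

# Print each missing patch name on its own line; return 1 if any is missing.
check_required_patches() {
    req_list="$1"
    shift
    rc=0
    for req_id in "$@"; do
        if ! patch_applied "$req_list" "$req_id"; then
            echo "$req_id"
            rc=1
        fi
    done
    return $rc
}
```

The list only records what the patch tool itself applied, so a shop patched by editing files manually will show up as missing; that is the right default for an audit, because such shops cannot be verified either.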


Top 10 Worst Magento Practices

#3 Insecure Modules


Top 10 Worst Magento Practices

#2 Database Tools


If you have a DB management tool freely accessible,

at least pre-fill access data!

</irony>


Top 10 Worst Magento Practices

#1


No comment.


Top 10 Worst Magento Practices

#1 Backdoors


That's it?

Yes.

For now.

Looking for more examples


Real™ Problems:

• Stolen user data

• Stolen payment data

• Server misused by hackers

• Server unavailable

• Server held to ransom


Security Basics

• “Security by Obscurity” doesn’t work

• Keep your stuff up to date

• Stay informed

• For all freely accessible files, double check if they can be misused

• Don’t trust easily

• Do code reviews!

• Recommendation: www.magereport.com


Thank you!


Please contact me!

@integer_net www.integer-net.com

@avstudnitz avs@integer-net.com