magento worst practice (meet magento poland 2016)
Andreas von Studnitz - @avstudnitz
Andreas von Studnitz
Magento Worst Practice
Andreas von Studnitz
Magento since 2008
Developer, Consultant,
Trainer
Co-Founder integer_net
Aachen, Germany
Problems
Small Problems
• Bad code quality
• Low performance
• Conflicting modules
• Hard to update
Small Problems
• Outdated Magento version
• Not patched
• Conflicting modules
• Low performance
• Hard to update
Real™ Problems: Security
17/11/2015
Customer data and passwords stolen
lib/Varien/Object.php:
Usernames and passwords stolen
Site hacked / encrypted
Top 10 Worst Magento Practices
Top 10 Worst Magento Practices
#10 Downloadable Code
Protect your .git folder (if you have any)
Don't put your code on GitHub unprotected!
Top 10 Worst Magento Practices
#9 Downloadable Data
email address, name, company, password (hashed), order items (1264 lines)
Full (outdated) database dump
But if you don't know the filename, these issues cannot be exploited!
http://www.seochat.com/c/a/google-optimization-help/hiding-your-sensitive-data-from-google-and-the-world/
http://securityxploded.com/bruteforcing-filenames-on-webservers-using-dirbuster.php
?
Don't put your database dumps on GitHub!
Please!
Top 10 Worst Magento Practices
#8 Unprotected Executables
Import script; triggers reindexing
Imports database from file
• Don't call your scripts from the browser; use the shell instead
• Put your executables into "shell" instead of the main directory
• Remove unneeded scripts
Top 10 Worst Magento Practices
#7 Unprotected Database Credentials
Don't remove the protection of app/etc/local.xml!
Don't put your local.xml on GitHub!
Top 10 Worst Magento Practices
#6 Unsecured Admin
• Don't use the default admin username / password
• Don't use common usernames and passwords
• Change the admin URL
• Remove the Magento Connect Manager ("downloader")
Top 10 Worst Magento Practices
#5 Unsecured Tools
Don't leave your management tools unprotected!
Update your tools!
Top 10 Worst Magento Practices
#4 Patches not applied
Example: Shoplift Bug (patched February 2015)
Magento shops vulnerable to Shoplift: 50,581 (out of 255,558)
Source: byte.nl, April 2016
Top 10 Worst Magento Practices
#3 Insecure Modules
Top 10 Worst Magento Practices
#2 Database Tools
If you have a DB management tool freely accessible, at least pre-fill access data!
</irony>
Top 10 Worst Magento Practices
#1
No comment.
Top 10 Worst Magento Practices
#1 Backdoors
That's it?
Yes.
For now.
Looking for more examples
Real™ Problems:
• Stolen user data
• Stolen payment data
• Server misused by hackers
• Server unavailable
• Server held to ransom
Security Basics
• "Security by Obscurity" doesn't work
• Keep your stuff up to date
• Stay informed
• For all freely accessible files, double check if they can be misused
• Don't trust easily
• Do code reviews!
• Recommendation: www.magereport.com
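The "double check all freely accessible files" basic, applied to practices #10 to #6 above as a local audit of a Magento 1 document root. This is an added example, not code from the talk; it is run on the server itself (not against a URL), the directory argument and the list of Magento's own root entry points are assumptions, and the finding count is returned as the exit status.

```shell
#!/bin/sh
# Local audit of a Magento 1 docroot for the downloadable-code/-data, unprotected
# executables, exposed local.xml and leftover downloader issues named in the talk.
# Usage: audit_docroot /var/www/magento   (exit status = number of findings, max 255)
audit_docroot() {
    docroot="$1"
    findings=0
    # #10: a checked-out .git directory below the webroot is downloadable unless blocked
    if [ -d "$docroot/.git" ]; then
        echo "FINDING: $docroot/.git is inside the document root"
        findings=$((findings + 1))
    fi
    # #9: database dumps and archives left where the web server can serve them
    # (word-splitting on $(find ...) assumes paths without whitespace)
    for f in $(find "$docroot" -maxdepth 2 -type f \
            \( -name '*.sql' -o -name '*.sql.gz' -o -name '*.tar.gz' -o -name '*.zip' \) 2>/dev/null); do
        echo "FINDING: dump or archive $f is web-accessible"
        findings=$((findings + 1))
    done
    # #8: standalone PHP scripts in the docroot other than Magento's own entry points
    for f in "$docroot"/*.php; do
        [ -e "$f" ] || continue
        case "$(basename "$f")" in
            index.php|api.php|cron.php|get.php|install.php) ;;   # assumed Magento 1 entry points
            *) echo "FINDING: executable $f in document root (move it to shell/ or remove it)"
               findings=$((findings + 1)) ;;
        esac
    done
    # #7: app/etc must keep its deny-all .htaccess so local.xml is never served
    if [ -f "$docroot/app/etc/local.xml" ] && \
       ! grep -qi 'deny from all' "$docroot/app/etc/.htaccess" 2>/dev/null; then
        echo "FINDING: app/etc/local.xml present but app/etc/.htaccess protection is missing"
        findings=$((findings + 1))
    fi
    # #6: Magento Connect Manager still deployed
    if [ -d "$docroot/downloader" ]; then
        echo "FINDING: downloader/ (Magento Connect Manager) is still present"
        findings=$((findings + 1))
    fi
    return "$findings"
}
```

The .htaccess check only covers Apache; on nginx the equivalent deny rule lives in the server config, so adapt that branch accordingly.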
Thank you!
Please contact me!
@integer_net www.integer-net.com
@avstudnitz [email protected]