Magento Worst Practice - integer_net

Page 1: Magento Worst Practice

05.02.2016

Andreas von Studnitz - @avstudnitz - Magento Worst Practice

Page 2: Andreas von Studnitz

Magento since 2008

Developer, Consultant, Trainer

Co-Founder integer_net

Aachen, Germany

Page 3: Problems

Page 5: Small Problems

• Bad code quality

• Low performance

• Conflicting modules

• Hard to update

Page 8: Small Problems

• Outdated Magento version

• Not patched

• Conflicting modules

• Low performance

• Hard to update

Page 10: Real™ Problems:

• Stolen user data (e.g. email addresses, passwords)

• Stolen payment data (credit card data, PayPal)

• Server misused by hackers (e.g. spam, DoS, viruses)

• Server unavailable

• Server held to ransom

Page 17: Real™ Problems: Security

Page 19: 17/11/2015

Page 20: Customer Data and Passwords stolen

lib/Varien/Object.php:

Page 21: Customer and Credit Card Data stolen

Page 22: Usernames and Passwords stolen

Page 23: Site hacked / encrypted

Page 25: Real-Life Hack using Magento admin access only:

1. Gain access to Magento admin user account

2. Login to Magento Connect Manager

3. Install custom module from file

4. Catch credit card data from customers

5. Encrypt data and store to predefined image file

Page 26: What to do?

Page 27: The obvious:

• Keep your Magento updated

• At least apply security patches

• Keep PHP and other server software up to date

• Only use modules which have been reviewed

Page 29: The obvious (2):

• Don’t use the default admin username / password

• Don’t use common usernames and passwords

• Change the admin URL

• Remove the Magento Connect Manager (“downloader”)

Page 30: What NOT to do?

Page 33: email address, name, company, password (hashed), order items (1264 lines)

Page 34: Full (outdated) database dump

Page 35: Import script - triggers reindexing

Page 36: Imports database from file. Password protected!

Page 37: But if you don’t know the filename, these issues cannot be exploited!?

http://www.seochat.com/c/a/google-optimization-help/hiding-your-sensitive-data-from-google-and-the-world/

http://securityxploded.com/bruteforcing-filenames-on-webservers-using-dirbuster.php

Page 39: Don’t remove the protection of app/etc/local.xml!

Page 40: Protect your .git folder (if you have any)

Page 41: Don’t leave your management tools unprotected! Update your tools!

Page 42: Don’t put your code on GitHub unprotected!

Page 43: Don’t include your local.xml!

Page 44: Don’t include your database dumps!

Page 45: Please!

Page 46: That’s it?

No.


Page 51: If you have a DB management tool freely accessible, at least pre-fill access data! </irony>

Page 53: No Comment.

Page 54: That’s it?

Yes.

For now.

Looking for more examples

Page 56: Conclusion

• “Security by Obscurity” doesn’t work

• Keep your stuff up to date

• Stay informed

• For all freely accessible files, double check if they can be misused

• Don’t trust easily

• Do code reviews!

• Recommendation: www.magereport.com
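The hardening points from pages 29 and 39 to 44 (remove the downloader, change the admin URL, keep app/etc/local.xml protected, keep .git and database dumps out of the web root) and the conclusion's "double check freely accessible files", as one audit script run from inside the server. This is an added example, not code from the talk or from Magento. The paths downloader/, app/.htaccess and app/etc/local.xml with its admin/routers/adminhtml/args/frontName node are Magento 1 conventions; the finding codes, the dump-file name patterns, the non-default admin name backend-7f3a and the two constructed sample docroots are this example's own assumptions.

```python
"""Audit a Magento 1 document root for the worst practices in this talk.

Added example, not code from the talk or from Magento. downloader/,
app/.htaccess and app/etc/local.xml (with its admin frontName) are Magento 1
conventions; finding codes, dump patterns and sample docroots are assumptions.
"""
import os
import re
import stat
import tempfile
import xml.etree.ElementTree as ET

# Assumed name patterns for dumps and archives that must never be web-served.
DUMP_PATTERNS = re.compile(r"\.(sql|sql\.gz|sql\.zip|tar\.gz|zip)$", re.IGNORECASE)


def read(path):
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def audit_docroot(docroot):
    """Return sorted (code, detail) findings for a Magento 1 docroot."""
    findings = []
    # "Remove the Magento Connect Manager": with admin credentials alone it
    # installs an arbitrary module from an uploaded file (the real-life hack).
    if os.path.isdir(os.path.join(docroot, "downloader")):
        findings.append(("DOWNLOADER_PRESENT", "downloader/"))
    # "Don't remove the protection of app/etc/local.xml": Magento ships
    # app/.htaccess with "Deny from all" (Apache; nginx needs its own location rule).
    htaccess = os.path.join(docroot, "app", ".htaccess")
    if not os.path.isfile(htaccess) or "deny from all" not in read(htaccess).lower():
        findings.append(("APP_HTACCESS_OPEN", "app/.htaccess"))
    local_xml = os.path.join(docroot, "app", "etc", "local.xml")
    if os.path.isfile(local_xml):
        # local.xml holds the database password in clear text.
        if os.stat(local_xml).st_mode & stat.S_IROTH:
            findings.append(("LOCAL_XML_WORLD_READABLE", "app/etc/local.xml"))
        # "Change the admin URL": the admin frontName is configured here.
        node = ET.parse(local_xml).getroot().find("admin/routers/adminhtml/args/frontName")
        if node is None or (node.text or "").strip() == "admin":
            findings.append(("ADMIN_FRONTNAME_DEFAULT", "admin"))
    # "Protect your .git folder" / "Don't include your local.xml".
    if os.path.isdir(os.path.join(docroot, ".git")):
        findings.append(("GIT_DIR_PRESENT", ".git/"))
        gitignore = os.path.join(docroot, ".gitignore")
        ignored = read(gitignore) if os.path.isfile(gitignore) else ""
        if "app/etc/local.xml" not in ignored:
            findings.append(("LOCAL_XML_NOT_IGNORED", ".gitignore"))
    # "Don't include your database dumps": an unguessed filename is no protection.
    for root, _dirs, files in os.walk(docroot):
        for name in files:
            if DUMP_PATTERNS.search(name):
                rel = os.path.relpath(os.path.join(root, name), docroot)
                findings.append(("DUMP_IN_DOCROOT", rel))
    return sorted(findings)


# Minimal constructed local.xml; only the nodes the audit looks at are present.
LOCAL_XML = """<?xml version="1.0"?>
<config>
    <global><resources><default_setup><connection>
        <password><![CDATA[constructed-example-password]]></password>
    </connection></default_setup></resources></global>
    <admin><routers><adminhtml><args>
        <frontName><![CDATA[{front}]]></frontName>
    </args></adminhtml></routers></admin>
</config>
"""


def build_docroot(worst):
    """Constructed sample docroot; worst=True reproduces the talk's mistakes."""
    root = tempfile.mkdtemp(prefix="magento-example-")
    os.makedirs(os.path.join(root, "app", "etc"))
    files = {
        os.path.join("app", ".htaccess"):
            "Order allow,deny\nAllow from all\n" if worst else "Order deny,allow\nDeny from all\n",
        # "backend-7f3a" is an assumed non-default admin frontName.
        os.path.join("app", "etc", "local.xml"): LOCAL_XML.format(front="admin" if worst else "backend-7f3a"),
    }
    if worst:
        files["shop_backup.sql"] = "-- constructed dump, contains no real data\n"
        os.makedirs(os.path.join(root, "downloader"))
        os.makedirs(os.path.join(root, ".git"))  # history committed, no .gitignore
    for rel, text in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(text)
    os.chmod(os.path.join(root, "app", "etc", "local.xml"), 0o644 if worst else 0o640)
    return root


if __name__ == "__main__":
    for label, worst in (("worst practice", True), ("hardened", False)):
        print(label + ":", audit_docroot(build_docroot(worst)) or "no findings")
```

Run it against the real document root instead of the constructed one to get the same list for a live shop. The app/.htaccess check only means something when Apache honours .htaccess files; on nginx the equivalent is a location rule denying app/, var/ and the other internal directories, which this script does not inspect. The script is the inside-out complement to www.magereport.com, which checks the same class of problems from the outside, the way an attacker with a wordlist would.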
