Magento Worst Practice - integer_net


05.02.2016

Magento Worst Practice

Andreas von Studnitz - @avstudnitz - Magento Worst Practice

Andreas von Studnitz

• Magento since 2008

• Developer, Consultant, Trainer

• Co-Founder integer_net

• Aachen, Germany

Problems

Small Problems

• Outdated Magento version

• Not patched

• Bad code quality

• Low performance

• Conflicting modules

• Hard to update

Real™ Problems:

• Stolen user data (i.e. email addresses, passwords)

• Stolen payment data (credit card data, PayPal)

• Server misused by hackers (i.e. Spam, DoS, Viruses)

• Server unavailable

• Server held to ransom

Security


Customer Data and Passwords stolen

(Screenshot: lib/Varien/Object.php)

Customer and Credit Card Data stolen


Usernames and Passwords stolen


Site hacked / encrypted


Real-Life Hack using Magento admin access only:

1. Gain access to Magento admin user account

2. Login to Magento Connect Manager

3. Install custom module from file

4. Catch credit card data from customers

5. Encrypt data and store to predefined image file


What to do?

The obvious:

• Keep your Magento updated

• At least apply security patches

• Keep PHP and other server software up to date

• Only use modules which have been reviewed


The obvious (2):

• Don’t use the default admin username / password

• Don’t use common usernames and passwords

• Change the admin URL

• Remove the Magento Connect Manager (“downloader”)


What NOT to do?


email address, name, company, password (hashed), order items (1264 lines)

Full (outdated) database dump

Import script:

• Triggers reindexing

• Imports database from file

• Password protected!

But if you don’t know the filename, these issues cannot be exploited!?

http://www.seochat.com/c/a/google-optimization-help/hiding-your-sensitive-data-from-google-and-the-world/

http://securityxploded.com/bruteforcing-filenames-on-webservers-using-dirbuster.php


Don’t remove the protection of app/etc/local.xml!

Protect your .git folder (if you have any)
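The local.xml and .git protections above, together with the downloader and database-dump exposures the talk mentions, expressed as an added nginx example for a Magento 1 web root (not from the slides or from integer_net). The hostname, php-fpm socket, the /dbtool/ path and the admin network are assumed placeholders.

```nginx
# Added example, not from the slides: nginx rules for a Magento 1 web root
# that close the exposures the talk lists. Directory names are Magento 1
# defaults; shop.example.com, the php-fpm socket, /dbtool/ and the admin
# network 203.0.113.0/24 are assumed placeholders.
server {
    listen 80;
    server_name shop.example.com;
    root /var/www/magento;
    index index.php;
    # Version-control metadata: a reachable .git directory hands out the
    # whole code base, including everything ever committed to it.
    location ~ /\.(git|svn|hg)(/|$) { return 404; }

    # Apache honours the .htaccess files Magento ships; nginx ignores them.
    # app/etc/local.xml holds DB credentials and the crypt key, var/ holds
    # logs and sessions. Regex locations match in file order, so these
    # must stay above the .php handler at the bottom.
    location ~ ^/(app|var|includes|shell)/ { return 404; }

    # Magento Connect Manager: the talk says remove it; this rule also
    # stops a redeployment from quietly exposing it again.
    location ~ ^/downloader/ { return 404; }

    # Database dumps or backups forgotten in the web root are served as
    # plain files unless refused by extension.
    location ~* \.(sql|sql\.gz|sql\.bz2|dump|bak)$ { return 404; }

    # A DB management tool must not be world-reachable: if it has to live
    # in the web root, limit it to the admin network. allow/deny are
    # inherited by the nested PHP location.
    location ^~ /dbtool/ {
        allow 203.0.113.0/24;
        deny  all;
        location ~ \.php$ {
            fastcgi_pass unix:/run/php-fpm.sock;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
    }

    # Normal Magento 1 front-controller handling.
    location / { try_files $uri $uri/ /index.php?$args; }
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/run/php-fpm.sock;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

After deploying, confirm from outside the admin network that /.git/HEAD, /app/etc/local.xml, /downloader/ and a known dump filename all return 404 rather than content.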


Don’t leave your management tools unprotected!

Update your tools!

Don’t put your code on GitHub unprotected!

Don’t include your local.xml!

Don’t include your database dumps!

Please!


That’s it?


No.


If you have a DB management tool freely accessible, at least pre-fill access data! </irony>


No Comment.

That’s it?

Yes.

For now.

Looking for more examples


Conclusion

• “Security by Obscurity” doesn’t work

• Keep your stuff up to date

• Stay informed

• For all freely accessible files, double check if they can be misused

• Don’t trust easily

• Do code reviews!

• Recommendation: www.magereport.com


Thank you!


Contact me:

– http://www.integer-net.com

– http://www.integer-net.de

– avs@integer-net.de

– twitter/GitHub: @avstudnitz
