While unpatched installations of Magento 2 contain many vulnerabilities, I’m going to focus my attention on Magento 1 for this article. This is because Magento 2 provides regularly updated patches for many of the most common vulnerabilities targeting the platform. While Magento 1 also contains patches for many known vulnerabilities, those patches are not currently maintained.
Magento 1 reached its end-of-support on June 30, 2020. When Magento 2 was released, the focus was to improve security, include speed improvements, support the latest PHP installations, include SEO optimizations and provide a more user-friendly interface.
Continue reading 7 Ways to Secure Magento 1 at Sucuri Blog.
From answering beginner questions like ‘What is SEO spam?’ to breaking down the spammers’ code and exactly how they hide their injections in compromised websites, we have written regularly about spam at Sucuri.
If you’ve ever operated a WordPress website you will have certainly seen, at the very least, a litany of spam comments posted on your comments section. Typically what first comes to mind are links to spam sites informing you about cut-price pharmaceuticals that could improve your love life.
Continue reading A Short History of Essay Spam (How We Got from Pills to Plagiarism) at Sucuri Blog.
Adobe has recently released several critical security patches for both their open source and commercial versions of their ecommerce platform. There are a total of 18 security vulnerabilities patched according to Adobe, although they list only 16 specific issues in the patch notes. Eleven of these issues are considered critical and five considered important, ranked by CWE standards. Ten of these vulnerabilities do not require any authentication whatsoever in order to be exploited, whereas the remaining six do require an admin account.
Continue reading Adobe Patches Critical Magento Vulnerabilities in Recent Update at Sucuri Blog.
Web form security — the set of tools and practices intended to protect web forms from attacks and abuse — is one of the most critical aspects of overall website security. Web forms allow users to interact with your site and enable a lot of useful functionality. However, once a user can interact with your site to do something useful there is a new attack surface for a hacker to exploit.
To help you get the usability benefits of web forms while limiting the security risks we’ve created this list of best practices for web form security.
Continue reading Best Practices for Web Form Security at Sucuri Blog.
During a recent investigation into a compromised Magento ecommerce environment, we discovered the presence of five different backdoors that would provide attackers with code execution capabilities. The techniques used by the attackers in these backdoors illustrate the ever-changing landscape of website security and highlight some of the tactics used to avoid traditional backdoor detection.
One such backdoor was appended to the Magento core file /errors/503.php:
This sample takes user input from the “ID” URL parameter and uses it to build a reflection function: the object stored in the $func variable then reflects whichever function name the attacker passed as input.
Continue reading Examining Unique Magento Backdoors at Sucuri Blog.