Security Notice for Magmi Product Importer

The Magmi product importer is used by many Magento stores to quickly and easily import a large number of products. Unfortunately, a recent security vulnerability has been found in Magmi that can allow an attacker to upload malicious code if the Magmi installation is publicly available. This could allow the attacker to obtain credit card information or other confidential data from your store. If you use Magmi, we strongly recommend that you remove the code from any publicly accessible directory immediately to limit your exposure to this vulnerability. Below you will find instructions for securing access to Magmi using Apache/Litespeed and Nginx.

Apache / Litespeed Instructions

For Apache and Litespeed webservers, the following rules can be added to the .htaccess file in the /magmi directory to restrict access to your trusted IP address only:

RewriteCond %{REQUEST_URI} ^/(index.php/)?magmi/ [NC]
RewriteCond %{REMOTE_ADDR} !^199\.199\.199\.199
RewriteRule ^(.*)$ http://%{HTTP_HOST}/ [R=302,L]

You will need to change the IP 199.199.199.199 in the line “RewriteCond %{REMOTE_ADDR} !^199\.199\.199\.199” to your actual IP. Once this has been added, only connections from your IP will be able to access the /magmi URLs!

*Note: The above assumes Magmi is installed in the document root. You may need to change the first line to match your Magmi installation path.

Nginx Instructions

For Nginx webservers, you can restrict access to the Magmi URL to your trusted IP only by editing your site’s configuration file (typically sites-available/___.conf) and adding the following location block:

location ~* ^/(index.php/)?magmi {
 allow 199.199.199.199;
 deny all;
 location ~* \.(php) {
  include fastcgi_params;
 }
 try_files $uri $uri/ @bootstrap;
}

You will need to change the IP 199.199.199.199 in the line “allow 199.199.199.199;” to your actual IP. Once this has been added, only connections from your IP will be able to access the /magmi URL!

*Note: The above assumes Magmi is installed in the document root. You may need to change the first line in the location block to match your Magmi installation path.

It is important to note that most home internet connections are provided with a dynamic IP address, so if your IP changes you will need to update the rules with the new IP address. If you would like to apply this security tip to your store and need assistance, please open a support ticket and our technical support team will be happy to assist you.

Securing Magento’s Admin Dashboard

The Magento Admin Dashboard is the gateway into the core of your eCommerce store, so it is important that you protect this gateway from intruders and malicious activity. Fortunately, you can lock down the Magento Admin Dashboard by just using a few simple modifications.

Apache

To allow access to the Magento Admin URL from your IP only, use the following .htaccess rules:

RewriteCond %{REQUEST_URI} ^/(index.php/)?admin/ [NC]
RewriteCond %{REMOTE_ADDR} !^199\.199\.199\.199
RewriteRule ^(.*)$ http://%{HTTP_HOST}/ [R=302,L]

You will need to change the IP 199.199.199.199 in the line “RewriteCond %{REMOTE_ADDR} !^199\.199\.199\.199” to your actual IP. Once this has been added, only connections from your IP will be able to access the /admin URLs!
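The /magmi rules earlier on this page and the /admin rules just shown make the same decision: a request is redirected to the site root when its path is under the protected prefix and the client address does not match the trusted pattern. The Python below is an added model of that decision, not code from this page or from Simple Helix, so you can check cases offline before touching a live store. One detail worth seeing in action: mod_rewrite's `!^199\.199\.199\.199` has no trailing `$`, so it is a prefix match. With the placeholder address that is harmless, but with a trusted address such as 10.0.0.1 (a constructed example) it would also admit 10.0.0.12; the `anchored` flag shows the difference. The untrusted address 203.0.113.9 is also constructed.

```python
import re


def protected_uri_pattern(prefix: str) -> re.Pattern:
    """First RewriteCond: ^/(index.php/)?<prefix>/ with the [NC] flag.
    prefix is 'magmi' or 'admin' for the rules on this page."""
    return re.compile(r"^/(index\.php/)?" + re.escape(prefix) + "/", re.IGNORECASE)


def remote_addr_pattern(trusted_ip: str, anchored: bool) -> str:
    """Second RewriteCond as written on the page: !^199\.199\.199\.199
    The page's version has no trailing '$' (anchored=False); anchored=True
    appends it so that only the exact address is trusted."""
    return "^" + re.escape(trusted_ip) + ("$" if anchored else "")


def redirect_required(request_uri: str, remote_addr: str, prefix: str,
                      trusted_ip: str, anchored: bool = True) -> bool:
    """True when both RewriteConds hold, i.e. the RewriteRule fires and the
    client is sent to http://HOST/ with a 302. False means the request is
    served normally."""
    if not protected_uri_pattern(prefix).match(request_uri):
        return False  # not under /magmi/ or /admin/: the first condition fails
    # The second condition is negated with '!': it holds when REMOTE_ADDR
    # does NOT match the trusted pattern.
    return re.match(remote_addr_pattern(trusted_ip, anchored), remote_addr) is None


def simulate(requests, prefix, trusted_ip, anchored=True):
    """Label each (uri, remote_addr) pair as 'redirect' or 'serve'."""
    return [
        (uri, addr,
         "redirect" if redirect_required(uri, addr, prefix, trusted_ip, anchored) else "serve")
        for uri, addr in requests
    ]


if __name__ == "__main__":
    # Constructed sample traffic against the /magmi rules.
    sample = [
        ("/magmi/", "199.199.199.199"),
        ("/magmi/", "203.0.113.9"),
        ("/index.php/magmi/", "203.0.113.9"),
        ("/", "203.0.113.9"),
    ]
    for row in simulate(sample, "magmi", "199.199.199.199"):
        print(*row)
```

If you want the .htaccess rule itself to be exact rather than prefix-based, append `$` to the address pattern (`!^199\.199\.199\.199$`). The nginx `allow` directive used further down the page takes an address or CIDR range rather than a regex, so this particular subtlety does not arise there.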

Nginx

To allow access to the Magento Admin URL from your IP only, edit your site’s configuration file (typically sites-available/___.conf) and add the following location block:

location ~* ^/(index.php/)?admin {
 allow 199.199.199.199;
 deny all;
 location ~* \.(php) {
  include fastcgi_params;
 }
 try_files $uri $uri/ @bootstrap;
}

You will need to change the IP 199.199.199.199 in the line “allow 199.199.199.199;” to your actual IP. Once this has been added, only connections from your IP will be able to access the /admin URLs!

It is important to note that most home internet connections are provided with a dynamic IP address, so if your IP changes you will need to update the rules with the new IP address. If you would like to apply this security tip to your store and need assistance, please open a support ticket and our technical support team will be happy to assist you.
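Because a dynamic home IP means the rules on this page (both the Magmi and the Admin Dashboard variants, Apache and Nginx alike) have to be edited every time the address changes, a small helper that swaps the address safely is worth having. The following Python is an added example, not code from this page or from Simple Helix. It rewrites only the `RewriteCond %{REMOTE_ADDR}` and nginx `allow` lines that name the old address, leaves every other line (including `deny all;` and any other `allow` entries) untouched, and validates both addresses first so a typo cannot lock you out or produce a directive the server will refuse. The addresses 203.0.113.7 and 198.51.100.2, and the file path in the usage line, are constructed.

```python
import ipaddress
import re
import sys
from pathlib import Path

# Line shapes used by the rules on this page. Group 2 captures the address.
HTACCESS_COND = re.compile(r"^(\s*RewriteCond\s+%\{REMOTE_ADDR\}\s+!\^)(\S+)(.*)$")
NGINX_ALLOW = re.compile(r"^(\s*allow\s+)(\S+?)(\s*;.*)$")


def to_rewritecond(ip: str, anchored: bool) -> str:
    """Render an address the way the .htaccess rule expects: a regex with
    escaped dots, e.g. 199\.199\.199\.199 (plus '$' if the rule was anchored)."""
    return ip.replace(".", r"\.") + ("$" if anchored else "")


def from_rewritecond(pattern: str) -> tuple:
    """Inverse of to_rewritecond: returns (plain_ip, anchored)."""
    anchored = pattern.endswith("$")
    return pattern.rstrip("$").replace(r"\.", "."), anchored


def update_trusted_ip(config_text: str, old_ip: str, new_ip: str) -> tuple:
    """Replace old_ip with new_ip in every RewriteCond %{REMOTE_ADDR} and
    nginx 'allow' line that names old_ip. Returns (new_text, lines_changed).
    Raises ValueError (ipaddress.AddressValueError) if either address is not
    a well-formed IPv4 address."""
    ipaddress.IPv4Address(old_ip)
    ipaddress.IPv4Address(new_ip)
    out, count = [], 0
    for line in config_text.splitlines():
        m = HTACCESS_COND.match(line)
        if m:
            current, anchored = from_rewritecond(m.group(2))
            if current == old_ip:
                line = m.group(1) + to_rewritecond(new_ip, anchored) + m.group(3)
                count += 1
        else:
            m = NGINX_ALLOW.match(line)
            if m and m.group(2) == old_ip:
                line = m.group(1) + new_ip + m.group(3)
                count += 1
        out.append(line)
    trailing = "\n" if config_text.endswith("\n") else ""
    return "\n".join(out) + trailing, count


def rotate_trusted_ip(path: str, old_ip: str, new_ip: str) -> int:
    """Rewrite the file in place and return how many lines changed.
    nginx must be reloaded afterwards; .htaccess changes take effect at once."""
    p = Path(path)
    new_text, count = update_trusted_ip(p.read_text(), old_ip, new_ip)
    if count:
        p.write_text(new_text)
    return count


if __name__ == "__main__":
    # usage: python rotate_ip.py /path/to/.htaccess 199.199.199.199 203.0.113.7
    changed = rotate_trusted_ip(sys.argv[1], sys.argv[2], sys.argv[3])
    print(f"{changed} line(s) updated")
```

Run it against the .htaccess in the /magmi directory (or the Magento document root for the /admin rules) and against the nginx site file; for nginx, follow up with a configuration test and reload so the new `allow` takes effect.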

CVE-2014-3566 – Padding Oracle On Downgraded Legacy Encryption attack (POODLE)

A new vulnerability has been found in OpenSSL, the open-source software used to encrypt and secure web communication, that could potentially allow attackers to steal sensitive information normally protected by the SSLv3 encryption protocol via a man-in-the-middle style attack. The vulnerability, CVE-2014-3566, dubbed the “Padding Oracle On Downgraded Legacy Encryption attack” or “POODLE,” requires the attacker to be positioned on the network path between the communicating devices, which makes it less severe than Heartbleed, discovered earlier this year.

Even though the severity is lower, Simple Helix still takes this matter very seriously. To secure our users and prevent attacks against the content they protect with SSL/TLS encryption, we have taken steps to ensure that all servers we host have been patched against this vulnerability.

If you are using SSL/TLS encryption with a server hosted by Simple Helix, you can rest easy knowing that the appropriate action has been taken to keep your data secure. If you are not currently using SSL/TLS encryption and have an eCommerce presence, then we highly recommend that you get an SSL certificate to provide SSL/TLS encryption for your online store and customers. If you would like help setting up an SSL certificate for your store, please call or open a support ticket and our technical team would be happy to assist you. If you do not already have an SSL certificate, then you can get started for just $49.95 per year if you purchase through Simple Helix: http://simplehelix.com/services/ssl-certificates.
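On the server side, POODLE is addressed by no longer offering SSLv3 at all. As an added illustration (not code from this page or from Simple Helix), the following Python reads the protocol directive of the two web servers discussed above, Apache's `SSLProtocol` and nginx's `ssl_protocols`, and flags any directive that still lets SSLv3 be negotiated. It follows mod_ssl's token rules (`+name` adds, `-name` removes, a bare name or `all` replaces the current set, processed left to right), while nginx's directive is a plain list. The expansion of Apache's `all` assumes an httpd 2.4 build (SSLv3 through TLSv1.3), and the configuration scanned in the test is constructed.

```python
import re

# What Apache's 'all' expands to; assumes an httpd 2.4 build with TLS 1.3
# support (SSLv2 is no longer offered by 2.4).
APACHE_ALL = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
# Case-insensitive lookup of the names both servers accept.
KNOWN = {name.lower(): name for name in ("SSLv2",) + APACHE_ALL}


def apache_ssl_protocols(directive: str) -> set:
    """Expand 'SSLProtocol ...' into the set of enabled protocols."""
    tokens = directive.split("#", 1)[0].split()
    if not tokens or tokens[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive")
    enabled = set()
    for tok in tokens[1:]:
        action, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("=", tok)
        if name.lower() == "all":
            names = set(APACHE_ALL)
        elif name.lower() in KNOWN:
            names = {KNOWN[name.lower()]}
        else:
            raise ValueError(f"unknown protocol token {tok!r}")
        if action == "+":
            enabled |= names
        elif action == "-":
            enabled -= names
        else:
            enabled = names  # bare name / 'all' replaces what came before
    return enabled


def nginx_ssl_protocols(directive: str) -> set:
    """'ssl_protocols A B C;' is an explicit list with no add/remove syntax."""
    tokens = directive.split("#", 1)[0].strip().rstrip(";").split()
    if not tokens or tokens[0].lower() != "ssl_protocols":
        raise ValueError("not an ssl_protocols directive")
    return {KNOWN.get(t.lower(), t) for t in tokens[1:]}


def sslv3_accepted(directive: str) -> bool:
    """True if the directive still lets clients negotiate SSLv3 (or SSLv2)."""
    first = directive.split()[0].lower()
    if first == "sslprotocol":
        enabled = apache_ssl_protocols(directive)
    else:
        enabled = nginx_ssl_protocols(directive)
    return bool(enabled & {"SSLv2", "SSLv3"})


def find_weak_protocol_lines(config_text: str) -> list:
    """Scan a vhost/server config and return the 1-based line numbers of
    SSLProtocol / ssl_protocols directives that still allow SSLv3.
    Commented-out lines are ignored."""
    hits = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.lower().startswith(("sslprotocol", "ssl_protocols")):
            if sslv3_accepted(stripped):
                hits.append(number)
    return hits


if __name__ == "__main__":
    # Constructed nginx server block with the pre-POODLE default list.
    SAMPLE = (
        "server {\n"
        "    listen 443 ssl;\n"
        "    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n"
        "}\n"
    )
    print("lines still allowing SSLv3:", find_weak_protocol_lines(SAMPLE))
```

A directive that passes this check (`SSLProtocol all -SSLv3` on Apache, `ssl_protocols TLSv1.2 TLSv1.3;` on nginx, for example) removes the protocol POODLE depends on; the patch level of OpenSSL itself is a separate matter that this script does not inspect.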

Bash Security Vulnerability CVE-2014-6271

  • September 26th, 2014
  • Posted in Security

A serious security vulnerability has been found in the GNU Bourne Again Shell (Bash), commonly used on many Linux and Unix systems. The vulnerability lies in the way Bash evaluates certain environment variables and could allow a malicious attacker to execute shell commands. It is being tracked under CVE-2014-6271.

At Simple Helix, we take this matter very seriously. We closely monitor security reports that affect the systems we host and take measures to ensure all systems are patched and up to date. As soon as we learned of this vulnerability, a plan was put into place to get all servers patched as soon as possible. We are pleased to report that all servers we manage have been successfully patched as of September 25, 2014.

If you are not currently hosting with Simple Helix and are concerned that your server may be vulnerable, now may be a good time to request a hosting quote!

Google to Give Search “Edge” To Websites Utilizing Encryption (SSL)

Google will soon begin using a new ranking signal based on whether a website uses encryption (SSL/HTTPS). While this move is welcomed by site owners who already make use of encryption, it may serve as a wake-up call for those developers who still do not implement secure connections by default.

For Magento and e-commerce stores, we highly recommend using encryption to protect the checkout process. This is also required for PCI Compliance certification. If your site does not already have an SSL certificate, fear not: you can purchase one directly from Simple Helix! It is also worth noting that many of our new e-Cart plans come with a free standard SSL certificate by default!
