What could possibly go wrong?
Security in Magento Shops
• integer_net (Aken / Germany)
• Consultant / Developer / Trainer / CEO
• Specialist for Magento and Solr
• @avstudnitz
Andreas von Studnitz
Real Life Example
• One line of code added
• Reads all requests in the admin and checkout areas
• Encodes and stores data in media/cache_6e0a32[…]d53ee065da
Real Life Example
• Active for 6 months!
• 5,628 datasets (email address, name, telephone)
• 1,612 passwords
• All admin usernames and passwords
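A defender-side check for the two indicators in this real-life example (one line added to a core file, and an encoded data dump written under media/). This is an added Python example, not code from the talk or from Magento; it assumes a baseline hash manifest taken on a known-clean install, and the cache_<hex> filename pattern is constructed for the example.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed pattern for the kind of dump file the talk describes, media/cache_<hex>;
# an assumption for this example, not a Magento naming convention.
SUSPICIOUS_MEDIA = re.compile(r"^cache_[0-9a-f]{16,}$")


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256; take this on a clean install."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare_to_manifest(root: Path, manifest: dict) -> dict:
    """Files modified, added or removed since the baseline manifest was taken."""
    current = build_manifest(root)
    return {
        "modified": sorted(f for f in manifest if f in current and current[f] != manifest[f]),
        "added": sorted(f for f in current if f not in manifest),
        "removed": sorted(f for f in manifest if f not in current),
    }


def suspicious_media_files(root: Path) -> list:
    """Files under media/ whose names look like an encoded data dump rather than an image."""
    media = root / "media"
    if not media.is_dir():
        return []
    return sorted(p.relative_to(root).as_posix() for p in media.rglob("*")
                  if p.is_file() and SUSPICIOUS_MEDIA.match(p.name))


def simulate_incident() -> tuple:
    """Constructed mini shop tree: baseline it, then apply the two changes described in the talk."""
    root = Path(tempfile.mkdtemp())
    core = root / "app" / "code" / "core" / "Checkout.php"
    core.parent.mkdir(parents=True)
    core.write_text("<?php\nclass Checkout {}\n")
    (root / "media").mkdir()
    (root / "media" / "logo.png").write_bytes(b"\x89PNG")
    baseline = build_manifest(root)
    # The incident: one line added to a core file, collected data written under media/.
    core.write_text("<?php\nclass Checkout {}\n// one added line\n")
    (root / "media" / "cache_0123456789abcdef0123456789abcdef").write_bytes(b"encoded dump")
    return compare_to_manifest(root, baseline), suspicious_media_files(root)
```

Calling simulate_incident() reports the modified core file and the dump file; on a real shop, run compare_to_manifest against a manifest stored off-host, since a baseline kept on the compromised server can be edited along with the code.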
Magento Unpatched
• Neither installed the latest version
• Nor applied important security patches
• (Insecure PHP version)
Weakly secured Admin Area
• http://magento.site/admin/
• http://magento.site/downloader/
• Username “admin”
• Low security passwords
What can an Attacker do with Admin Access? (1)
1. Log in
2. Upload a custom extension in the Magento Connect Manager (downloader)
What can an Attacker do with Admin Access? (2)
1. Log in
2. Inject custom JavaScript in System => Configuration
Security issues in extensions
• Custom or purchased extensions
• SQL Injection, XSS, …
• Backdoors
• Installation service
1. Follow basic Guidelines
• Update Magento and PHP
• Secure the admin area
• Subscribe to the security mailing list