If you're one of millions using Magento – stop whatever you're doing and patch now A huge security hole has been found in popular ecommerce platform Magento, requiring an immediate update. Critical cross-site scripting vulnerabilities have been found in both versions 1 and 2 of the platform. They can be exploited just by registering with a spiked username or email address – making it an obvious target for …
Magento does the reverse. Store anything, sanitize the output for proper application.
With proper use of parameterized queries, the XKCD joke never works, no input sanitization needed.
I'm kind of a belt and suspenders type guy and like the idea of taking junk out both coming and going, however; I've had it proved several times as to how input santization can totally fail.
I think security has to do with that defense in depth thing.
Javascript validation huh? I think I know how such a secure system can be bypassed.
> curl --data 'email=%3Cscript%3Ealert+%28%22owned%2C+beeyotch%21%22%29%3C%2Fscript%3Eme%40email.com' -X POST http://my.magento.installation.com/register.php
If your validation is client side only then you have no validation. It's rule freaking one of developing an app. Be like Fox Mulder when it comes to user supplied input and trust no-one.
A newbie developer can be forgiven for making a mistake like that (after they've had it beaten into them not to do it again of course). A "professional" outfit like Magento should know better.
Myhandler, No, I don't think that's ok, and Passive Smoking's post illustrates exactly the reason why.
Now step back to SUPEE-5344 where a similar trick could be used to directly inject Admin accounts into the Admin user database with full administrative access. The patch was released in February but not really announced besides just having a download link on their website. They got in a dead panic about announcing the need to patch somewhere in April because the people who found it decided to publish. Man that was a three ring circus...
...that this has nothing (NOTHING) to do with using shoddily weakly typed languages like Pointy Haired Programming and would have been inevitable even if the whole thing were written in something with a type safety and didn't allow EXECing of strings.
Glad that's out of the way.
The fact Magento hasn't baked an update system in to the CMS. I'm in a new role at a company that runs three Magento shops, two of them are a version behind the most recent 1.x installation. I have to put all of them in maintenance mode, then run a shell script on each of them to do the update.
Why, in 2016, can there not be a better way of doing this? There will be retailers across the world who have no idea what's going on, and they won't know about this update. They'll dismiss the popup and think "Well the site still works so it must be OK". The computer guys who set the site up won't inform them, and if they do they'll demand a large sum of money to do the work - which again will probably result in a "No it's OK it's fine" from the retailer.
Still, it's early AM here in the UK, I'm sure the script kiddies are in bed asleep.
I hope.
I agree, the update system (of lack of one) is shockingly poor, made worse by the "add-ons system" which 9/10 just involves copy-pasting over core files (now often meaning patches can't be applied).
Not good enough from a platform which has had several massive security holes in the last couple of years
Care to drop me a line about this? I think the email attached to my pieces here still works. If not, timworstallAT"taxdodger"gmail.com does.
I'm looking around for an entry level service that we might offer (me and my team of Czechs) and this is the second Magento problem I've seen in a couple of months.
"We patch your Magento system for $20" might be something we could usefully do. Or some other similar sort of price. Would love to get some guidance from those who know whether that's something that might fly.
I'd be seriously careful about this, we've had to do patches across multiple client websites and some of the recent ones caused compatibility problems with modules which had been installed, meaning we then had to go ahead and patch all the modules too. Not saying it's not a possible business opportunity, but make sure you know what's installed before giving any estimates
I have to reiterate the AC's comment.
I've applied the patch to two out of the three stores. So far so good. But the third one is just sprawling with issues at the moment, mostly down to the lack of updates going before it.
The problem you will have is that giving a fixed price to do an upgrade like this would be opening yourself up to a whole host of issues. Compatibility of modules, compatibility with custom code hidden in the bowels of the installation, and just the unknown of how the store was maintained - if at all - in the first place. Case in point being my third store, it hasn't been updated like the others, and I've no documentation for any work done on the three shops. Period.
Even beyond that, the more complicated the site is the more likely people would be tempted to go the fixed cost route, just because of the expense your average agency would quote. It's possible to build a company around doing simple jobs for Magento, but this is probably the worst area to look into
I'm thinking of it more as a way to advertise an agency that does magento. But everyone's warnings much appreciated: and once they've been made I can see the relevance of them too.
The current project is much more fun: mapping tornado damage for FEMA in a Ruby/Rails system.
This post has been deleted by its author
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
