This document outlines the top 10 worst Magento practices for security. It discusses leaving code, data, executables, database credentials, admin interfaces, and tools unprotected. Specific problems mentioned include outdated Magento versions and modules, unpatched vulnerabilities, downloadable code repositories and database dumps, and backdoors. The presentation emphasizes that security requires keeping everything updated, limiting access, and double checking for potential misuse of exposed files and interfaces.
2. Andreas von Studnitz - @avstudnitz
Andreas von Studnitz
Magento Worst Practice
Andreas von Studnitz
Magento since 2008
Developer, Consultant, Trainer
Co-Founder integer_net
Aachen, Germany
Full (outdated) database dump: email address, name, company, password (hashed), order items (1264 lines)
But if you don’t know the filename, these issues cannot be exploited!
http://www.seochat.com/c/a/google-optimization-help/hiding-your-sensitive-data-from-google-and-the-world/
http://securityxploded.com/bruteforcing-filenames-on-webservers-using-dirbuster.php
?
Top 10 Worst Magento Practices
#8: Unprotected Executables
Examples: an import script that triggers reindexing; a script that imports the database from a file
• Don’t call your scripts from the browser – use the shell instead
• Put your executables into “shell” instead of the main directory
• Remove unneeded scripts
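As an added example (not part of the slides), a small POSIX shell audit for what the last few slides warn about: leftover scripts in the document root that a browser can call, and dumps or archives that can be found by guessing filenames (slides 20 and 21). The list of stock Magento 1 top-level entry points and the file patterns are assumptions made for this example; extend them for your own installation.

```shell
#!/bin/sh
# Added example (not from the talk): list files under a Magento 1 document root
# that are reachable by URL but should never be: database dumps, archives and
# stray PHP scripts sitting next to index.php.
# Usage: sh audit_exposed_files.sh /var/www/magento
# Assumption: the stock Magento 1 top-level PHP entry points are the ones below;
# anything else at the top level belongs in shell/ or should be deleted.
KNOWN_TOPLEVEL="index.php cron.php api.php get.php install.php"

is_known() {
    for k in $KNOWN_TOPLEVEL; do
        [ "$1" = "$k" ] && return 0
    done
    return 1
}

# Print stray top-level PHP scripts, one relative name per line.
stray_scripts() {
    docroot="${1%/}"
    for f in "$docroot"/*.php; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        is_known "$name" || echo "$name"
    done
}

# Print dump/backup/archive files anywhere under the docroot except var/
# (Magento's working directory, which the web server must block anyway).
exposed_dumps() {
    docroot="${1%/}"
    find "$docroot" -path "$docroot/var" -prune -o -type f \
        \( -name '*.sql' -o -name '*.sql.gz' -o -name '*.zip' -o -name '*.tar.gz' \
           -o -name '*.tgz' -o -name '*.bak' -o -name '*.old' -o -name '*~' \) \
        -print | sed "s|^$docroot/||" | sort
}

# Report both lists; exit status 0 only when nothing was found, so the
# audit can gate a deployment.
audit_exposed_files() {
    docroot="${1%/}"
    stray_scripts "$docroot" | sed 's/^/STRAY SCRIPT (move to shell\/ or delete): /'
    exposed_dumps "$docroot" | sed 's/^/EXPOSED FILE (delete or move out of the docroot): /'
    n=$( { stray_scripts "$docroot"; exposed_dumps "$docroot"; } | wc -l )
    [ "$n" -eq 0 ]
}

# Run only when a docroot is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_exposed_files "$1"
fi
```

The script only looks at the filesystem; it says nothing about what the web server actually serves, so keep the server-side deny rules for var/ and shell/ in place regardless, and treat a clean run as one check among several rather than proof that nothing is exposed.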
Top 10 Worst Magento Practices
#7: Unprotected Database Credentials
Don’t remove the protection of app/etc/local.xml!
Top 10 Worst Magento Practices
#6: Unsecured Admin
• Don’t use the default admin username / password
• Don’t use common usernames and passwords
• Change the admin URL
• Remove the Magento Connect Manager (“downloader”)
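An added example, not from the talk, that checks three of the points above on a Magento 1 document root with a POSIX shell script: that app/.htaccess still carries the "Deny from all" Magento ships to keep app/etc/local.xml private (#7), that the admin frontName in local.xml is no longer the stock "admin", and that the downloader/ directory is gone. It assumes Apache with .htaccess files enabled (on nginx the deny rule lives in the server block and the first check must be adapted) and a local.xml whose <frontName> element sits on a single line; the value "backend" used in the test is a placeholder.

```shell
#!/bin/sh
# Added example (not from the talk): three hardening checks for a Magento 1
# document root. Usage: sh check_hardening.sh /var/www/magento
# Assumption: Apache with .htaccess enabled; on nginx adapt local_xml_protected.

# 1. app/etc/local.xml must not be fetchable. Magento 1 ships app/.htaccess with
#    "Deny from all"; a missing or edited file is the "removed protection" case.
local_xml_protected() {
    docroot="${1%/}"
    [ -f "$docroot/app/etc/local.xml" ] || { echo "no local.xml found"; return 1; }
    grep -qi '^[[:space:]]*deny[[:space:]]*from[[:space:]]*all' "$docroot/app/.htaccess" 2>/dev/null
}

# 2. The admin URL must not be the default. Read <frontName> from local.xml,
#    with or without a CDATA wrapper (assumes the element is on one line).
admin_front_name() {
    docroot="${1%/}"
    sed -n 's/.*<frontName>\(<!\[CDATA\[\)\{0,1\}\([^]<]*\).*/\2/p' \
        "$docroot/app/etc/local.xml" | head -n 1
}

admin_url_changed() {
    name=$(admin_front_name "$1")
    [ -n "$name" ] && [ "$name" != "admin" ]
}

# 3. The Magento Connect Manager ("downloader") should be gone from production.
downloader_removed() {
    docroot="${1%/}"
    [ ! -d "$docroot/downloader" ]
}

# Print one line per check; exit status 0 only if all three pass.
check_hardening() {
    rc=0
    local_xml_protected "$1" && echo "ok   app/etc/local.xml protected by app/.htaccess" \
        || { echo "FAIL app/etc/local.xml is not protected"; rc=1; }
    admin_url_changed "$1" && echo "ok   admin frontName is not the default" \
        || { echo "FAIL admin frontName is still 'admin' (or unset)"; rc=1; }
    downloader_removed "$1" && echo "ok   downloader/ removed" \
        || { echo "FAIL downloader/ still present"; rc=1; }
    return $rc
}

# Run only when a docroot is given on the command line.
if [ "$#" -gt 0 ]; then
    check_hardening "$1"
fi
```

The frontName check covers the local.xml way of moving the admin URL; a custom admin path set in the backend configuration instead is stored in the database and would need a different check. Neither check replaces strong, non-default admin credentials.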
Top 10 Worst Magento Practices
#5: Unsecured Tools
Don’t leave your management tools unprotected!
Update your tools!
Top 10 Worst Magento Practices
#4: Patches not applied
Example: Shoplift Bug (patched February 2015)
Magento shops vulnerable to Shoplift: 50,581 (out of 255,558)
Source: byte.nl, April 2016
Top 10 Worst Magento Practices
#3: Insecure Modules
That’s it?
Yes.
For now.
Looking for more examples
Real™ Problems:
• Stolen user data
• Stolen payment data
• Server misused by hackers
• Server unavailable
• Server held to ransom
Security Basics
• “Security by Obscurity” doesn’t work
• Keep your stuff up to date
• Stay informed
• For all freely accessible files, double check if they can be misused
• Don’t trust easily
• Do code reviews!
• Recommendation: www.magereport.com