This document outlines the top 10 worst Magento practices for security. It discusses leaving code, data, executables, database credentials, admin interfaces, and tools unprotected. Specific problems mentioned include outdated Magento versions and modules, unpatched vulnerabilities, downloadable code repositories and database dumps, and backdoors. The presentation emphasizes that security requires keeping everything updated, limiting access, and double checking for potential misuse of exposed files and interfaces.

1. Andreas von Studnitz - @avstudnitz
Andreas von Studnitz
Magento Worst Practice

2. Andreas von Studnitz - @avstudnitz
Andreas von Studnitz
Magento Worst Practice
Andreas von Studnitz
Magento since 2008
Developer, Consultant,
Trainer
Co-Founder integer_net
Aachen, Germany

3. Andreas von Studnitz - @avstudnitz
Problems

4. Andreas von Studnitz - @avstudnitz
Small Problems
• Bad code quality
• Low performance
• Conflicting modules
• Hard to update
Small Problems

5. Andreas von Studnitz - @avstudnitz
Small Problems
• Outdated Magento version
• Not patched
• Conflicting modules
• Low performance
• Hard to update

6. Andreas von Studnitz - @avstudnitz

7. Andreas von Studnitz - @avstudnitz
Real™ Problems:
Security

8. Andreas von Studnitz - @avstudnitz

9. Andreas von Studnitz - @avstudnitz
17/11/2015

10. Andreas von Studnitz - @avstudnitz
Customer data and passwords
stolen
lib/Varien/Object.php:

11. Andreas von Studnitz - @avstudnitz
Usernames and passwords stolen

12. Andreas von Studnitz - @avstudnitz
Site hacked / encrypted

13. Andreas von Studnitz - @avstudnitz

14. Andreas von Studnitz - @avstudnitz
Top 10
Worst Magento
Practices

15. Andreas von Studnitz - @avstudnitz
Top 10 Worst Magento Practices
#10
Downloadable Code

16. Andreas von Studnitz - @avstudnitz
Protect your .git folder
(if you have any)

17. Andreas von Studnitz - @avstudnitz
Don‘t put your code on GitHub
unprotected!

18. Andreas von Studnitz - @avstudnitz
Top 10 Worst Magento Practices
#9
Downloadable Data

19. Andreas von Studnitz - @avstudnitz

20. Andreas von Studnitz - @avstudnitz
email address, name,
company, password
(hashed), order items
(1264 lines)
Full (outdated)
database dump

21. Andreas von Studnitz - @avstudnitz
But if you don’t know the filename,
these issues cannot be exploited!
http://www.seochat.com/c/a/
google-optimization-help/hiding-
your-sensitive-data-from-google-
and-the-world/
http://securityxploded.com/
bruteforcing-filenames-on-
webservers-using-dirbuster.php
?

22. Andreas von Studnitz - @avstudnitz
Don‘t put your database dumps
on GitHub!

23. Andreas von Studnitz - @avstudnitz
Please!

24. Andreas von Studnitz - @avstudnitz
Top 10 Worst Magento Practices
#8
Unprotected
Executables

25. Andreas von Studnitz - @avstudnitz
Import script;
triggers reindexing
Imports database from file

26. Andreas von Studnitz - @avstudnitz
• Don’t call your scripts from the browser –
use the shell instead
• Put your executables into “shell” instead of
the main directory
• Remove unneeded scripts

27. Andreas von Studnitz - @avstudnitz
Top 10 Worst Magento Practices
#7
Unprotected
Database Credentials

28. Andreas von Studnitz - @avstudnitz
Don‘t remove the protection of
app/etc/local.xml!

29. Andreas von Studnitz - @avstudnitz
Don‘t put your
local.xml on GitHub!

30. Andreas von Studnitz - @avstudnitz
Top 10 Worst Magento Practices
#6
Unsecured Admin

31. Andreas von Studnitz - @avstudnitz
• Don’t use the default admin username /
password
• Don’t use common usernames and
passwords
• Change the admin URL
• Remove the Magento Connect Manager
(“downloader”)

32. Andreas von Studnitz - @avstudnitz
Top 10 Worst Magento Practices
#5
Unsecured Tools

33. Andreas von Studnitz - @avstudnitz
Don‘t leave your management
tools unprotected!
Update your tools!

34. Andreas von Studnitz - @avstudnitz
Top 10 Worst Magento Practices
#4
Patches not applied

35. Andreas von Studnitz - @avstudnitz
Example: Shoplift Bug
(patched February 2015)

36. Andreas von Studnitz - @avstudnitz
50,581
Source: byte.nl, April 2016
Magento shops vulnerable to Shoplift:
(out of 255,558)

37. Andreas von Studnitz - @avstudnitz
Top 10 Worst Magento Practices
#3
Insecure Modules

38. Andreas von Studnitz - @avstudnitz

39. Andreas von Studnitz - @avstudnitz
Top 10 Worst Magento Practices
#2
Database Tools

40. Andreas von Studnitz - @avstudnitz

41. Andreas von Studnitz - @avstudnitz
If you have a DB management tool freely accessible,
at least pre-fill access data!
</irony>

42. Andreas von Studnitz - @avstudnitz
Top 10 Worst Magento Practices
#1

43. Andreas von Studnitz - @avstudnitz

44. Andreas von Studnitz - @avstudnitz

45. Andreas von Studnitz - @avstudnitz
No comment.

46. Andreas von Studnitz - @avstudnitz
Top 10 Worst Magento Practices
#1
Backdoors

47. Andreas von Studnitz - @avstudnitz
That‘s it?
Yes.
For now.
Looking for more examples 

48. Andreas von Studnitz - @avstudnitz
Real™ Problems:
• Stolen user data
• Stolen payment data
• Server misused by hackers
• Server unavailable
• Server hold to ransom

49. Andreas von Studnitz - @avstudnitz
Security Basics
• “Security by Obscurity” doesn’t work
• Keep your stuff up to date
• Stay informed
• For all freely accessible files, double check
if they can be misused
• Don’t trust easily
• Do code reviews!
• Recommendation: www.magereport.com

50. Andreas von Studnitz - @avstudnitz

51. Andreas von Studnitz - @avstudnitz
Thank you!
PHOTO
Please contact me!
@integer_net www.integer-net.com
@avstudnitz avs@integer-net.com