OCT 23 2015

Securing Magento Cacheleak, Backupleak and Sessionleak


4 comments

Magento Cacheleak is an implementation vulnerability, result of bad implementation of web-server configuration for Magento platform. With such configuration web-server ignoring all or some .htaccess files shipped with Magento distribution or some directives from these files and therefor all private… Read the rest
OCT 18 2015

Securing MAGMI Data Import Tool

MAGMI (Magento Mass Importer), popular Magento Data Import Tool, often is used without any protection in its default location (/magmi/web/magmi.php). Unsecure implementaion of this tool can be abused to gain full access to a Magento installation, especially taking into account… Read the rest
MAY 13 2015

Restrict access to Magento /downloader/


2 comments

We are noticing dynamic increase in robots/crawlers brute-forcing Magento’s /downloader/ locations, trying default admin user with various passwords (mostly dictionary-based) and other popular logins. We seen the bots are trying it continuously (in some cases for several months or years… Read the rest
APR 23 2015

Securing Magento /admin/ by admin path change


6 comments

Default Magento backend URL is set to /admin/ (i.e. http://www.example.com/admin/), it knows everyone, including bots and crackers, who brute-forcing it for weeks according to my logs. Recent Shoplift vulnerability (known by its SUPEE-5344 patch widely announced to public) indicated that… Read the rest