Category Archives: Security

How Can I Remove Malware For My Magento Store

I have a Magento store, but it got malware last week. How can I find the malware code in my Magento store and remove it?

To remove malware yourself you need programming skills. It is not easy, and identifying the malicious code can take considerable time.

However, that does not mean you can do nothing: you can still use a plugin, extension or scanner to check your site.

1. Remove malware from Magento via cPanel virus scanner

If you are using cPanel, log in to cPanel and go to the “Advanced” section. Then click “Virus Scanner” to scan your Magento store (you can scan Mail, Entire Home Directory, Public FTP Space or Public Web Space).

* This method only works on cPanel & WHM version 62 or later.
* This option only appears if you or your hosting provider have installed the ClamAV Scanner software in WHM’s Manage Plugins interface (Home >> cPanel >> Manage Plugins).

2. Remove malware from Magento if you are using VPS/Dedicated server

If your Magento store is hosted on a VPS or dedicated server, you need to install a Linux malware scanner yourself, e.g. Linux Malware Detect (maldet).

Once it is installed, change to your Magento document root and run

maldet -a ./

then review the results.
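Scanners such as maldet and ClamAV only find code that matches a signature they already know. As an added example (not from this page and not part of maldet), here is a small Python triage script that looks for what signatures miss: PHP files containing the usual obfuscation and request-driven-execution constructs, PHP files sitting in Magento's upload directories (media/ and var/), and world-writable paths left behind by an intrusion. The sample store tree it builds is constructed for the demo, and the regular expression is an assumption to tune for your own code base; every hit is a lead to inspect by hand, not proof of infection.

```python
"""Added example (not from the original page or from maldet): a first-pass
triage of a Magento document root that complements a signature scanner.
"""
import os
import re
import stat
import tempfile

# Typical webshell/dropper constructs. This regex is an assumption for the
# example; tune it to your code base to keep false positives manageable.
SUSPICIOUS_RE = re.compile(
    rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)"
    rb"|preg_replace\s*\(\s*['\"].*?/e['\"]"
    rb"|\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\("
)
PHP_EXT = (".php", ".phtml")

# Upload/runtime directories: Magento 1 does not normally keep PHP here.
UPLOAD_DIRS = ("media", "var")


def php_files(root):
    """Yield every PHP/PHTML file below root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(PHP_EXT):
                yield os.path.join(dirpath, name)


def suspicious_php(root):
    """Relative paths of PHP files whose contents match SUSPICIOUS_RE, sorted."""
    hits = []
    for path in php_files(root):
        with open(path, "rb") as fh:
            if SUSPICIOUS_RE.search(fh.read()):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def php_in_upload_dirs(root):
    """PHP files under media/ or var/, where only uploads should live."""
    hits = []
    for path in php_files(root):
        rel = os.path.relpath(path, root)
        if rel.split(os.sep, 1)[0] in UPLOAD_DIRS:
            hits.append(rel)
    return sorted(hits)


def world_writable(root):
    """Paths any local user may modify (o+w); the SUPEE-1533 exploit set 777."""
    hits = []
    for dirpath, dirnames, names in os.walk(root):
        for name in dirnames + names:
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mode & stat.S_IWOTH:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def make_sample_root():
    """Constructed sample store tree for the demo; not a real installation."""
    root = tempfile.mkdtemp(prefix="magento-triage-")
    files = {
        # benign module code
        "app/code/local/Vendor/Clean.php": b"<?php echo 'hello';\n",
        # obfuscated dropper hidden in the image upload tree
        "media/wysiwyg/cache.php": b"<?php eval(base64_decode('ZWNobyAxOw=='));\n",
        # request-driven backdoor: calls whatever function name is POSTed
        "app/code/local/Vendor/Helper.php": b"<?php $_POST['f']($_POST['a']);\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    # Normalise modes so the demo is independent of the caller's umask, then
    # leave one directory world-writable, as a compromised store often is.
    for dirpath, dirnames, names in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o755)
        for f in names:
            os.chmod(os.path.join(dirpath, f), 0o644)
    os.chmod(os.path.join(root, "media", "wysiwyg"), 0o777)
    return root


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else make_sample_root()
    for title, check in (("suspicious PHP", suspicious_php),
                         ("PHP in upload dirs", php_in_upload_dirs),
                         ("world-writable paths", world_writable)):
        print(f"== {title}")
        for hit in check(root):
            print("  ", hit)
```

Run it with the store's document root as the only argument (python3 triage.py /var/www/magento); without an argument it scans the constructed sample tree. Review anything flagged under media/ or var/ first: a .php file in an upload directory is almost always attacker-placed.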

Choosing good hosting is always the easiest way to keep your site secure.

SiteGround is the best choice, which I have used for my clients over the last 3 years.
Their Magento plans run on Magento-optimized servers, which make the store fast for you and your customers and help increase the conversion rate.
SiteGround also offers a site scanning service, SG Site Scanner (powered by Sucuri.net, one of the most prominent web security companies), which scans all the pages linked from your homepage (or any other page you select) on a daily basis.

What Is Magento Security Patch SUPEE-7405

A new Magento security patch, SUPEE-7405, was released. What security issues have been solved?

Most of the changes are HTML escaping and data sanitization to address XSS issues.

1. Form key validation has been added to the admin login, admin forgot password, admin reset password and frontend cart delete actions.

2. A new validator to check if an uploaded file is an image

3. A new Import/Export setting appears: System => Escape CSV Fields

4. Events are now dispatched all lower case.

5. New event dispatched: admin_user_validate

6. SVG is not a valid favicon extension anymore

7. New Zend class: Zend_Xml_Security. Its purpose is to scan XML string for potential XXE and XEE attacks.

8. Files uploaded via the admin panel are no longer world-readable by default

9. Directories are also no longer world-executable

10. Data escaping added to frontend templates

Version: Magento Community / Enterprise Edition
Issues addressed with patch:
  1. Stored XSS via email address – APPSEC-1213
    During customer registration on the storefront, a user can provide an email address that contains JavaScript code. Magento does not properly validate this email and executes it in Admin context when viewing the order in the backend. This JavaScript code can steal an administrator session or act on behalf of a store administrator.
  2. Stored XSS in Order Comments – APPSEC-1239
    A user can append comments to an order using a specially crafted request that relies upon the PayFlow Pro payment module. Magento does not filter the request properly, which potentially results in JavaScript code being saved in the database (see issue APPSEC-1240) and then executed in the administrator's browser when the administrator views the order. This attack can lead to a takeover of the administrator session or executing actions on behalf of the administrator.
  3. Stored XSS in Order – APPSEC-1260
    In certain configurations, Magento uses the HTTP_X_FORWARDED_FOR header as the customer IP address and displays it without sanitization in the Admin Panel. An attacker can use this header to inject JavaScript code into Order View forms in Admin Panel. The code is then executed when a user visits an Order View form, allowing the take over of an administrator session or for an unauthorized user to execute actions on behalf of an administrator. Note that we do not recommend using this header configuration setting.
  4. Guest order view protection code vulnerable to brute-force attack – APPSEC-1270
    The guest order view protection code makes it possible to access guest order information for some orders. (This is due to how the code is generated and compared with stored values.) While the attack cannot target a specific order or allow a user to view all orders, it can be used to extract order information from store.
  5. Information Disclosure in RSS feed – APPSEC-1171
    You can download order comments and other order-related information by providing special parameters to the RSS feed request. This information, depending on contents of the order comments, can disclose private information or be used to access customer account or other customer information.
  6. CSRF token not validated on backend login page – APPSEC-1206
    The lack of form protection on the Admin Login page enables potential request forgery attacks. These forgery attacks require the administrator to be tricked into clicking on a link by phishing or by link hiding.
  7. Malicious files can be upload via backend – APPSEC-1306
    An administrator can upload a file containing executable code to the server as a logo file if they rename the file to a supported image file format. The issue is not exploitable by itself unless the administrator account that has access to configuration is hacked. However, site audits may flag this issue, and it can cause security audits (such as PCI) to fail.
  8. CSRF leading to execution of admin actions after login – APPSEC-1179
    A user can execute a CSRF attack on URLs that result in a server-side action (such as deleting customers) when the administrator is logged out. This action is not executed until the administrator logs in after the attack. The attack relies upon phishing — that is, it requires the administrator to click on a malicious link — and requires the administrator to log in after the attack.
  9. Excel Formula Injection via CSV/XML export – APPSEC-1110
    We have found an additional attack path not covered by issue APPSEC-978, which was resolved in patch https://magento.com/security/patches/supee-5994 for Magento 1.x. A user can provide input that executes a formula when exported and opened in a spreadsheet such as Microsoft Excel. This formula could modify data, export personal data to another site, or cause remote code execution. The spreadsheet typically displays a warning message, which the user must dismiss, for the attack to succeed.

    Note: The code that protects against this attack modifies the exported file by prepending some fields with a space. As a result, this fix can lead to data inconsistency. (Data inconsistency might occur when fields, such as product name or description, start with a =, + or - sign.)

    If this fix causes problems with your data processing, you can disable it. Be aware, however, that this protection is enabled by default. Disabling it can lead to an increased security risk.

    To disable this fix, log in to the Admin Panel, then use the System tab to navigate to the Escape CSV Fields setting.

  10. XSS in Product Custom Options – APPSEC-1267
    When using products with custom option for file upload, a user can upload a file with a file name that contains JavaScript code. This code could be executed in the Admin Panel context by editing the quote that contains the product, allowing both for the takeover of an administrator session or for an unauthorized user to execute malicious actions on behalf of an administrator.
  11. Editing or Deleting Reviews without permission – APPSEC-1268
    Insufficient verification of request parameters allows any user to delete or edit product reviews. The edited reviews are returned to a pending state. This attack does not depend on the setting that allows guest users to post reviews. As a result, a malicious user could use the store for spamming purposes or delete all reviews from the store.
  12. Disruption of email delivery – APPSEC-1177
    An error in the email address associated with a store newsletter can interfere with the sending of newsletter email. This error can constitute a Denial of Service attack. In some cases, including accented characters can generate this error.
  13. CAPTCHA Bypass – APPSEC-1283
    A user can bypass CAPTCHA validation on the Magento frontend, which enables unrestricted password guessing attempts. Even with CAPTCHA protection enabled, this increases the risk of spam or password guessing attacks on customer accounts.
  14. Admin path disclosure via Authorize.net – APPSEC-1208
    A user can identify the URL for the Magento Admin Panel by calling Authorize.net payment module URLs. While exposure of the Admin path isn’t a direct security issue, it makes it easier to carry out other malicious attacks, including password guessing or phishing.
  15. XSS Payload in website’s translation table – APPSEC-1214
    When inline translations are enabled on the frontend, a user can inject a translation string that contains JavaScript code. This JavaScript code will be later included and executed on the affected pages for all users, which can lead to a session takeover or an information disclosure. This is a low risk issue as inline translations should never be enabled without limits on a production site.
  16. CSRF Delete Items from Cart – APPSEC-1212
    Magento does not validate the form key when deleting items from the shopping cart using a GET request. As a result, an attacker could use phishing emails or other malicious tricks to make a customer delete items from their cart.
  17. XSS via custom options – APPSEC-1276
    A user can insert XSS JavaScript into a custom option title when creating it on the server side. The code can then be executed on the Magento frontend. Although this vulnerability does not directly enable a malicious attack on a store, such unvalidated input should not be allowed in a Magento installation.
  18. Risky serialized string filtering – APPSEC-1204
    Magento includes code to sanitize serialized strings and raises errors when an object is included. This code potentially allows specially crafted serialized objects to be unserialized by Magento, which can lead to possible malicious code execution. While the issue itself is not exploitable, a user can combine it with other attacks to support remote code execution.
  19. Reflected XSS in backend coupon entry – APPSEC-1305
    When working with an order that contains items in the shopping cart, an administrator can enter JavaScript into the coupon code field of the Manage Shopping Cart page. This JavaScript can be executed later. While this is not an exploitable security issue on its own, site audits may flag it, and it can cause security audits (such as PCI) to fail.
  20. Injected code can be stored in database – APPSEC-1240
    JavaScript code that is passed using the Payflow Pro payment module is not sanitized but is saved to the database. This issue by itself is not a security risk. (This issue is related to APPSEC-1239.)

Additionally, the patch resolves issues identified by Magento merchants after installing previous security patches:

  • URLs are redirected to 404 page or installer
  • Caching issues when running PHP 5.3.3 without PHP-FPM
  • Block permissions code issue
  • Password forgotten link redirects to login page
  • Administrator password can be reused (Enterprise Edition only)

WordPress XML-RPC Brute Force Attacks With Multiple Logins

Recently, my WordPress site was attacked by an XML-RPC brute force. I would like to know how to protect against this kind of attack, or whether there is any patch I can install.

Brute-force attacks are among the oldest and most common types of attack, and they are launched against every CMS. XML-RPC is a simple, portable way to make remote procedure calls over HTTP. It can be used with Perl, Java, Python, C, C++, PHP and many other programming languages, and WordPress, Drupal and most other content management systems support it. One lesser-known XML-RPC feature is the system.multicall method, which executes multiple method calls inside a single request. Using it, an attacker can try thousands of passwords with only three or four HTTP requests, which also defeats any rate limit that counts HTTP requests rather than login attempts.

You can use the following methods to protect your site.

1. If you have a dedicated server, you can install OSSEC.
2. If you don't need XML-RPC, block all access to xmlrpc.php.
3. If you can't block XML-RPC entirely, block system.multicall requests only.
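Option 3 above, and item 7 of the SUPEE-7405 summary earlier on this page (Zend_Xml_Security scanning XML for XXE and XEE), are both checks on an XML request body before anything parses it in earnest. The following inspector is an added example written for this page, not code from WordPress or from Zend Framework: it rejects any DOCTYPE or ENTITY declaration, which is the pre-parse test Zend_Xml_Security applies, and it refuses system.multicall while reporting how many credential-bearing calls the envelope packed in, i.e. how many password guesses that single request would have made. The function names, the sample pingback, the XXE body and the attacker.example/blog.example hosts are constructed for the demo.

```python
"""Added example, not WordPress's or Zend's code: an inspector for requests
to /xmlrpc.php that a reverse proxy or WAF hook could run before the body
reaches PHP.
"""
import re
import xml.etree.ElementTree as ET

# Entity/DOCTYPE declarations have no place in XML-RPC; their presence is the
# signal to drop the request before an XML parser ever sees it (XXE/XEE).
DTD_RE = re.compile(rb"<!(?:DOCTYPE|ENTITY)", re.IGNORECASE)

# Every method in these WordPress namespaces takes username and password as
# its first parameters, so each nested call is one login attempt.
CREDENTIALED_PREFIXES = ("wp.", "blogger.", "metaWeblog.", "mt.")


def method_name(call):
    """Text of the <methodName> child of a <methodCall> element, or ''."""
    node = call.find("methodName")
    return (node.text or "").strip() if node is not None else ""


def nested_methods(root):
    """Method names packed into a system.multicall envelope."""
    names = []
    for struct in root.iterfind("params/param/value/array/data/value/struct"):
        for member in struct.iterfind("member"):
            if member.findtext("name") == "methodName":
                names.append((member.findtext("value/string") or "").strip())
    return names


def inspect_xmlrpc(body):
    """Decide whether to pass body on. Returns (allow, reason, guesses)."""
    if DTD_RE.search(body):
        return False, "DTD/entity declaration (XXE/XEE)", 0
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False, "malformed XML", 0
    if root.tag != "methodCall":
        return False, "not a methodCall", 0
    top = method_name(root)
    if top != "system.multicall":
        return True, top, 0
    guesses = sum(1 for m in nested_methods(root) if m.startswith(CREDENTIALED_PREFIXES))
    return False, f"system.multicall carrying {guesses} credentialed calls", guesses


def build_multicall(creds):
    """Constructed attacker request: one envelope, one wp.getUsersBlogs per guess."""
    calls = "".join(
        "<value><struct>"
        "<member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>"
        "<member><name>params</name><value><array><data>"
        f"<value><string>{user}</string></value><value><string>{pw}</string></value>"
        "</data></array></value></member>"
        "</struct></value>"
        for user, pw in creds
    )
    return (
        '<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName>'
        "<params><param><value><array><data>" + calls +
        "</data></array></value></param></params></methodCall>"
    ).encode()


# Constructed samples: a legitimate pingback, and an XXE attempt built on it.
PINGBACK = (
    b'<?xml version="1.0"?><methodCall><methodName>pingback.ping</methodName>'
    b"<params><param><value><string>http://source.example/post</string></value></param>"
    b"<param><value><string>http://blog.example/post</string></value></param></params></methodCall>"
)
XXE = (
    b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY e SYSTEM "file:///etc/passwd">]>'
    b"<methodCall><methodName>pingback.ping</methodName>"
    b"<params><param><value><string>&e;</string></value></param></params></methodCall>"
)

if __name__ == "__main__":
    brute = build_multicall([("admin", f"Password{i}") for i in range(1000)])
    for label, body in (("pingback", PINGBACK), ("xxe", XXE), ("multicall", brute)):
        print(label, inspect_xmlrpc(body))
```

Log the guess count: one blocked request that carried a thousand wp.getUsersBlogs calls is the evidence that per-request rate limiting alone was not protecting the login. Inside WordPress itself the equivalent of option 3 is to remove system.multicall from the list returned by the xmlrpc_methods filter.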

What Is Magento Security Patch – SUPEE-1533

A security patch, SUPEE-1533, for Magento was released on 3 Oct 2014. What has been changed, and are there any known exploits for Magento?

Magento released a new security patch, SUPEE-1533, with multiple critical security fixes. Patch SUPEE-1533 addresses two potential remote code execution exploits.

Version: Magento Community / Enterprise Edition
Issues addressed with patch:
  1. Remote code execution exploits, which
    1. Enable an attacker to execute arbitrary code on your Magento server.
    2. Create files with a .csv extension, create writable directories, and change the permissions of existing files to world-writable (777).

What Will Be The Major Changes From Magento Patch Security SUPEE-5344

What will be the major changes in the files after installation of patch SUPEE-5344 for Magento? I mean, are there any particular file permission changes or something like that?

This patch addresses a specific remote code execution (RCE) vulnerability known as the “shoplift bug” that allows hackers to obtain Admin access to a store.

Version: Magento Community / Enterprise Edition
Issues addressed with patch:
  1. Remote Code Execution
    An authentication bypass uses a special parameter that allows the execution of an Admin action. The Admin action is vulnerable to SQL injection, which allows code to be inserted into the database and executed. As a result, the store can be fully compromised by creating counterfeit administrator accounts and/or installing malware on the server.

What Is Magento Security Patch – SUPEE-5994

A security patch, SUPEE-5994, for Magento was released on 14 May 2015. What has been changed, and are there any known exploits for Magento?

Magento released a new security patch, SUPEE-5994, with multiple critical security fixes. Patch SUPEE-5994 addresses a range of issues, including scenarios where attackers can gain access to customer information.

Version: Magento Community / Enterprise Edition
Issues addressed with patch:
  1. Admin Path Disclosure
    An attacker can force the Admin Login page to appear by directly calling a module, regardless of the URL. This exposes the Admin URL on the page, and makes it easier to initiate password attacks.
  2. Customer Address Leak through Checkout
    Enables an attacker to obtain address information (name, address, phone) from the address books of other store customers.
    During the checkout process, the attacker can gain access to an arbitrary address book by entering a sequential ID. No payment information is returned. The only requirement for the attacker is to create an account in the store, put any product into the cart, and start the checkout process.
    This attack can be fully automated, and a functional proof of concept exists.
  3. Customer Information Leak through Recurring Profile
    This issue enables attacker to obtain address (name, address, phone), previous order (items, amounts) and payment method (payment method, recurrence) information from the recurring payment profiles of other store customers.
    The attacker just creates an account with the store. While viewing their own recurring profile, the attacker can request an arbitrary recurring profile using a sequential ID. The information is then returned to the attacker.
    This attack can be fully automated, and a manual proof of concept exists.
  4. Local File Path Disclosure Using Media Cache
    Attacker can use fictitious image URLs to generate exceptions that expose internal server paths, regardless of settings.
  5. Cross-site Scripting (XSS) Using Magento Downloader
    This issue enables an attacker to execute JavaScript code within the context of a Magento Connect Manager session. If the administrator clicks a malicious link, the session can be stolen, and malicious extensions installed.
  6. Cross-site Scripting (XSS) Using Magento Downloader
    This issue enables an attacker to execute JavaScript code within the context of a Magento Connect Manager session. If the administrator clicks a malicious link, the session can be stolen, and malicious extensions installed.
  7. Spreadsheet Formula Injection
    Attacker can provide input that executes a formula when exported and opened in a spreadsheet such as Microsoft Excel. The formula can modify data, export personal data to another site, or cause remote code execution. The spreadsheet usually displays a warning message, which the user must dismiss for the attack to succeed.
  8. Cross-site Scripting Using Authorize.Net Direct Post Module
    Enables an attacker to execute JavaScript in the context of a customer session. If a customer clicks a malicious link, the attacker can steal cookies and hijack the session, which can expose personal information and compromise checkout.
  9. Malicious Package Can Overwrite System Files
    An attacker can publish a malicious extension package. When the package is installed by a customer, it can overwrite files on the server. The attacker must first publish a package, and then entice a customer to install it. The package might contain a malicious payload as well.

What Magento Has Been Changed With SUPEE-6285

A new security patch, SUPEE-6285, for Magento was released on 7 July 2015. I would like to know what has been changed and whether there are any known exploits of Magento.

The patch – SUPEE-6285 addresses 8 issues with both products.

Version: Magento Community / Enterprise Edition
Issues addressed with patch:
  1. Customer Information Leak via RSS and Privilege Escalation
    Improper check for authorized URL leads to customer information leak (order information, order IDs, customer name). Leaked information simplifies attack on guest Order Review, which exposes customer email, shipping and billing address. In some areas, the same underlying issue can lead to privilege escalation for Admin accounts.
  2. Request Forgery in Magento Connect Leads to Code Execution
    Cross-site request forgery in Magento Connect Manager allows an attacker to execute actions such as the installation of a remote module that leads to the execution of remote code. The attack requires a Magento store administrator, while logged in to Magento Connect Manager, to click a link that was prepared by the attacker.
  3. Cross-site Scripting in Wishlist
    This vulnerability makes it possible to include an unescaped customer name when Wishlist emails are sent. By manipulating the customer name, an attacker can use the store to send spoofing or phishing emails.
  4. Cross-site Scripting in Cart
    The redirection link on an empty cart page uses non-validated user input, which makes it possible to use URL parameters to inject JavaScript code into the page.
    Cookies and other information can be sent to the attacker, who can then impersonate the customer.
  5. Store Path Disclosure
    Directly accessing the URL of files that are related to Magento Connect produces an exception that includes the server path. The exception is generated regardless of the configuration settings that control the display of exceptions. There is a low risk of attackers gaining a sufficient understanding of the site structure to target an attack.
  6. Permissions on Log Files too Broad
    Log files are created with permission settings that are too broad, which allows them to be read or altered by another user on the same server. The risk of an internal information leak is low.
  7. Cross-site Scripting in Admin
    An attacker can inject JavaScript into the title of a Widget from the Magento Admin. The code can be later executed when another administrator opens the Widget page.
    The risk requires the attacker to have administrator access to the store. However, when executed, the attacker can take over other administrator accounts.
  8. Cross-site Scripting in Orders RSS
    The vulnerability allows an attacker to include an unescaped customer name in the New Orders RSS feed. By manipulating the customer name, an attacker can inject incorrect or malicious data into the feed, and expose the store to risk.

What Is Magento Security Patch SUPEE-6482

There was a new security patch, SUPEE-6482, released on 4 Aug 2015. I would like to know what possible attacks could affect an unpatched shop, and the worst that could happen.

The patch SUPEE-6482 does not address the same 4 issues in both products: it addresses 2 issues in Community Edition and 4 issues in Enterprise Edition.

Version: Magento Community Edition
Issues addressed with patch:
  1. Autoloaded File Inclusion in Magento SOAP API
    Incorrect validation of a SOAP API request makes it possible to autoload code. The exploit requires the attacker to first log in with API credentials. Depending on the PHP version and/or configuration settings, code can then be loaded from a remote location.
  2. SSRF Vulnerability in WSDL File
    Incorrect encoding of API password can lead to probing internal network resources or remote file inclusion.
Version: Magento Enterprise Edition
Issues addressed with patch:
  1. Autoloaded File Inclusion in Magento SOAP API
    Incorrect validation of a SOAP API request makes it possible to autoload code. The exploit requires the attacker to first log in with API credentials. Depending on the PHP version and/or configuration settings, code can then be loaded from a remote location.
  2. SSRF Vulnerability in WSDL File
    Incorrect encoding of API password can lead to probing internal network resources or remote file inclusion.
  3. Cross-site Scripting Using Unvalidated Headers
    Unvalidated host header leaks into response and page. Because the page can be cached, this leak poses a risk for all store customers because any HTML or JavaScript code can be injected. Such an exploit works only with specific server configurations, and allows an attacker to intercept a session or modify a page with fake credit card forms, etc.
  4. XSS in Gift Registry Search
    This cross-site scripting vulnerability affects registered users. The attack goes through an unescaped search parameter, with a risk of cookie theft and impersonation of the user.


Zero Day Vulnerability in FancyBox for WordPress

A serious zero-day vulnerability (a hole in software that is unknown to the vendor and is exploited by attackers before the vendor becomes aware of it and hurries to fix it) has been discovered in the FancyBox for WordPress plugin. An initial fix has been released, so if you use this plugin on any of your sites, please update immediately to at least version 3.0.4.