Magento Forum

Varian care to comment on any of the security issues with Magento? 
 
gfxguru
Sr. Member
 
Total Posts:  186
Joined:  2008-11-20
 

I’d really like to know why they avoid it. I cannot believe some big-time merchant is truly considering this a secure ecommerce platform.

hydra
Guru
 
Total Posts:  378
Joined:  2008-08-26
Amsterdam
 

Maybe you can tell us what security issue’s you are referring to?

gfxguru
Sr. Member
 
Total Posts:  186
Joined:  2008-11-20
 

I’m sorry, I’m just a bit upset. Looking at the latest update I know the team is working hard to fix some of the issues with Magento, but I believe they’ve taken another route to this truly remaining an open source platform. Money takes precedence over everything, I realize, but ..... I better stop here.

I’m just so pissed at how much time and development effort it would take to repair a merchants site that I recommended Magento on.

I’m looking into updating now, so I’ll save some of my comments for a later time. The thing is, I don’t see anywhere in the resolved issues some of the security concerns that I, along with others, have addressed within this thread.

gfxguru
Sr. Member
 
Total Posts:  186
Joined:  2008-11-20
 

Also, this forum needs to be replaced with something that’s going to withstand the usage. This has got to be the worst forum as far as response times for browsing and submitting.

Web2Market
Jr. Member
 
Total Posts:  20
Joined:  2008-10-25
Alsip, IL
 

I’m confused. There were 4 messages in this thread (now 5) and 3 of them were from you, but none of them mention any specific security issues. What are they?

J_T_
Moderator
 
Total Posts:  1961
Joined:  2008-08-07
London-ish, UK
 

I’m with amiller. What are you talking about gfxguru?

Dannyz1984
Sr. Member
 
Total Posts:  153
Joined:  2009-04-12
 

You’ve got a sanitized search bar; there’s no other user input from the client’s end that I can think of off the top of my head that would pose a security risk.

I think all core files are 403 forbidden.

Other general things you should be worried about as security issues are brute-force attacks on the admin backend

and DoS attacks.

Incognito
Guru
 
Total Posts:  322
Joined:  2008-08-07
Michigan
 

Cross Site Scripting (XSS) Vulnerability
But those have been fixed

You can set Magento up so that security vulnerabilities will not really cause much of a disturbance. Just keep a backup on the server ready to go, e.g. www and wwwbk. If something bad happens you can just change the name of www to wwwBAD and wwwbk to www, and load the backup of the db. Also make sure that your file permissions are set up correctly, no chmod -R 777 www. This means that you will not be able to use Magento Connect to install extensions unless you temporarily change file permissions. Also, don’t store the cc #s.

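The swap-and-restore layout described in the post above, scripted as an added example (this is not code from the thread, from Incognito, or from Magento). It assumes a parent directory holding the live docroot `www` next to a clean spare `wwwbk`, a known-good SQL dump, and placeholder DB credentials (`MAGENTO_DB_USER`, `MAGENTO_DB_NAME`); in place of `chmod -R 777` it counts world-writable entries, which on a correctly set up docroot should be zero.

```shell
#!/bin/sh
# Added example, not code from the thread or from Magento: scripts the recovery
# layout described in the post (live www beside a clean wwwbk spare, swap on
# incident, reload the DB dump) and replaces "chmod -R 777" with a check for
# world-writable files. Directory layout, file names and DB credentials are
# assumptions for the demo.

# Count entries under $1 that any user on the box may write to (mode bit o+w).
# Magento needs var/ and media/ writable by the web-server user only, so the
# expected count on a properly permissioned docroot is 0.
count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Move the suspect docroot aside (kept, not deleted, so it can be examined) and
# put a copy of the clean spare in its place. $1 is the parent directory that
# holds www and wwwbk. Prints the path the suspect tree was moved to.
swap_to_backup() {
    parent="$1"
    if [ ! -d "$parent/wwwbk" ]; then
        echo "no clean copy at $parent/wwwbk" >&2
        return 1
    fi
    stamp=$(date +%Y%m%d%H%M%S)
    mv "$parent/www" "$parent/wwwBAD-$stamp"
    cp -Rp "$parent/wwwbk" "$parent/www"   # copy, so wwwbk stays available as a spare
    echo "$parent/wwwBAD-$stamp"
}

# Build (but do not run) the command that reloads the last known-good DB dump.
# MAGENTO_DB_USER / MAGENTO_DB_NAME are placeholders for the store's real values.
db_restore_cmd() {
    printf 'mysql -u %s -p %s < %s\n' "MAGENTO_DB_USER" "MAGENTO_DB_NAME" "$1"
}

# Constructed demo: a tampered docroot beside a clean copy, in a temp directory.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/www/app/etc" "$tmp/wwwbk/app/etc"
    echo "tampered" > "$tmp/www/app/etc/local.xml"
    echo "clean" > "$tmp/wwwbk/app/etc/local.xml"
    chmod 777 "$tmp/www/app/etc/local.xml"   # the kind of mode chmod -R 777 leaves behind

    echo "world-writable entries before swap: $(count_world_writable "$tmp/www")"
    bad=$(swap_to_backup "$tmp")
    echo "suspect tree kept at: $bad"
    echo "live local.xml now reads: $(cat "$tmp/www/app/etc/local.xml")"
    echo "world-writable entries after swap: $(count_world_writable "$tmp/www")"
    echo "next step: $(db_restore_cmd /backups/magento-known-good.sql)"
    rm -rf "$tmp"
}

demo
```

The swap copies `wwwbk` rather than renaming it, so the spare survives a second incident; the suspect tree is kept under a timestamped `wwwBAD-*` name so it can be compared against the clean copy before it is discarded.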
JLHC
Mentor
 
Total Posts:  1287
Joined:  2008-05-09
Tampa, FL
 
Incognito - 22 October 2009 06:11 AM

Also make sure that your file permissions are set up correctly, no chmod -R 777 www. This means that you will not be able to use Magento Connect to install extensions unless you temporarily change file permissions.

Actually this only applies to hosting providers who are not running suPHP/suEXEC, which is a big headache to users as it may pose some security risks to the hosting users.

gfxguru
Sr. Member
 
Total Posts:  186
Joined:  2008-11-20
 

Brute force attack? And has the team truly fixed the XSS vulnerabilities?

Has anyone run a scan from a third party PCI compliance org…

kab8609
Enthusiast
 
Total Posts:  821
Joined:  2009-04-07
Cleveland
 

Yeah, I get that stupid e-mail once a week. It hasn’t failed yet.
