Magento Worst Practice (Meet Magento Poland 2016)

During years of working with Magento, Andreas von Studnitz has seen a lot of Magento shops. Not all of them were in a good shape, and this presentation will expose the most hair-raising issues. Some problems are obvious, some are not, but all are either dangerous, make Magento slow or are extremely ugly. Learn how to avoid the worst mistakes when setting up and running Magento.

Published in: Internet
  1. Magento Worst Practice (Andreas von Studnitz - @avstudnitz)
  2. Andreas von Studnitz: Magento since 2008. Developer, Consultant, Trainer. Co-Founder integer_net, Aachen, Germany.
  3. Problems
  4. Small Problems
     • Bad code quality
     • Low performance
     • Conflicting modules
     • Hard to update
  5. Small Problems
     • Outdated Magento version
     • Not patched
     • Conflicting modules
     • Low performance
     • Hard to update
  6. [image slide, no text]
  7. Real™ Problems: Security
  8. [image slide, no text]
  9. 17/11/2015
  10. Customer data and passwords stolen. lib/Varien/Object.php:
  11. Usernames and passwords stolen
  12. Site hacked / encrypted
  13. [image slide, no text]
  14. Top 10 Worst Magento Practices
  15. Top 10 Worst Magento Practices #10: Downloadable Code
  16. Protect your .git folder (if you have any)
  17. Don't put your code on GitHub unprotected!
  18. Top 10 Worst Magento Practices #9: Downloadable Data
  19. [image slide, no text]
  20. email address, name, company, password (hashed), order items (1264 lines). Full (outdated) database dump
  21. But if you don't know the filename, these issues cannot be exploited! http://www.seochat.com/c/a/google-optimization-help/hiding-your-sensitive-data-from-google-and-the-world/ http://securityxploded.com/bruteforcing-filenames-on-webservers-using-dirbuster.php ?
  22. Don't put your database dumps on GitHub!
  23. Please!
  24. Top 10 Worst Magento Practices #8: Unprotected Executables
  25. Import script; triggers reindexing. Imports database from file.
  26. • Don't call your scripts from the browser; use the shell instead
     • Put your executables into "shell" instead of the main directory
     • Remove unneeded scripts
  27. Top 10 Worst Magento Practices #7: Unprotected Database Credentials
  28. Don't remove the protection of app/etc/local.xml!
  29. Don't put your local.xml on GitHub!
  30. Top 10 Worst Magento Practices #6: Unsecured Admin
  31. • Don't use the default admin username / password
     • Don't use common usernames and passwords
     • Change the admin URL
     • Remove the Magento Connect Manager ("downloader")
  32. Top 10 Worst Magento Practices #5: Unsecured Tools
  33. Don't leave your management tools unprotected! Update your tools!
  34. Top 10 Worst Magento Practices #4: Patches not applied
  35. Example: Shoplift Bug (patched February 2015)
  36. Magento shops vulnerable to Shoplift: 50,581 (out of 255,558). Source: byte.nl, April 2016
  37. Top 10 Worst Magento Practices #3: Insecure Modules
  38. [image slide, no text]
  39. Top 10 Worst Magento Practices #2: Database Tools
  40. [image slide, no text]
  41. If you have a DB management tool freely accessible, at least pre-fill access data! </irony>
  42. Top 10 Worst Magento Practices #1
  43. [image slide, no text]
  44. [image slide, no text]
  45. No comment.
  46. Top 10 Worst Magento Practices #1: Backdoors
  47. That's it? Yes. For now. Looking for more examples
  48. Real™ Problems:
     • Stolen user data
     • Stolen payment data
     • Server misused by hackers
     • Server unavailable
     • Server held to ransom
  49. Security Basics
     • "Security by Obscurity" doesn't work
     • Keep your stuff up to date
     • Stay informed
     • For all freely accessible files, double check if they can be misused
     • Don't trust easily
     • Do code reviews!
     • Recommendation: www.magereport.com
  50. [image slide, no text]
  51. Thank you! Please contact me! @integer_net www.integer-net.com @avstudnitz avs@integer-net.com
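Slides 16 to 41 all describe the same failure class: files that should never be reachable through the web server sitting inside the document root (.git, database dumps, one-off import scripts, app/etc/local.xml, the Connect Manager, phpMyAdmin). The following script is an added example, not part of the talk or of Magento itself; it audits a Magento 1 document root for exactly those exposures so the check can run before each deployment. It assumes the Magento 1 directory layout and Apache with .htaccess (on nginx the protection of app/etc/local.xml lives in the server configuration instead); the allow-list of top-level entry points and the file-name patterns are assumptions to extend for your own setup.

```shell
#!/bin/sh
# Added example, not part of the talk: audit a Magento 1 document root for the
# exposure classes in the slides (#10 .git in the web root, #9 database dumps,
# #8 stray executables, #7 unprotected app/etc/local.xml, #6 leftover
# Magento Connect Manager, #2 database tools). Assumptions: Magento 1 directory
# layout, Apache with .htaccess (on nginx the local.xml protection is in the
# server config instead), and the name patterns below are a starting list.
#
# Prints one "FINDING:" line per problem on stderr and the total count on
# stdout, so it works both interactively and as a deployment gate.

audit_docroot() {
    docroot="$1"
    findings=0

    # #10 Downloadable code: a .git directory served from the web root exposes
    # the whole history, including deleted files and any credentials once committed.
    if [ -d "$docroot/.git" ]; then
        echo "FINDING: $docroot/.git is inside the web root" >&2
        findings=$((findings + 1))
    fi

    # #9 Downloadable data: dumps and archives anywhere under the web root.
    dumps=$(find "$docroot" -type f \( -name '*.sql' -o -name '*.sql.gz' \
            -o -name '*.tar.gz' -o -name '*.zip' \) -print)
    if [ -n "$dumps" ]; then
        printf 'FINDING: possible dump or archive:\n%s\n' "$dumps" >&2
        findings=$((findings + $(printf '%s\n' "$dumps" | wc -l)))
    fi

    # #8 Unprotected executables: PHP files in the top-level directory other
    # than Magento 1's own entry points (assumed allow-list below).
    for f in "$docroot"/*.php; do
        [ -e "$f" ] || continue
        case "$(basename "$f")" in
            index.php|cron.php|get.php|api.php|install.php) ;;
            *) echo "FINDING: stray executable in web root: $f" >&2
               findings=$((findings + 1)) ;;
        esac
    done

    # #7 Database credentials: app/etc/local.xml is only safe while
    # app/etc/.htaccess still denies access (Apache 2.2 "Deny from all"
    # or Apache 2.4 "Require all denied").
    if [ -f "$docroot/app/etc/local.xml" ]; then
        ht="$docroot/app/etc/.htaccess"
        if ! { [ -f "$ht" ] && grep -Eqi 'Deny from all|Require all denied' "$ht"; }; then
            echo "FINDING: app/etc/local.xml present but app/etc/.htaccess does not deny access" >&2
            findings=$((findings + 1))
        fi
    fi

    # #6 Unsecured admin: the Magento Connect Manager ("downloader") should be removed.
    if [ -d "$docroot/downloader" ]; then
        echo "FINDING: Magento Connect Manager still present at $docroot/downloader" >&2
        findings=$((findings + 1))
    fi

    # #2 Database tools: phpMyAdmin / Adminer dropped into the web root.
    tools=$(find "$docroot" -maxdepth 2 \( -iname 'phpmyadmin*' -o -iname 'adminer*' \) -print)
    if [ -n "$tools" ]; then
        printf 'FINDING: database tool reachable from the web root:\n%s\n' "$tools" >&2
        findings=$((findings + $(printf '%s\n' "$tools" | wc -l)))
    fi

    echo "$findings"
}

# Usage: sh audit_docroot.sh /var/www/magento   (non-zero exit when anything was found)
if [ "$#" -gt 0 ]; then
    total=$(audit_docroot "$1")
    echo "Findings: $total"
    [ "$total" -eq 0 ]
fi
```

The script only inspects the file system, so it cannot tell whether the web server actually serves a given path; treat a clean result as a necessary condition, and confirm the server-side denies (app/etc, shell/, .git) with a request against a staging host as part of the same check.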