Browsing articles in "Security"
Apr 28, 2019
kalpesh

Magento Imagine Dev Exchange 2019

Magento Imagine 2019 is just 2 weeks away, I cannot wait any longer now! This year would be crazy for me, as I am participating in Contribution Days as a Maintainer that happens on Saturday and Sunday before the conference, and also hosting a Dev Exchange table after the conference on Wednesday. Also, this would be my first Imagine from agency side, so things would be different.

As many of you know, I have advocated Magento Security for quite a while now. From submitting core security bugs to adding an entire Security topic in the Magento 2 Professional Developer Plus certification, I realized there is many more things to do. This year I am going to host Dev Exchange where I will share my security ideas and also get ideas and feedback from the community. One very important thing that we would address this year is third-party extensions security. Pablo Benitez, CTO at eBizmarts, will join me bringing in business perspective when talking about third-party extension security. Talesh Seeparsan will bring his past Dev Exchange experiences on security and help us in guiding and noting down all the ideas and feedback that we would discuss with all the participants.

If you are coming to Magento Imagine and would stay little late on Wednesday, please stop by our Dev Exchange table and join the conversation. Here is the topic and details we submitted for Magento Imagine Dev Exchange 2019:

 

 

Make Magento more secure

It’s 2019 and security is a top priority of Magento/Adobe. Every participant in the ecosystem has their part to play to keep merchant stores secure. Let us discuss current low hanging fruits in the ecosystem and share strategies/tools for managing them effectively. For each item we will outline the topic and it’s security shortcomings then begin a deeper investigation into solutions with knowledge and idea sharing before moving to the next one. This is a co-hosted panel: Kalpesh Mehta leading with deep technical security experience and Pablo Benitez bringing the experience and technical/business concerns from an extension developer for a fully rounded conversation. Special thanks to Talesh Seeparsan and Kristof Ringleff for bringing their past Dev Exchange experience around extension security.

1.) Extension Developers write secure code.

With the proactive and nimble approach Magento has taken to core security, many time agencies and merchants find external 3rd party extensions makers have not put in as much effort. How can we encourage their developers to take a more secure coding approach? Can Magento community maintain secure coding practices document like technical guidelines, security? Validate code using a tool like PHP CodeSniffer ? What solutions already exist that we can rely on? What processes already exist that we can implement?

 

2.) Better ways to report vulnerabilities on a merchant’s site

Magento has a bug bounty program to report vulnerabilities in their code and websites. If a user or security researcher finds vulnerabilities in some Magento powered web store, not owned by Magento – an Adobe company, how can they reach out to the right person on the merchant’s team? How to pass the information given the sensitive nature of the issue? Should Magento accept security.txt standard?

 

3.) Code review in community submitted Pull Requests

Is Magento doing security code review when someone submits a PR to core code? What to check for when doing code reviews to identify security risks?

 

4.) Add Security topics in Developer certifications

Magento has already included Security topic in Magento 2 Professional Developer Plus exam. Can we ask Magento to include Security in Associate as well as Developer exam? Can it help developers learn security best practices?

 

All recommendations and suggestions will be documented and shared with the Magento security team and the community afterwards. Remember to keep the privacy of your client intact while discussing vulnerabilities and attacks.

Nov 17, 2016
kalpesh

Magento: Multiple security vulnerabilities in Aheadworks Follow up Email extension

IMPORTANT: If you are using this extension in any of the Magento store, please patch or upgrade it immediately if you have not done it yet. You can find more details on the affected versions and patches here:
https://blog.aheadworks.com/2016/10/security-issue-follow-up-email-vulnerability/
https://blog.aheadworks.com/2016/10/follow-email-security-patch/

While modifying Aheadworks follow up extension on our store to meet our specific requirements, I discovered multiple security vulnerabilities in the extension. As the vulnerabilities were pretty serious, I immediately sent my discoveries to Magento team which they promptly sent to Aheadworks team. Aheadworks was quick enough to fix the vulnerabilities and rolled out the patches.

Link of the extension in Magento Marketplace:
https://marketplace.magento.com/aheadworks-follow-up-email.html
It allows store owners to send automated emails to customers who had abandoned their cart.
Aheadworks follow up email extension

All the below vulnerabilities were found in the extension.

1. SQL injection
2. Directory Traversal vulnerability
Attacker can traverse to any directory on the server. In earlier PHP versions (prior to 5.3.4), attacker can read any file on server including /etc/passwd
3. Unrestricted Directories creation
Attacker can create any number of directories and subdirectories with their desired name wherever web server has permissions

I will not disclose any technical details and PoC of the vulnerabilties here to prevent wild exploits on Magento websites having this extension installed.

Timeline:
Oct 6, 2016 – Discovered the SQL injection vulnerability
Oct 6, 2016 – Emailed the vulnerability to Magento security and marketplace team
Oct 7, 2016 – Emailed the vulnerability to Magento team
Oct 7, 2016 – Magento forwarded my discoveries to Aheadworks team
Oct 11, 2016 – Aheadworks released new version 3.6.6 and patch for older versions of the extension
Oct 25, 2016 – Found further vulnerabilities on the same controller action, this time Directory Traversal and Unrestricted Directories creation vulnerabilities
Oct 25, 2016 – Emailed the details to Magento team, they promptly notified to Aheadworks team
Oct 27, 2016 – Fixed the vulnerabilities in new version 3.6.7 and released the patch for older versions

Welcome to my Blog

Kalpesh MehtaHelping Magento developers in their day-to-day development problems since 2011. Most of the problems and solutions here are my own experiences while working on different projects. Enjoy the blog and don't forget to throw comments and likes/+1's/tweets on posts you like. Thanks for visiting!

Certifications

Recognition

Magento top 50 contributors

Honor

Contributions