Peter O'Callaghan

Thoughts on Development, Magento and Security
  • email
  • twitter
  • Home
  • About
Select Page ...

Logs, Logs, Wherefore Art Thou Logs?

December 6, 2017 Magento

The recently released SUPEE-10415 patch introduced some changes relating to validation of the log file paths before writing to them (APPSEC-1913). There is one side affect of these changes that I’ve not seen anybody talking about so I thought I’d write this post. The consequence I’m refering to is caused by this change, in Mage.php:

Continue Reading →

APPSEC-1281 and Dangerous Symlinks?

June 1, 2017 Uncategorized

With the release of SUPEE-9767 there seems a lot of confusion around APPSEC-1281 and how and/or why symlinks are dangerous or being exploited. I’m going to try and add some clarification (or you know, muddy the waters even more if I’m wrong). What’s the Exploit As far as I’m aware, symlinks in themselves are not

Continue Reading →

My Magento Imagine 2017

April 20, 2017 Uncategorized

Since everyone else in the Magento community seems to be blogging about their experiences at Magento Imagine, I decided I should probably break my dry spell (of posting updates, don’t worry, I haven’t stopped drinking) and do the same. After all, just like the next man, I don’t like missing out on any passing fad.

Continue Reading →

Hijacking the Key(s) to the (Magento) Kingdom

February 12, 2017 Uncategorized

Over the last few years, Magento has gradually increased protection against CSRF attacks. The most common defence against such attacks is to require a form key (a randomly generated string, unique to the session) to be submitted with all actions that perform update/insert commands on the server. In version 1.8.0.0 this protection was implemented for

Continue Reading →

2016 - A Year in Review

January 2, 2017 Uncategorized

After seeing a bunch of ‘year in review’ articles last year. I decided I’d take a crack at it myself this year. Since I don’t blog that much I figured I’d expand it to include some of the other activities I got up to last year.

Magento Poisoning the Cache

December 17, 2016 Magento, Sysadmin

For those of you that don’t know, the Magento routeing system is largely based on classes provided by Zend Framework 1. Whilst browsing through the code I came across something interesting in the method Zend_Controller_Request_Http::setRequestUri. What was interesting to me, was that it prioritises two headers (HTTP_X_ORIGINAL_URL and HTTP_X_REWRITE_URL) over REQUEST_URI. Why is that interesting?

Continue Reading →

Security in Magento 1.9.3.0 vs 1.9.2.4 + SUPEE-8788

October 24, 2016 Magento

With the recent simultaneous release of both Magento 1.9.3.0 and SUPEE-8788, I decided to take some time and review the differences between an upgrade to 1.9.3.0 and patching an existing 1.9.2.4 installation. I did a similar thing when SUPEE-7405 came out alongside 1.9.2.4 and found that the differences were minimal. In this instance, however, the

Continue Reading →

Magento Cache Prefix and Multi-server Configuration

September 24, 2016 Development Process, Magento, Sysadmin

I recently spent some time investigating some strange, seemingly random issues with caches not being cleared when expected. This behaviour could not be replicated locally in my vagrant based development environment. The Magento site in question was running on multiple servers and using Redis as the caching mechanism. Whilst the development environment also used Redis,

Continue Reading →

Magento CSRF vulnerability via Adobe Flex

July 13, 2016 Magento

I recently became aware of a vulnerability that appears to be present in a relatively high percentage of Magento stores, including stores that have applied all security patches released by Magento. The vulnerability is caused by 3 flash files being compiled with a vulnerable version of flex, the underlying issue with flex was assigned the

Continue Reading →

HTTP composer dependencies

February 27, 2016 Development Process

A recent update to composer added a configuration option secure-http, which is defaulted to true. As the name suggest the setting relates to https. More specifically it errors if you attempt to pull in a dependency over the http protocol. Importantly, this error is triggered by both packages AND repositories. If you are pulling all

Continue Reading →

12»
  • Categories

    • Development Process
    • Magento
    • Sysadmin
    • Uncategorized
  • Tags

    .htacces Apache composer facepalm filesystem magento 2 mod_rewrite security
    • Archives

      • December 2017
      • June 2017
      • April 2017
      • February 2017
      • January 2017
      • December 2016
      • October 2016
      • September 2016
      • July 2016
      • February 2016
      • January 2016
      • April 2012
      • February 2012
      • August 2011
    • Categories

      • Development Process
      • Magento
      • Sysadmin
      • Uncategorized
    • “There are two types of people. Those who can extrapolate from incomplete data.”

    • Contact
    • Home
    Copyright © 2012 All Rights Reserved - peterocallaghan.co.uk