Nexcess Blog

Posts by: Magento

Magento guruincsite Security Issue

October 20, 2015

There is a possible new Magento security issue that has been impacting a number of Magento-based sites. The sites in question are being blacklisted by Google as a result of malicious code that is injected into the Magento database and ends up being displayed in the footer of the infected site and executed in visitors' browsers.

This exploit is known as the “guruincsite[.]com” exploit due to the domain to which the injected code was being posted.

Posted in: Magento

Magento Security Vulnerabilities Announced

October 9, 2015

Last night Magento informed users in an email that sites using Nginx and the Magmi data import tool are at risk.

With this news, we’d like to quickly inform Nexcess hosting clients that they are not vulnerable to the exploits mentioned in this email. Here’s a closer look at the two vulnerabilities.

Posted in: Magento

Meet Magento Brazil 2015 Recap

On October 5, Nexcess assisted and sponsored Meet Magento Brazil, one of the largest Magento events in South America. Our Sales and Community Development Teams connected with local merchants and developers eager to learn about our trajectory into the Brazilian market.

Carlos Hix, Director of GHX Consulting, opened the day by speaking on the current state of Brazilian eCommerce and highlighted how the community could contribute to its continuing expansion and success.

Posted in: Magento, Nexcess

Meet Magento New York 2015 Recap

October 6, 2015

We were delighted to attend the 2nd annual Meet Magento New York, produced by our good friends (and partners) Interactiv4. This two-day event is always a great place to meet partners, merchants and developers – so we’re always excited to sponsor and attend! I also greatly enjoyed working closely with our sales team and learning how they answer questions and concerns from current and prospective clients and partners. As always, we are grateful for their expertise. It’s always great for a developer to get out from behind the screen, actually interact with users, and get feedback!

It will surprise no one that Magento 2 was a huge focus at the conference, so we made sure we brought shirts to match (among other swag). Among the highlights for me was Joshua Warren’s Magento 2 Workshop, which was a great look at the design and architecture of Magento 2 – something we’re all going to become extremely familiar with in the coming months.

Posted in: Magento, Nexcess

Magento 2 is Available Right Now

September 10, 2015

Magento 2 is Available Right Now!

Basically!

The Magento 2 Merchant Beta has been released and that means that it’s testing time!

In the spirit of the next generation of Magento being upon us, Nexcess has launched a public demo of the new Magento 2 Merchant Beta, which you can now play with online right here. Keep in mind that this is a beta release, meaning that they haven’t necessarily worked out all the kinks.

Posted in: Magento, Nexcess

Meet Magento Vietnam 2015 recap

August 28, 2015

Photo: Meet Magento 2016 – Hanoi Vietnam

On August 22, 2015, Nexcess participated in and sponsored Meet Magento Vietnam in Hanoi. We were honored to participate in Asia’s first-ever Meet Magento event. Meet Magento Vietnam (MM15VN) played host to more than 500 community partners, local merchants, and solution partners from across the Asia-Pacific.

The day-long conference brought together expert Magento developers and entrepreneurs to discuss hot-button topics like security, community, and the challenges of open source development. This was the first visit to Vietnam for either of us, and we were ecstatic to see the tremendous growth and success enjoyed by Magento merchants and community partners. We also had the opportunity to meet dozens of local developers responsible for numerous contributions to the global Magento community.

Posted in: Magento, Nexcess

Here’s Why Your Magento Store Needs Two-Factor Authentication

August 11, 2015

Passwords alone are not a good authentication mechanism. Too many things can go wrong with passwords for eCommerce retailers to entirely trust them. Users often choose weak passwords or accidentally allow them to fall into the hands of malicious individuals. Particularly in the eCommerce world, where sensitive data, money, and a business’s reputation are on the line, something more than the humble password is needed.

Two-factor authentication is the best way to supplement password logins to make them secure. The more factors of identification a user can present to an authentication system, the higher the chance that they are who they claim to be. When you apply for a bank account, the bank will ask you for several forms of identification: maybe your passport, driver’s license, and a utility bill with your address on it. It would be quite easy for a third-party to get hold of any one of those, but it’s unlikely they can get all three.

Posted in: Magento, Security

Magento Security Advisory and Patch (SUPEE-6482)

August 10, 2015

Magento has just released patch SUPEE-6482, which addresses four different vulnerabilities affecting Magento Community and Enterprise editions. We strongly advise all Magento store administrators to update to the latest version to address these vulnerabilities (1.9.2.1 for Community or 1.14.2.1 for Enterprise). Those that do not want to update to the most current version of Magento must manually apply the SUPEE-6482 patch to fix these same vulnerabilities.

The first two vulnerabilities involve issues with input validation in the Magento API. In one of these, an attacker could remotely include arbitrary PHP code in an API request. This type of attack only works when used against specific server and PHP configurations and while logged in with valid API credentials. However, this still presents a risk in cases where a compromised API account has only limited access because attackers may exploit it to escalate their privileges. The other API vulnerability allows an attacker to probe internal network resources using a malformed API password.

The next two vulnerabilities addressed by SUPEE-6482 affect only Magento Enterprise users, but are much more severe. The worst of these involves cache poisoning, where attackers use unvalidated host headers to modify pages in a Magento store, though this will only work on specific server configurations. Finally, the patch addresses a cross-site scripting vulnerability in Magento’s gift registry search. This vulnerability allows attackers to steal cookies or impersonate Magento users, presumably by tricking those users into following a malicious link.

For more information about how to apply the patches to your Magento store, refer to the instructions on the Magento website.

For additional details about the SUPEE-6482 patch, refer to the Magento release notes.

Posted in: Magento, Security

Magento Introduces Security Alert Registry

August 4, 2015

In the wake of a number of serious vulnerabilities — including the critical ShopLift vulnerability — Magento announced in May that it would be introducing the Magento Alert Registry to keep eCommerce retailers up-to-date about potential security problems. You can now sign up here.

“We are committed to platform security and are taking proactive steps intended to ensure this. In the coming weeks, we will be establishing the Magento Alert Registry to serve as a direct line of communications in future urgent situations, separate from any marketing communications. By being able to connect with both our Community and Enterprise Edition merchants directly via your preferred method – email, text or social – we will be able to more quickly inform you of steps to resolution.”

Posted in: Magento, Security

New Magento Community Edition Security Patch Released — Immediate Patching Is Advised

July 14, 2015

Magento has made available a new patch bundle that addresses several serious security vulnerabilities. Magento CE & EE users should update immediately to ensure that their eCommerce store and its users are not put at risk.

Among the vulnerabilities addressed are the potential leaking of customer information and cross-site scripting vulnerabilities.

The patch bundle — which is part of the recently released Magento Community Edition 1.9.2 — has been given the code SUPEE-6285, and is available from Magento’s site. Before applying the SUPEE-6285 patch bundle, you must also have applied SUPEE-5994, which is available at the above link.

Posted in: Magento, Security