Nublue Blog, Hosting Guides
Magento security patch update: 'Shoplift' and you
Posted by Ewan

THE SHOPLIFT BUG

There has been a lot of talk recently about several Magento vulnerabilities, particularly the "Shoplift" bug, which lets an attacker with no credentials take control of an online store and obtain sensitive data. A patch for this issue, SUPEE-5344, was released in February this year, following the SUPEE-1533 patch for a similar but less urgent issue last October.

OUR PATCHES

We're a specialist Magento host, and we host a lot of Magento sites: old and new, testing sites and live ones, on packages ranging from Shared and VPS to Dedicated hosting. Given the vulnerabilities discovered in Magento, the possibility that thousands of unpatched sites were being actively scanned for was worrying enough for us to take the unprecedented step of patching every Magento site we could detect on our hosting.

In February we applied SUPEE-5344 to all of the hosted Magento sites we could detect, and did so again in April (along with the less critical SUPEE-1533 patch for the earlier issue). At the same time we contacted anyone whose sites we couldn't patch as part of this process.

However, the fight against Magento's 'Shoplift' bug isn't over. It's the responsibility of each site administrator (not the hosting company!) to keep their site secure and up to date. With this in mind, there are a number of actions we need all our hosted Magento clients to carry out as soon as possible to make sure they can't be exploited through this serious vulnerability.

Even if your Magento website is not hosted by Nublue, we can't stress enough how important it is to make sure you're patched and up to date. Hardening your website against these recent Magento vulnerabilities is, in our opinion, essential to the security of your site and that of your customers.

SHOULD THIS VULNERABILITY CONCERN ME?

If you have a Magento website: yes!
It should be keeping you awake at night! On a (slightly) more serious note, every Magento website you run should be patched. Check them yourself and make doubly sure they're protected against this threat. This really is a very serious vulnerability, and Magento users absolutely should not leave it to chance.

CHECK THAT YOU'RE PATCHED

If you're unsure how to check that you're patched against Shoplift, Magento provides a simple online checker on its site. Enter your site URL and admin location into the form and it will tell you whether your site is vulnerable to the Shoplift threat. The checker tests from the outside, so it tells you whether the exploit still works against your store; on the server itself you can also look for a SUPEE-5344 entry in app/etc/applied.patches.list, the log that the Magento patch scripts append to whenever a patch is applied or reverted.

HOW YOU MAY HAVE UN-PATCHED YOURSELF

There's a possibility that you have broken the Magento patch since we (or you) applied it to your site, so this is well worth a double check. Magento version 1.9.1.1, which contains the SUPEE-5344 patch, was released on 1 May. If you updated your Magento after we patched you but to a version prior to that release (that is, you're running 1.9.1.0 or earlier), the update did not contain the patch and you are vulnerable again. In this case you should apply the patch manually, or update your Magento to version 1.9.1.1.

If you're using compilation, you'll need to disable it and then recompile your site for the patch to take effect: with compilation on, Magento serves the copies of the core files under includes/src, not the patched originals, until those copies are regenerated.

And, of course, if you've restored a copy of the site taken before the patches, or if you've been amending your core code, then you may not be patched. If there's any possibility that you haven't been, please head to the Magento download page, obtain the patch and apply it as a matter of urgency. If you prefer, you can contact our Support team, who can apply it for you.
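A server-side version of the checks above, added for this article (it is not Nublue's or Magento's own code): it reads the version recorded in app/Mage.php, the patch log in app/etc/applied.patches.list and the compilation flag in includes/config.php, then reports whether the tree is patched, patched but still serving compiled copies, or unpatched. The make_install helper and the log lines it writes are constructed fixtures so the script can be tried on a scratch directory rather than a live store; the assumption that a reverted patch leaves a line marked REVERTED is mine, since the log's column layout differs between patch releases, so only the patch name and that marker are inspected.

```shell
#!/bin/sh
# Offline check of a Magento 1 web root for the Shoplift patch (SUPEE-5344).
# Example added for this article, not Nublue's or Magento's code.
# Usage on the server: sh shoplift_check.sh /path/to/webroot

# Print the version from app/Mage.php (getVersionInfo lists major/minor/revision/patch).
magento_version() {
    mage="$1/app/Mage.php"
    [ -f "$mage" ] || { echo "no app/Mage.php under $1" >&2; return 1; }
    ver=""
    for part in major minor revision patch; do
        n=$(sed -n "s/^[[:space:]]*'$part'[[:space:]]*=>[[:space:]]*'\([0-9]*\)'.*/\1/p" "$mage" | head -n 1)
        [ -n "$n" ] || { echo "cannot read '$part' from $mage" >&2; return 1; }
        ver="${ver:+$ver.}$n"
    done
    printf '%s\n' "$ver"
}

# version_ge A B: succeed when dotted version A is at least B (1.9.1.1 >= 1.9.1.0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, "."); n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# patch_status ROOT NAME: applied | reverted | absent, judged from the last log
# line naming the patch. Assumption: a revert leaves a line marked REVERTED.
patch_status() {
    list="$1/app/etc/applied.patches.list"
    last=""
    [ -f "$list" ] && last=$(grep -F -- "$2" "$list" | tail -n 1)
    if [ -z "$last" ]; then echo absent
    elif printf '%s\n' "$last" | grep -q REVERTED; then echo reverted
    else echo applied
    fi
}

# Compilation serves class copies from includes/src; an uncommented
# COMPILER_INCLUDE_PATH in includes/config.php means patched files are not
# used until you disable compilation and recompile.
compilation_enabled() {
    cfg="$1/includes/config.php"
    [ -f "$cfg" ] && grep -Eq "^[[:space:]]*define\('COMPILER_INCLUDE_PATH'" "$cfg"
}

# shoplift_check ROOT: prints patched, patched-recompile or unpatched.
# 1.9.1.1 ships with SUPEE-5344; older trees need the patch log entry.
shoplift_check() {
    ver=$(magento_version "$1") || return 2
    if version_ge "$ver" 1.9.1.1 || [ "$(patch_status "$1" SUPEE-5344)" = applied ]; then
        if compilation_enabled "$1"; then echo patched-recompile; else echo patched; fi
    else
        echo unpatched
        return 1
    fi
}

# make_install ROOT VERSION PATCH COMPILED: throwaway tree with just the three
# files the checks read (constructed fixture, not a real install).
# PATCH is applied, reverted or none; COMPILED is yes or no.
make_install() {
    root="$1"; ver="$2"; patch="$3"; compiled="$4"
    mkdir -p "$root/app/etc" "$root/includes"
    set -- $(printf '%s\n' "$ver" | tr '.' ' ')
    printf "<?php\n'major' => '%s',\n'minor' => '%s',\n'revision' => '%s',\n'patch' => '%s',\n" \
        "$1" "$2" "$3" "$4" > "$root/app/Mage.php"
    line="2015-02-10 09:12:31 UTC | SUPEE-5344 | CE_$ver | v1 | constructed sample entry"
    case "$patch" in
        applied)  echo "$line" > "$root/app/etc/applied.patches.list" ;;
        reverted) printf '%s\n%s | REVERTED\n' "$line" "$line" > "$root/app/etc/applied.patches.list" ;;
    esac
    if [ "$compiled" = yes ]; then def="define"; else def="#define"; fi
    printf "<?php\n%s('COMPILER_INCLUDE_PATH', dirname(__FILE__).DIRECTORY_SEPARATOR.'src');\n" "$def" \
        > "$root/includes/config.php"
}

if [ "$#" -ge 1 ]; then
    shoplift_check "$1"
fi
```

Treat "patched-recompile" as not yet safe: disable compilation in the admin (or via shell/compiler.php), then re-run the compiler so includes/src is rebuilt from the patched files, and re-check with Magento's online tester from outside.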
VERY IMPORTANT THINGS TO DO NEXT

Once you're sure that your site(s) have been patched, there are some additional steps we'd like all our Magento hosted clients to take to further protect themselves against this issue:

1. CRITICAL: MOVE YOUR ADMIN LOCATION

Scans for vulnerable sites are looking for the default Magento admin location, /admin. Moving your admin area to a different path is a very simple task and will immediately hide you from many of the scans we are seeing. Bear in mind that this only hides the admin router from scanners; it does not fix the vulnerability, so it comes in addition to patching, never instead of it.

To do this, edit your local.xml file, in the app/etc/ folder within your site's web root. The admin path is the frontName value, nested under config/admin/routers/adminhtml/args:

    <frontName><![CDATA[admin]]></frontName>

Update the 'admin' value to something else and save the file, e.g.:

    <frontName><![CDATA[thank_you_nublue]]></frontName>

Stick to letters, digits and underscores for the new name. You should then clear your store's cache for the change to take effect. You can do this in several ways: by emptying the var/cache folder via FTP, or by removing or renaming the cache folder via SSH. Afterwards, check that /admin now gives a 404 and that the login page appears at the new path.

2. CRITICAL: MOVE YOUR DOWNLOADER FOLDER

Scans are also being carried out for Magento Connect, which lives in the downloader folder. For this reason, you should rename the downloader folder within your root Magento directory. A renamed folder is still inside the web root, so either pick a name nobody will guess or move it outside the web root altogether. Please note that you'll have to restore the folder name to downloader to use Magento Connect in the future. Also be aware that updating Magento will recreate the downloader folder, so you'll need to check for this when you update and deal with it again.

3. IMPORTANT: CREATE DUMMY FOLDERS

Following the steps above, anyone who now scans for http://[yoursite].co.uk/admin or http://[yoursite].co.uk/downloader is going to get a Magento 404 page. That is fine, but they are using up your precious resources loading that 404 page, because with Magento's standard .htaccess every request that doesn't map to a real file or folder is handed to index.php and boots the whole application. Don't give them anything!
If you create empty admin and downloader folders after moving the real ones as above, a vulnerability scan is still going to find nothing, but the requests will no longer load your 404 page, because the web server answers for an existing folder itself instead of passing the request to Magento. Put an empty index.html in each folder (or make sure directory listings are switched off) so the server returns a blank page rather than a listing. Note that this only spares you the bare /admin and /downloader requests: deeper paths such as /admin/anything do not match a real file or folder and still go through index.php, so a real access restriction on these locations (see the follow-up article mentioned below) is the stronger fix.

4. IMPORTANT: MONITOR ADMIN USERS

You should know exactly which admin users exist in your Magento store (System > Permissions > Users in the admin, or the admin_user table in the database), and check them regularly. If a user appears that you don't recognise, remove them, and treat it as a sign that your store may already have been attacked: this exploit was being used to create admin accounts, so also change every admin password and check your store for strange behaviour.

SUMMARY

After following all of the steps above you should be protected against the Shoplift bug, and you've hardened your site against further attempts to exploit it. The steps are very easy to perform, and we absolutely advise every Magento user to take them. (We can carry out these security measures for our clients if they request it, but please note that this will be chargeable.)

We'll be following up this article with update emails to all our clients, along with a future article showing how to protect yourself further by restricting access to your admin and downloader locations, so that only you and authorised users can actually reach these pages.

As ever, if you have any questions or queries regarding the above, please contact our Support team and we'll be happy to help.

Nublue is a web hosting and development company dedicated to online security and keeping its hosted clients protected. To find out more about what we do, get in touch by email or call 0800 033 7074.
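Steps 1 to 4 above as one shell script, added for this article rather than taken from Nublue or Magento. The function names, the downloader.disabled destination one level above the web root, the index.html decoy files and the admin_user_diff baseline format (one tab-separated username, email and is_active per line, as produced by the mysql command in the comment) are my choices, and make_site builds a constructed local.xml and folder layout so the script can be exercised on a scratch directory before it is pointed at a real store. It goes slightly beyond step 2 by moving downloader outside the web root instead of renaming it in place, since a renamed folder is still reachable by its new name.

```shell
#!/bin/sh
# Steps 1-4 of the article as one script (example added here, not Nublue's or
# Magento's code). Usage on the server: sh harden.sh /path/to/webroot new_admin_name

# Steps 1-3: new admin front name, downloader out of the web root, decoy
# folders, cache cleared. Assumes a stock Magento 1 layout under $1.
harden_magento() {
    root="$1"; newadmin="$2"
    case "$newadmin" in
        "" | admin | *[!A-Za-z0-9_]*)
            echo "front name must be letters, digits or _ and not 'admin'" >&2; return 2 ;;
    esac
    cfg="$root/app/etc/local.xml"
    [ -f "$cfg" ] || { echo "missing $cfg" >&2; return 2; }
    cp "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"            # keep the old config
    # step 1: swap the frontName value; anchored on the whole element so nothing else changes
    sed -i.tmp "s#<frontName><!\[CDATA\[admin\]\]></frontName>#<frontName><![CDATA[$newadmin]]></frontName>#" "$cfg"
    rm -f "$cfg.tmp"
    grep -q "<frontName><!\[CDATA\[$newadmin\]\]></frontName>" "$cfg" \
        || { echo "frontName was not updated; check $cfg by hand" >&2; return 1; }
    # step 2: a renamed downloader is still under the web root, so park it one level up
    if [ -d "$root/downloader" ]; then
        [ -e "$root/../downloader.disabled" ] && { echo "downloader.disabled already exists" >&2; return 1; }
        mv "$root/downloader" "$root/../downloader.disabled"
    fi
    # step 3: empty decoys with an index file, so the web server answers a bare
    # /admin or /downloader itself, with no directory listing and without booting Magento
    for decoy in admin downloader; do
        mkdir -p "$root/$decoy" && : > "$root/$decoy/index.html"
    done
    rm -rf "$root/var/cache"/*                             # let the new front name take effect
    echo "admin is now at /$newadmin"
}

# Step 4: compare today's admin user list with a baseline kept off the server.
# Produce both files with (one tab-separated username, email, is_active per line):
#   mysql -N -B -e 'SELECT username, email, is_active FROM admin_user ORDER BY username' shopdb
# Prints users present now but missing from the baseline; returns 1 if there are any.
admin_user_diff() {
    base=$(mktemp); cur=$(mktemp)
    sort -u "$1" > "$base"; sort -u "$2" > "$cur"
    comm -13 "$base" "$cur"                                 # lines only in the current list
    n=$(comm -13 "$base" "$cur" | wc -l | tr -d ' ')
    rm -f "$base" "$cur"
    [ "$n" -eq 0 ]
}

# make_site ROOT: constructed scratch tree with the files the steps touch
# (a minimal local.xml, a downloader folder and a stale cache entry).
make_site() {
    root="$1"
    mkdir -p "$root/app/etc" "$root/downloader" "$root/var/cache/mage--1"
    cat > "$root/app/etc/local.xml" <<'EOF'
<?xml version="1.0"?>
<config>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[admin]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
EOF
    : > "$root/downloader/index.php"
    : > "$root/var/cache/mage--1/stale"
}

if [ "$#" -ge 2 ]; then
    harden_magento "$1" "$2"
fi
```

Run admin_user_diff from cron against a baseline you refreshed the last time you deliberately added or removed an admin; any line it prints is an account you did not create, and after Shoplift that means a compromise rather than a tidy-up job.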