BEST OF THE WEB

Tool for eBay’s Magneto e-commerce platform has vulnerability

E-commerce has been a savior for many organizations — particularly SMBs — because it can allow them to pick a cloud solution and focus on their core competencies.

However, it doesn’t mean that everything is taken care of. Tools and plug-ins can be a source of security weaknesses, as users of WordPress have found out. The latest case in point: This week a vulnerability was revealed in an open source utility called Magmi for eBay’s Magneto e-commerce platform.

Trustwave reported seeing HTTP requests associated with an exploit attempt on the SourceForge version of Magmi, the Magneto Mass Importer database client, used to bring data into the Magneto database.

Magmi can also be downloaded from GitHub, but it’s the SourceForge version that has the problem. You’ll find out why in a moment.

Attackers were apparently testing sites to see if admins hadn’t changed the client’s default security configuration. They were doing it by trying  to access the Linux password file through the HTTP request, which would expose the path to the file.

“Successful exploitation results in access to Magento site credentials and the encryption key for the database,” the security vendor said in a blog.

Magneto has some 240,000 subscribers. It isn’t clear how many use the SourceForge version of Magmi, but Trustwave notes there were 2,800 downloads in September, and 500 the first week of this month.

Why was the SourceForge copy of Magmi the problem? Because it hadn’t been updated in months although the two repositories were supposed be synchronized. The GitHub copy was newer  and didn’t include a crucial file that would give the password file away.

“What’s disturbing is the inconsistency between the two repositories and the popularity of the out-dated, SourceForge repository,” commented Trustwave.

Magento acknowledged the issue and issued a security notification to their partners and users. It also contacted the owners of 1,700 Magneto sites believed to be vulnerable.

There are three lessons here: First, not only do providers that host downloadable software have to make sure they’ve always got the latest versions, so do CISOs. Second, tools and plug-ins are risks. And third, policies have to be in place to ensure default passwords in every system are changed.

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web