Apply patches with composers post-install-cmd

magento2_teaser_patch

I just want to introduce another approach that will apply Magento patches, in case your Magento instance isn’t hosted on Adobe’s Cloud infrastructure or can’t be applied as explained in How to apply a composer patch provided by Adobe for some reason.

1. Update your composer.json file

Add a new section scripts” at the end of your composer.json file and validate your file with composer validate.

If you see ./composer.json is valid you are good to move on. Btw. your composer.lock file doesn’t need to be updated.

2. Create a folder ./patches/

Create a folder ./patches/ or something similar and copy your *.patch file in there.

3. Test it

Run composer install and wait. Your script and patch should be executed after Generating autoload files just like in the below output.

4. Deploy it

Commit your changes ( composer.json and ./patches/ ) folder and run your deployment procedure.

That’s it!

Adobe APSB22-12 – Don’t panic!

magento2_teaser_patch

Adobe has released a critical security patch early this week on https://support.magento.com/hc/en-us/articles/4426353041293-Security-updates-available-for-Adobe-Commerce-APSB22-12– and https://helpx.adobe.com/security/products/magento/apsb22-12.html.

Of course, Adobe Commerce merchants and agencies are nervous and want to apply the security patch as soon as possible. However, I believe as long as your admin passwords are strong enough and you have control about your admin accounts, you shouldn’t be worried too much.

Here is why.

Let’s have a look at the content of the security patch.

The patch will update two files only that are responsible to process template variables such as email variables {{var logo_url}} or {{config path=”general/store_information/name”}} or variables within CMS pages or Static Blocks. The change is trivial and will wipe out unwanted content by using the pattern $pattern = ‘/{{.*?}}/’.

It basically means, in order to be able to exploit this issue, you must:

1. Know the admin url of a store
2. Have access to the Magento backend ( ideally admin privileges )
3. Know how to exploit the issue

So, as long as you maintain admin accounts regularly and know who is actively working in your backend, you should be fine.

However, if you have modules installed that add custom variables by injecting Magento\Email\Model\Template\Filter in combination with 3rd party services, you should probably go and install the patch with your next release.

Update: 2022/02/16

Code could possibly injected by using the customers billing or shipping address ( e.g {{trans “%name,” name=$order.getBillingAddress().getName()}} ) depending on how strong form validation is in the front-end ( My Account > Addresses or Checkout ).

Captcha Test For Your Contact Form

The following PHP script allows you to test your contact form captcha integration in Magento. If you receive any email after executing this script, you have to review your captcha integration.

You may need to add, remove or rename fields in the $field array. Don’t forget to replace {base_url} with your actual URL.

Broken Admin Panel after SUPEE-8788

After the installation of patch SUPEE-8788 in Magento 1.9.0.1 I have experienced a broken product edit form in Catalog > Manage Products > { select any product } > Edit Product. Every time when I tried to edit a product it was logging the following error message.

I have found a community extension in my project which was causing the problem by rewriting the complete class Mage_Catalog_Helper_Image. With diff I was able to identify all changes which I needed to copy from core to the community extension.

I just added the missing constant

and updated the method validateUploadFile().

Protect your AJAX controller action from malicious calls

If you are working with AJAX calls, you should at least verify where the calls are coming from.

Please find the complete code on Gist.

Check Multiple Magento Instances with checkr

This is a quick example how you can check the visibility of specific paths of multiple Magento instances with a shell script called checkr. For example:

  • /var/log/system.log
  • /var/log/exception.log
  • /downloader/
  • /var/
  • /backup/
  • /RELEASE_NOTES.txt

For security reasons, those folders or files should never visible or accessible from outside.

1. URLs

Create a simple list with your clients’ names and its URLs. Save this file as clients.list.

2. Shell Script

3. Run

Run this script with a custom parameter.

4. Results

Find Malware in Image Files

Malware

It’s a nightmare. Your production environment was compromised and you actually don’t know how and how much data was stolen. For sure there are different ways to be compromised. In this post I just want to explain, how hackers can get full access to your production environment by using image files.

As explained on Snapfast and Sucuri it is pretty easy to store any kind of PHP code in EXIF headers. Often times it only needs a simple script to create an administrator account. If you are using third-party extensions with an image upload function or if you are late with the last security update, there is a high risk to be compromised.

You can use commands like svn status or git status to find changes, but this is no guarantee to find malicious code, because oftentimes your /media/ or similar folders are not version controlled.

Here is one simple command how you can find infected image files.

In case if any file is infected, you will see the following search result.