Captcha Test For Your Contact Form

The following PHP script allows you to test your contact form captcha integration in Magento. If you receive any email after executing this script, you have to review your captcha integration.

You may need to add, remove or rename fields in the $field array. Don’t forget to replace {base_url} with your actual URL.

Broken Admin Panel after SUPEE-8788

After installing patch SUPEE-8788 in Magento 1.9.0.1, I experienced a broken product edit form in Catalog > Manage Products > { select any product } > Edit Product. Every time I tried to edit a product, it logged the following error message.

I found a community extension in my project that was causing the problem by rewriting the complete class Mage_Catalog_Helper_Image. With diff I was able to identify all changes that I needed to copy from core to the community extension.

I just added the missing constant

and updated the method validateUploadFile().

Protect your AJAX controller action from malicious calls

If you are working with AJAX calls, you should at least verify where the calls are coming from.

Please find the complete code on Gist.

Check Multiple Magento Instances with checkr

This is a quick example of how you can check whether specific paths on multiple Magento instances are publicly visible, using a shell script called checkr. For example:

  • /var/log/system.log
  • /var/log/exception.log
  • /downloader/
  • /var/
  • /backup/
  • /RELEASE_NOTES.txt

For security reasons, those folders or files should never be visible or accessible from outside.

1. URLs

Create a simple list with your clients’ names and their URLs. Save this file as clients.list.

2. Shell Script

3. Run

Run this script with a custom parameter.

4. Results
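One way to implement the script from step 2, as an added example that is not the original checkr script from the post: it takes clients.list as its parameter (one "name url" pair per line is an assumed format), probes each of the paths listed above with curl, and exits non-zero if anything answers 2xx.

```shell
#!/bin/sh
# Added example, not the original checkr script from the post.
# Assumes: clients.list holds one "name url" pair per line, e.g.
#   shop-a https://shop-a.example
# and that curl is installed. Lines starting with # are ignored.

# Paths from the post that must never be reachable from outside.
PATHS="/var/log/system.log /var/log/exception.log /downloader/ /var/ /backup/ /RELEASE_NOTES.txt"

# Join base URL and path without producing a double slash.
build_url() {
  base=${1%/}
  printf '%s%s' "$base" "$2"
}

# Turn an HTTP status into a verdict. A 2xx answer on one of these paths
# means the file or directory listing is served; 3xx needs a manual look
# (the redirect target may still expose it); 403/404 is the hardened case.
classify() {
  case "$1" in
    2[0-9][0-9]) echo EXPOSED ;;
    3[0-9][0-9]) echo REDIRECT ;;
    000)         echo UNREACHABLE ;;
    *)           echo OK ;;
  esac
}

# Fetch only the status code; curl prints 000 when it cannot connect.
probe() {
  curl -s -o /dev/null --max-time 10 -w '%{http_code}' "$1" 2>/dev/null
}

# Probe every path on every client and print "name verdict code url".
# Returns non-zero when anything is EXPOSED, so it can gate a cron job or CI.
checkr() {
  exposed=0
  while read -r name base; do
    case "$name" in ''|\#*) continue ;; esac
    for p in $PATHS; do
      url=$(build_url "$base" "$p")
      code=$(probe "$url")
      verdict=$(classify "${code:-000}")
      if [ "$verdict" = EXPOSED ]; then exposed=$((exposed + 1)); fi
      printf '%-12s %-11s %s %s\n' "$name" "$verdict" "$code" "$url"
    done
  done < "$1"
  [ "$exposed" -eq 0 ]
}

# Usage: sh checkr.sh clients.list
if [ $# -gt 0 ]; then checkr "$1"; fi
```

Redirects are deliberately not followed, so a 3xx is reported as REDIRECT for manual review instead of being counted as a false positive when the target is the shop's home page.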

Find Malware in Image Files


It’s a nightmare. Your production environment was compromised and you don’t know how, or how much data was stolen. There are many different ways to be compromised. In this post I just want to explain how attackers can get full access to your production environment by using image files.

As explained on Snapfast and Sucuri, it is pretty easy to store any kind of PHP code in EXIF headers. Often a simple script is all it takes to create an administrator account. If you are using third-party extensions with an image upload function, or if you are late applying the latest security update, there is a high risk of being compromised.

You can use commands like svn status or git status to find changes, but this is no guarantee of finding malicious code, because your /media/ or similar folders are often not version controlled.

Here is one simple command to find infected image files.

If any file is infected, you will see the following search result.