Last night Magento informed users in an email that Magento sites running on misconfigured Nginx servers, and sites exposing the Magmi data import tool, are at risk.
With this news, we’d like to quickly inform Nexcess hosting clients that they are not exposed to either of the issues described in that email. Here’s a closer look at the two vulnerabilities.
Misconfigured Magento Sites Using Nginx
The first issue is related to misconfigured Magento sites using Nginx. Byte.nl reported this vulnerability, which allows “a malicious person [to] anonymously fetch the internal Magento cache and thus obtain secrets such as the database password. This password gives access to customer and payment data.” The underlying misconfiguration is that Magento ships .htaccess files that make Apache refuse web requests for directories such as var/ and app/etc/, but Nginx never reads .htaccess files; unless the Nginx configuration denies those paths explicitly, the cache files under var/ (and app/etc/local.xml, which holds the database credentials in plain text) are served like any other static file.
Nexcess Impact: Nexcess managed hosting clients are not impacted by this vulnerability.
Unsecured Magmi Data Import Tool
The second issue is related to an unsecured Magmi data import tool. From the Magento Security Registry alert: “It has also come to our attention that some sites use the Magmi data import tool without protection from outside access. This tool can be abused to gain full access to a Magento installation and it is critical that you act now and remove this tool from your production website or limit access to it based on IP address or password.” It should be noted that this is not a vulnerability in Magmi itself, but the consequence of deploying Magmi without any access control in front of it. Here are the developer’s instructions for securing Magmi.
Nexcess Impact: We globally block access to Magmi on our servers to protect clients who are not aware of the proper security settings. We deployed these changes when the Magmi security concerns were first publicly announced. As such, Nexcess managed hosting clients are not impacted by this issue.
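For self-hosted sites, the following Nginx server block closes both gaps described above: it denies the directories that Magento 1’s own .htaccess files would protect under Apache, and it restricts Magmi by source address and password. This is an added example written for this post, not configuration from Nexcess, Magento, Byte.nl or the Magmi project; the hostname, document root, IP range, htpasswd path and PHP-FPM socket are assumptions to be replaced with your own values.

```nginx
server {
    listen 80;
    server_name shop.example.com;   # assumed hostname
    root /var/www/magento;          # assumed Magento 1 document root
    index index.php;

    # Magento 1 ships .htaccess files that make Apache refuse requests for these
    # directories. Nginx never reads .htaccess, so without this block a request
    # for /var/cache/... or /app/etc/local.xml is served as a static file.
    # This regex location comes first so it wins over the PHP handler below.
    location ~* ^/(app|includes|lib|media/downloadable|pkginfo|var|shell)(/|$) {
        return 404;
    }

    # Never serve dotfiles (.htaccess, .git, .svn, ...).
    location ~ /\. {
        return 404;
    }

    # Magmi. Best option: delete it from production. If it has to stay,
    # allow only known source addresses AND require a password.
    # ^~ stops the server-level PHP regex from matching inside /magmi/,
    # so every request here passes the allow/deny and auth checks first.
    location ^~ /magmi/ {
        allow 203.0.113.0/24;        # assumed office/VPN range (TEST-NET-3)
        deny  all;
        auth_basic           "Magmi import tool";
        auth_basic_user_file /etc/nginx/magmi.htpasswd;   # assumed path; create with htpasswd

        location ~ \.php$ {
            try_files $uri =404;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php-fpm.sock;          # assumed PHP-FPM socket
        }
    }

    # Standard Magento 1 front-controller routing.
    location / {
        try_files $uri $uri/ @handler;
    }
    location @handler {
        rewrite / /index.php;
    }

    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm.sock;              # assumed PHP-FPM socket
    }
}
```

After `nginx -t` and a reload, verify from outside the allowed range that `curl -sI http://shop.example.com/var/cache/` and `curl -sI http://shop.example.com/app/etc/local.xml` both return 404, and that `/magmi/web/magmi.php` is refused even with valid credentials; from an address inside the range it must still prompt for a password. Because the deny rules are regex locations, they must appear before the `\.php$` handler, since Nginx takes the first matching regex location.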
As a closing note, last night’s email notification came from the Magento Alert Registry, which was created to keep eCommerce retailers up-to-date about potential security problems in the Magento ecosystem. If you haven’t signed up for this yet, you should do so here.