October 09, 2015

Last night Magento informed users by email that sites using Nginx and sites running the Magmi data import tool are at risk.
We want to quickly let Nexcess hosting clients know that they are not vulnerable to either of the issues described in that email. Here’s a closer look at both.

Misconfigured Magento Sites Using Nginx

The first issue affects Magento sites served by a misconfigured Nginx. Byte.nl reported it; the misconfiguration allows “a malicious person [to] anonymously fetch the internal Magento cache and thus obtain secrets such as the database password. This password gives access to customer and payment data.” The root cause is that Nginx does not read the .htaccess files Magento ships to block its internal directories, so an Nginx configuration has to deny those paths explicitly.
Nexcess Impact: Nexcess managed hosting clients are not impacted by this vulnerability.
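As an added example (not part of the original post, and not Byte.nl’s or Magento’s own configuration), here is a Magento 1 Nginx server block that explicitly denies web access to the directories holding the cache (var/) and the configuration with the database credentials (app/etc/local.xml). The document root, host name and PHP-FPM socket are hypothetical placeholders.

```nginx
# Added example, not from the original post. Hardened Nginx server block for
# a Magento 1 document root; /var/www/magento, shop.example.com and the
# php-fpm socket path are hypothetical.
server {
    listen 80;
    server_name shop.example.com;
    root /var/www/magento;
    index index.php;

    # WEAK: a server block that only contains the "location /" and
    # "location ~ \.php$" blocks below serves /var/cache/... and
    # /app/etc/local.xml like any other static file, so the cached
    # configuration (including the DB password) is readable anonymously.

    # FIX: deny Magento's internal directories. Regex locations are tried
    # in order of appearance and the first match wins, so this block must
    # come BEFORE the "\.php$" location; otherwise /var/cache/x.php would
    # be handed to PHP instead of being rejected.
    location ~ ^/(app|var|lib|downloader|includes|pkginfo|shell|dev)/ {
        deny all;
    }

    # Never serve dotfiles (.htaccess, .git, ...).
    location ~ /\. {
        deny all;
    }

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php-fpm.sock;
    }
}
```

After reloading Nginx, a request for /var/cache/ or /app/etc/local.xml should return 403 rather than file contents. Apache sites get this protection from the .htaccess files in var/ and app/etc/; Nginx ignores those files, which is why the rules have to live in the server configuration.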

Insecure Magmi Data Import Tool

The second issue concerns the Magmi data import tool being left unprotected. From the Magento Security Registry alert: “It has also come to our attention that some sites use the Magmi data import tool without protection from outside access. This tool can be abused to gain full access to a Magento installation and it is critical that you act now and remove this tool from your production website or limit access to it based on IP address or password.” It should be noted that this is not a vulnerability in Magento itself, but a matter of Magmi not being properly secured; Magmi can write directly to the store database, so anyone who can reach its web interface effectively has administrative control. Here are the developer’s instructions for securing Magmi.
Nexcess Impact: We globally block access to Magmi on our servers to protect clients who are not aware of the proper security settings. We deployed these changes when the Magmi security concerns were first publicly announced. As such, Nexcess managed hosting clients are not impacted by this exploit.
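If Magmi has to stay on a production site, the alert’s advice is to limit access by IP address or password. As an added example (not from the original post or from Magmi’s own documentation), the following Nginx location block, placed inside the site’s server block, does both: only a trusted address range is allowed, and those clients must still present HTTP basic-auth credentials. The install path /magmi/, the 203.0.113.0/24 range, the htpasswd file and the PHP-FPM socket are hypothetical.

```nginx
# Added example, not Magmi's own configuration. Restricts the Magmi web UI
# to a trusted IP range AND a password; path, range, htpasswd file and
# php-fpm socket are hypothetical.
location ^~ /magmi/ {
    # 1. Source-address restriction. 203.0.113.0/24 stands in for an
    #    office or VPN range; everything else is rejected with 403.
    allow 203.0.113.0/24;
    deny  all;

    # 2. Password on top of the IP check. Nginx's default "satisfy all"
    #    means BOTH conditions must pass. Create the file with
    #    "htpasswd -c /etc/nginx/htpasswd_magmi importuser".
    auth_basic           "Magmi import";
    auth_basic_user_file /etc/nginx/htpasswd_magmi;

    # "^~" stops Nginx from consulting the server-wide regex locations, so
    # PHP handling must be repeated here or Magmi's scripts would be served
    # as plain text (leaking source) instead of executed.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php-fpm.sock;
    }
}
```

Removing the tool from the production document root entirely, as the alert recommends first, is the stronger option. Note that any Apache-style .htaccess protection bundled with Magmi is ignored by Nginx, so on an Nginx host the restriction must be configured as above.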
As a closing note, last night’s email notification came from the Magento Alert Registry, which was created to keep eCommerce retailers up-to-date about potential security problems in the Magento ecosystem. If you haven’t signed up for this yet, you should do so here.

Nexcess

Nexcess, the premium hosting provider for WordPress, WooCommerce, and Magento, is optimized for your hosting needs. Nexcess provides a managed hosting infrastructure, curated tools, and a team of experts that make it easy to build, manage, and grow your business online. Serving SMBs and the designers, developers, and agencies who create for them, Nexcess has provided fully managed, high-performance cloud solutions for more than 22 years.

