Release 2015-05-27: New Magento exploits and the start of workflow capabilities – 10 minute mail

You are now starting to see some of the results of the updated backend: the first step towards a workflow tool, with tags, is in place. We also included multiple Magento-specific vulnerabilities, and our phpMyAdmin modules got an update.

Workflow

The plan forward is to make Disposable mail an integrated part of your workflow. It will be possible to flag, export and assign individual findings. The first step is that you are now able to mark individual posts as resolved. Work your way down the list of vulnerabilities and improve the security of your web app.

Mark fixed

Magento vulnerabilities

Multiple Magento-specific vulnerabilities were included in this release. Some of those included are:

  • Magento Shoplift SQL Injection
  • Magento SWF “bridgeName” XSS
  • Magento MAGMI XSS & LFI
  • Magento Admin Panel XSS’es

The Shoplift vulnerability allows a remote attacker to gain full control over the target system and impacts almost two hundred thousand Magento e-commerce shops. We’ve added a test to spot vulnerable installations. If you run a Magento e-commerce website, run a test with Disposable mail. Visit http://magento.com/security-patch for further information.

phpMyAdmin updates

phpMyAdmin is still one of the most common tools for administering MySQL on the internet, and many people forget to update it. We’ve massively improved our collection of exploits for older phpMyAdmin (PMA) installations. Some of the updates are:

  • phpMyAdmin Remote Code Execution through setup.php
  • phpMyAdmin “ServerSync” Backdoor
  • phpMyAdmin Directory Listing through db_details_importdocsql.php
  • phpMyAdmin Local File Inclusion through export.php
  • phpMyAdmin Local File Inclusion through grab_globals.lib.php


Just log in and run a new scan to check it out! Also, don’t forget to keep an eye on our Magento security page to stay updated.

Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

[Alert] New Magento Vulnerability – Unauthenticated Remote Code Execution – 10 minute mail

Are you running a Magento version before 2.0.6? Time to upgrade!
It was recently discovered that all Magento versions before 2.0.6 (both Community and Enterprise Edition) are vulnerable to an unauthenticated Remote Code Execution. The vulnerability (CVE-2016-4010) could allow an attacker to take over the vulnerable process and consequently even take complete control over the machine, putting your customer data, transaction history and revenues at risk.

[Solution] Upgrade to the 2.0.6 patch as soon as possible

As always, we recommend running regular security tests on your website and keeping up with all the latest vulnerabilities on our blog.

Stay safe!


Newly added security tests, October 4, 2017: WordPress and Magento vulnerabilities – 10 minute mail

This week’s update brings more WordPress plugin vulnerabilities that Disposable mail now checks for, as well as two Magento security tests.

We have added:

  • WordPress Authenticated (2.9.2 – 4.8.1) Open Redirect
  • WordPress gallery-album Authenticated SQL Injection
  • WordPress theme-my-login Authentication Bypass
  • WordPress simple-membership Authenticated XSS
  • WordPress my-wp-translate Authenticated XSS
  • WordPress duplicate-page Authenticated XSS
  • WordPress my-tickets Authenticated XSS
  • WordPress wp-members Authenticated XSS
  • WordPress megamenu Authenticated XSS
  • WordPress caldera-forms Flash XSS
  • WordPress use-any-font CSRF
  • Magento SUPEE-6285 (APPSEC-996) Orders Disclosure
  • Magento SUPEE-5994 (APPSEC-977) Admin Path Disclosure

Log in and run a scan to test your site for these vulnerabilities.

Happy scanning!

The Disposable mail Team


Magento security 101: How to secure your Magento site – 10 minute mail

Due to its popularity as an e-commerce platform, Magento is an attractive target for hacker attacks, but basic security precautions can go a long way. We know that getting started with security can feel a little daunting, so we have put together this short guide to help you out. Follow our Magento security 101 and improve your Magento site’s security!

1. Use the latest version

Make sure that you are using the latest version of Magento as software updates often include security patches. If you are using Open Source (formerly known as Community Edition), the latest version as of October 2017 is 2.2. If you are running an older version, we strongly recommend you to upgrade and check Magento’s technical resources page for the latest release information.

2. Use a strong password

This may sound like a no-brainer, but it’s still worth mentioning because weak passwords are more popular than one might think. Seriously, take a look at the Worst passwords of 2016 (a list based on 5 million leaked passwords) and prepare to be amazed.

Once you’ve got your strong password in place, don’t change it too often. Contrary to popular belief, changing your password regularly can do more harm than good as you are more likely to choose a weak password that’s easy to remember. To generate strong passwords without having to worry about forgetting them, consider using a password manager.

3. Add two-factor authentication

Strong passwords are great, but there’s always an extra layer of security to add to the mix. A simple yet powerful measure is to add two-step authentication to your login. To do this, you can buy an extension on Magento Marketplace.

4. Manage your admin panel

Change the admin directory to something unique (do not use /index.php/admin/), add an SSL certificate, and make sure to restrict access to the admin panel to your own IPs. This simple step is often overlooked – our research showed that over 23.17% of all Magento sites use the default admin directory.

When the admin panel is exposed, it gives the attacker the opportunity to brute-force the login. The attacker can test common passwords, which has a high chance of succeeding because many people reuse their passwords. Exposing the admin panel also widens the attack surface and gives attackers one more page to check for vulnerabilities. To find out more about how attackers approach Magento sites, check out our video seminar where our security researchers explain how hackers think.
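To make step 4 concrete, here is an added example (our own, not code from the original post or from Magento) that audits the configured admin path and renders an IP allow-list for it. It assumes the standard locations for the setting: app/etc/local.xml (frontName under admin/routers/adminhtml/args) for Magento 1 and app/etc/env.php ('backend' => ['frontName' => ...]) for Magento 2; the sample config fragments, the 8-character minimum and the nginx deployment are all assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

DEFAULT_FRONT_NAME = "admin"
MIN_FRONT_NAME_LENGTH = 8  # assumption: shorter custom paths are easy to guess

# Constructed sample configuration fragments, not taken from any real shop.
# Magento 1 keeps the admin path in app/etc/local.xml ...
SAMPLE_LOCAL_XML = """<?xml version="1.0"?>
<config>
  <global>
    <install><date><![CDATA[Tue, 03 Oct 2017 10:00:00 +0000]]></date></install>
  </global>
  <admin>
    <routers>
      <adminhtml>
        <args>
          <frontName><![CDATA[admin]]></frontName>
        </args>
      </adminhtml>
    </routers>
  </admin>
</config>
"""

# ... and Magento 2 keeps it under 'backend' => ['frontName' => ...] in app/etc/env.php.
SAMPLE_ENV_PHP = """<?php
return [
    'backend' => [
        'frontName' => 'shop_backoffice_7x2q'
    ],
    'crypt' => [
        'key' => 'PLACEHOLDER_KEY'
    ],
];
"""


def front_name_from_local_xml(xml_text: str) -> str:
    """Return the Magento 1 admin front name; a missing or empty node means the default applies."""
    root = ET.fromstring(xml_text)
    node = root.find("./admin/routers/adminhtml/args/frontName")
    if node is None or not (node.text or "").strip():
        return DEFAULT_FRONT_NAME
    return node.text.strip()


_ENV_FRONT_NAME = re.compile(r"""['"]frontName['"]\s*=>\s*['"]([^'"]*)['"]""")


def front_name_from_env_php(php_text: str) -> str:
    """Return the Magento 2 admin front name by regex over env.php
    (assumption: the value is a plain quoted string, as the installer writes it)."""
    match = _ENV_FRONT_NAME.search(php_text)
    if match is None or not match.group(1):
        return DEFAULT_FRONT_NAME
    return match.group(1)


def audit_admin_path(front_name: str) -> list:
    """List the problems with an admin path; an empty list means it passes."""
    findings = []
    if front_name.lower() == DEFAULT_FRONT_NAME:
        findings.append("default admin path 'admin' is in use")
    elif len(front_name) < MIN_FRONT_NAME_LENGTH:
        findings.append("custom admin path is shorter than %d characters" % MIN_FRONT_NAME_LENGTH)
    return findings


def nginx_admin_allowlist(front_name: str, allowed_cidrs: list) -> str:
    """Render an nginx location block that limits /<frontName>/ to the given networks.
    Assumption: nginx fronts the shop with Magento's usual try_files fallback;
    the /index.php/<frontName>/ URL form would need a separate regex location."""
    allow = "\n".join("    allow %s;" % cidr for cidr in allowed_cidrs)
    return ("location ^~ /%s/ {\n%s\n    deny all;\n"
            "    try_files $uri $uri/ /index.php$is_args$args;\n}\n") % (front_name, allow)


if __name__ == "__main__":
    for label, name in (("Magento 1 local.xml", front_name_from_local_xml(SAMPLE_LOCAL_XML)),
                        ("Magento 2 env.php", front_name_from_env_php(SAMPLE_ENV_PHP))):
        print(label, "->", name, audit_admin_path(name) or "ok")
    # 203.0.113.0/24 is a documentation range standing in for your office network.
    print(nginx_admin_allowlist("shop_backoffice_7x2q", ["203.0.113.0/24"]))
```

Run it against your own config files by reading them in place of the constructed samples; the audit flags the default path that the 23.17% figure above refers to, and the rendered block is the "restrict to your IPs" part of the same step.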

Not sure if your admin panel is secure? If you run a Disposable mail security check on your Magento website, the scanner will notify you when an exposed or disclosed Magento Admin panel is found.

Magento admin panel disclosure

Run a Disposable mail scan to check for Magento Admin Panel Disclosure

5. Stay up to date with the latest vulnerabilities

What is considered secure today could easily become vulnerable tomorrow, which is why reading up on the latest security research can help you keep your site secure. Magento’s Security Center is a good place to start – the center offers patch information as well as a number of security best practices for Magento users. However, when it comes to security, it’s always a good idea to have more than one source of information and that’s where automated tools come into play.

If you find security research a little overwhelming (don’t worry, we’ve all been there), automated security scanning tools like Disposable mail can help you out. Disposable mail’s researchers add new security tests to the scanner on a regular basis, ensuring that you can always check your site for the latest vulnerabilities.

Magento downloader vulnerability finding

Security never stands still. To help you stay one step ahead of hackers, we are always adding new security test modules to our scanner.

6. Monitor your Magento site’s security

Working with security is a long-term commitment, which is why we recommend testing your e-commerce store for vulnerabilities on a regular basis. Disposable mail tests your site for over 700 vulnerabilities (including security issues specific to Magento) and gives you a clear overview of its security status.

Disposable mail Magento findings

Your Disposable mail threat score is a handy summary of your site’s security status

The informative scan reports list all the security issues discovered, their severity level, and tips on how to fix them. Disposable mail not only looks for Magento-specific security issues, but also checks your company blog, email settings, and much more. You can schedule regular scans, which means Disposable mail will keep an eye on your site’s security while you focus on your customers.

Disposable mail report Magento findings

Check your Disposable mail report for the exact location of vulnerabilities

Ready to get on top of your site’s security? Sign up for our 14-day free trial (no credit card required) and check your Magento store for vulnerabilities!


More Magento security reading

Is your Magento store vulnerable? Why it’s time to put security first

Thousands of vulnerable Magento web stores out there

GDPR Compliance Checklist for eCommerce by our friends at Divante

[VIDEO SEMINAR] Magento security from a hacker’s perspective

Magento 2 Security Guide – An Actionable Checklist for 2019


[VIDEO SEMINAR] Magento security from a hacker’s perspective – 10 minute mail

Have you ever wondered how a hacker would analyze and attack a Magento website? We picked the brains of two ethical hackers to find out. Linus Särud, 18, and Fredrik Almroth, 27, share their best insights and advice on Magento security to help you keep your Magento store safe from hackers.

What you will learn in 15 minutes:

  • How Fredrik Almroth hacked one of the world’s largest e-commerce sites.
  • What any Magento website owner should know about security to be able to keep up with black-hat hackers.
  • A step-by-step explanation of how a hacker would analyze an e-commerce page.
  • What the most common Magento security issues are, based on our exclusive security data research on 30,000 Magento sites.
  • What to do if you are hacked.

Get the free video seminar
Sign up through this form and we will send you the video immediately by email, so that you can watch it whenever you want. We require double opt-in, so remember to check your spam filter if you don’t receive the confirmation email. And of course, the video seminar is free!


About the hackers
Fredrik Nordberg Almroth (Twitter: @almroot), 26, is internally known as the “Godfather of Hacking”, since he has basically hacked everything that can be legally hacked. Fredrik has been appointed Security Expert of the Future by Symantec, and was one of the people behind the well-known hack that gained read access to Google production servers, which earned him a bounty of 10,000 USD.

Linus Särud (Twitter: @_zulln), 18, started his career in IT security at the young age of 13. He has found serious security flaws in Google’s systems, written about IT security for IDG Sweden, and now works as a Security Researcher at Disposable mail in addition to going to high school. At Disposable mail, he is responsible for extensive security investigations, such as how top domains were vulnerable to email spoofing, writing articles, and guiding customers in support.


Disposable mail security updates for 4 April – 10 minute mail

For continuous coverage, we push out major Disposable mail security updates every two weeks, keeping our tool up to date with new findings, features and improvements sourced from our security researchers and the Crowdsource ethical hacker community. Due to confidentiality agreements, we cannot publicize all security update releases here, but they are immediately added to our scanner and available to all users. This post highlights a few things that we have improved in the last two weeks.

Magento Unauthenticated SQL Injection

The recent Magento vulnerability that made a lot of news was submitted together with a proper proof of concept. That means that we are able to actually test for the vulnerability, instead of just looking at the installed version of Magento. This minimizes false positives and creates a much more accurate report.

WordPress wp-google-maps SQL Injection

This was reported to us as a 0-day at the same time as the reporter notified the developers of the plugin. The plugin vendor acted quickly, and the patch for the plugin was released two days ago, as can be seen in the changelog.

Google Maps Unrestricted API Key Exposure

Google Maps provides an API for site owners who want to embed a map on their website. The API key can be configured in several different ways, and if a specific domain is not specified when setting it up, it is possible for other websites to embed a map using your API key. This is a paid API, so an unrestricted key could drastically increase your bill to Google, or prevent the map from functioning on your own site once the quota is exhausted.

Git Daemon Exposure

Not only do people accidentally expose configuration files that belong to Git; some also accidentally expose the Git daemon itself. When this happens, an attacker could connect to it and download the source code of a Git project.
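To see what "connect to it and download the source code" involves at the protocol level, and to check your own hosts for it, here is an added example (our own code, not from the original post or from the Git project) that speaks the first step of the git:// protocol: it sends a pkt-line framed git-upload-pack request to port 9418 and classifies the reply as a refs advertisement (repository exported and readable), an ERR line (daemon present but repository not exported) or nothing. The canned responses, the repository path /project.git and the localhost test server are constructed for the example; the ERR wording mirrors what the daemon sends when a repository is not exported.

```python
import re
import socket
import threading

FLUSH_PKT = b"0000"


def pkt_line(payload: bytes) -> bytes:
    """Encode one pkt-line: four hex digits giving the total length, then the payload."""
    return ("%04x" % (len(payload) + 4)).encode("ascii") + payload


def parse_pkt_lines(data: bytes):
    """Split a pkt-line stream into payloads, stopping at the first flush-pkt.
    Returns (payloads, complete); complete is True once a flush-pkt was seen."""
    payloads, pos = [], 0
    while pos + 4 <= len(data):
        length = int(data[pos:pos + 4], 16)
        if length == 0:
            return payloads, True
        if pos + length > len(data):   # partial line: wait for more bytes
            break
        payloads.append(data[pos + 4:pos + length])
        pos += length
    return payloads, False


def upload_pack_request(repo_path: str, host: str) -> bytes:
    """The request a git client sends to a daemon to start fetching a repository."""
    return pkt_line(("git-upload-pack %s\0host=%s\0" % (repo_path, host)).encode("utf-8"))


_REF_LINE = re.compile(rb"[0-9a-f]{40,64} ")   # "<object id> <refname>..." opens an advertisement


def classify_response(data: bytes) -> str:
    """exposed: refs advertised; refused: daemon sent an ERR line; no-response: nothing usable."""
    payloads, _ = parse_pkt_lines(data)
    if not payloads:
        return "no-response"
    first = payloads[0]
    if first.startswith(b"ERR "):
        return "refused"
    if _REF_LINE.match(first):
        return "exposed"
    return "unknown"


def probe_git_daemon(host: str, port: int = 9418, repo_path: str = "/", timeout: float = 5.0) -> str:
    """Ask the daemon on host:port for repo_path and classify what comes back."""
    received = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(upload_pack_request(repo_path, host))
        while True:
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            received += chunk
            payloads, complete = parse_pkt_lines(received)
            if complete or (payloads and payloads[0].startswith(b"ERR ")):
                break
    return classify_response(received)


# Constructed responses modelled on the daemon's two outcomes (not captured from a real host).
FAKE_SHA = b"a" * 40
SAMPLE_ADVERTISEMENT = (pkt_line(FAKE_SHA + b" HEAD\0multi_ack side-band-64k\n")
                        + pkt_line(FAKE_SHA + b" refs/heads/master\n") + FLUSH_PKT)
SAMPLE_REFUSAL = pkt_line(b"ERR access denied or repository not exported: /project.git")


def serve_canned(response: bytes) -> int:
    """One-shot localhost server replying with canned bytes, so the probe can be tried offline."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)

    def run():
        conn, _ = listener.accept()
        with conn:
            conn.recv(4096)
            conn.sendall(response)
        listener.close()

    threading.Thread(target=run, daemon=True).start()
    return listener.getsockname()[1]


if __name__ == "__main__":
    for label, canned in (("exported repo", SAMPLE_ADVERTISEMENT), ("unexported repo", SAMPLE_REFUSAL)):
        port = serve_canned(canned)
        print("%s on 127.0.0.1:%d -> %s" % (label, port, probe_git_daemon("127.0.0.1", port, "/project.git")))
```

Pointed at one of your own servers, "exposed" for any path means anonymous read access to that repository; the fix is to stop the daemon, bind it to an internal interface, or export only the repositories that are meant to be public (the daemon's `--export-all` and `git-daemon-export-ok` mechanisms decide what it serves).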


Questions or comments on our latest security updates? Let us know in the section below.

Begin a scan for the latest vulnerabilities today. Start a free trial with Disposable mail here!

Already have an account? Log in to check your assets.

Disposable mail is a continuous web security monitoring service that can be set up for automated scanning for 1000+ known vulnerabilities, including the OWASP Top 10. Check for the latest vulnerabilities!
