All posts by Tom P

Magento 2.2.3, 2.1.12 and 2.0.18 Security Update

Magento Commerce and Open Source 2.2.3, 2.1.12 and 2.0.18 contain multiple security enhancements that help close Cross-Site Scripting (XSS), authenticated Admin user remote code execution (RCE) and other vulnerabilities. The releases include additional functional fixes. To find out more about the functional fixes please check Release Notes for Magento Commerce 2.0.182.1.122.2.3 and Magento Open Source 2.0.182.1.122.2.3.

Merchants who have not previously downloaded a Magento 2 release should go straight to Magento Commerce or Open Source 2.2.3.

Please refer to Security Best Practices for additional information how to secure your site.

As always, install the patch in a development environment and test before applying it to your live site.

If you need any assistance with security patch updates, please send an email to: magento@eboundhost.com or contact your Account Manager at eBoundHost.

Visit the official Magento site for more details:
https://magento.com/security/patches/magento-223-2112-and-2018-security-update

Magento Security Patch Update: SUPEE-10570

SUPEE-10570, Magento Commerce 1.14.3.8 and Open Source 1.9.3.8 contain multiple security enhancements that help close remote code execution (RCE), cross-site scripting (XSS), and other issues. These releases also include small functional fixes listed in the release notes.

As always, install the patch in a development environment and test before applying it to your live site.

If you need any assistance with security patch updates, please send an email to: magento@eboundhost.com or contact your Account Manager at eBoundHost.

Visit the official Magento site for more details:

https://magento.com/security/patches/supee-10570

 

Magento Security Patch 10415 Reminder

SUPEE-10415, Magento Commerce 1.14.3.7 and Open Source 1.9.3.7 contain multiple security enhancements that help close cross-site request forgery (CSRF), Denial-of-Service (DoS) and authenticated Admin user remote code execution (RCE) vulnerabilities. These releases also include a fix for prior customers that had experienced issues patching caused by SOAP v1 interactions in WSDL.

As always, install the patch in a development environment and test before applying it to your live site.

If you need any assistance with security patch updates, please send an email to: magento@eboundhost.com or contact your Account Manager at eBoundHost.

For your convenience, we have quoted some of the announcement from Magento’s Forum down below.  Visit the official Magento site for more details:

https://magento.com/security/patches/supee-10415

11 Updates:

APPSEC-1330: Unsanitized input leading to denial of service
APPSEC-1885: Stored XSS in Product Descriptions
APPSEC-1892: Stored XSS in Visual Merchandiser
APPSEC-1894: Remote Code Execution by leveraging unsafe unserialization
APPSEC-1897: Fix WSDL based patching to work with SOAP V1
APPSEC-1913: Remote Code Execution through Config Manipulation
APPSEC-1914: Stored XSS in CMS Page Area
APPSEC-1915: Remote Code Execution in CMS Page Area
APPSEC-1325: Stored XSS in Billing Agreements
APPSEC-1830: PHP Object Injection in product attributes leading to Remote Code Execution
APPSEC-1861: PHP Object Injection in product entries leading to Remote Code Execution

Magento Security Announcement Reminder

Magento has released a new patch that covers critical vulnerabilities.

Magento Commerce and Open Source 2.2.1, 2.1.10 and 2.0.17 contain multiple security enhancements that help close Cross-Site Scripting (XSS), Local File Inclusion (LFI), authenticated Admin user remote code execution (RCE) and Arbitrary File Delete vulnerabilities.

As always, install the patch in a development environment and test before applying it to your live site.

If you need any assistance with security patch updates, please send an email to: magento@eboundhost.com or contact your Account Manager at eBoundHost.

For your convenience, we have quoted some of the announcement from Magento’s Forum down below.  Visit the official Magento site for more details:

https://magento.com/security/patches/magento-221-2110-and-2017-security-update

10 Updates:

APPSEC-1325: Stored XSS in Billing Agreements
APPSEC-1825: PHP Object Injection in E-mail templates leading to Remote Code Execution
APPSEC-1830: PHP Object Injection in product attributes leading to Remote Code Execution
APPSEC-1861: PHP Object Injection in product entries leading to Remote Code Execution
APPSEC-1881: PHP Object Injection in Downloadable Products leading to Remote Code Execution
APPSEC-1893: PHP Object Injection in product metadata leading to Remote Code Execution
APPSEC-1900: Remote Code Execution by leveraging 1st stage unsanitized form input
APPSEC-1910: Local File Inclusion (LFI) in Import History
APPSEC-1930: PHP Object Injection in Widgets leading to Remote Code Execution
APPSEC-1931: PHP Object Injection in Zend Framework leading to Arbitrary File Deletion

Comcast Outage, November 6th, 2017

At 12:04 pm CST (GMT -6), one of the major ISPs in the USA, Comcast, experienced “an external network issue” that caused a portion of the Internet to become inaccessible to users.  Comcast has such a wide reach that both individuals and businesses were impacted.  To those affected, it seemed that some websites went off-the-air and simply did not respond.

Comcast announced that issues were resolved at 4:34 pm CST.

Check http://downdetector.com/status/comcast-xfinity/map/ for comments from those impacted.

Magento Sites – A Must-Do List To Prepare For Black Friday

How much revenue will you lose this holiday season if your Magento site goes down because of too much visitor traffic?  Prevent this by following our Magento Hosting Checklist.

 

“75 percent of all smartphone and tablet users said they would abandon a retailer’s mobile site or app if it was buggy, slow or prone to crashes.”

CNBC Poll

Black Friday is coming fast.  With many shoppers streaming to your store, more than just your products and pricing will be evaluated. Customers are unwittingly also making decisions based on how quickly your site responds. If your server is slow or crashing due to an unusually high number of customers visiting your website, they are likely to abandon their cart. Don’t let your hard earned marketing dollars go to waste. Follow these simple steps to ensure that the busiest time of the year is also going to be your most profitable and least frustrating.

Magento Hosting Checklist – Preparing Your Site for Black Friday

  1. Test your site
  2. Estimate traffic
  3. Increase capacity of your web servers and database
  4. Block malicious bot abuse
  5. Add Magento booster servers to handle traffic spikes
  6.  Contact Us If you need a turn-key solution

Test Your Site

With heavy spikes in traffic around the holiday season, your site can become slow with an increase in page loading times. The speed of your site can affect your bottom line. Run a load test on your site to determine the relationship between page load times and visitors.  Be careful not to disrupt your business during high volume hours if you are testing the production site – this can cause the site to become slow or even go down. Ideally, run the load test on your staging server.  There are various tools out there that you can use for load testing.  Let’s look at an example below that was benchmarked with Load Impact.

Notice the yellow arrow in the simulation below?  This test revealed that the page load times started to increase with about 400 users.  Now, look at the red arrow.  Page load times shot up to almost 20 seconds with approx. 480 simulated visitors.

If your marketing efforts lead to an increase in traffic (more than 400 users in this example), then you need to consider adding an extra booster server so you don’t lose out on any conversions. Let our Magento experts run a load test for you.  Send us an email:  magento@eboundhost.com

Estimate Traffic

How much of a traffic spike you can expect this year through your marketing efforts?  Do you plan on doubling, tripling or quadrupling your holiday traffic? Use Google Analytics to obtain your historic web visitor traffic data.

Gather Google Analytics web visitor data

A.  Within Google Analytics, navigate to AUDIENCE > OVERVIEW
B.  Set your date range to:  10/01/2016 – 10/01/2017
C.  Make a note of your highest “Daily Session” value

Example:  The highest daily session value in this screenshot is 1,000.


D. Calculate your “concurrent user” value
Users = Hourly Sessions x Average Session Duration (in seconds) / 3,600

Example: 500 x 60 / 3,600 = Approx. 8

 

Increase Capacity On Your Web Servers and Database

Increase your capacity by adding the appropriate caching technologies. There are several tools such as Varnish, Redis and CloudFlare that can help. One example of a popular front-end caching technology that will speed up your site is Varnish.  There are tutorials and guides available to help you with this.

http://devdocs.magento.com/guides/v2.0/config-guide/varnish/config-varnish-magento.html

Need assistance? Our Magento Success Team is available at  888-554-9990.

Block Malicious Bot Abuse

Block malicious bots/competitors and reduce more load by using a content delivery network.  Cloudflare’s expansive network identifies and blocks bots across 6 million properties with their predictive security feature. Their distribution network is powered by 118 data centers around the world.  You can get a free account by using this link:  https://www.cloudflare.com/plans/

We are proud to partner with CloudFlare.  All of our holiday booster servers include the service and setup of CloudFlare Pro.

 

Add Magento Booster Servers To Handle Traffic Spikes

Add Magento booster servers to handle your traffic spikes and stabilize your site during the holiday season.  Let’s look at an example of what the JetRails® Magento booster servers can do to prepare your site for the busy season.

In this example, we are working off an environment that consists of 2 servers (one web server and one database server).  The addition of 3 Magento JetRails® Booster Servers tripled the visitor capacity during peak times.

 

Contact Us

Make sure your web visitors don’t go to your competitors.  Our Magento Success Team is available to test your site and help you prepare for the holidays.  Load balanced Booster Servers are $500 each and can be set up by our engineers within days.  Contact us or call us at 888-554-9990 to get started now.

 

 

 

 

Meet Us At Shop.org – Researching The Newest Magento eCommerce Tactics

 

 

Shop.org is the annual e-commerce conference for digital retail thinkers and doers!  In an era where constant evolution is required to stay ahead of consumers, this event is bringing some of the most fascinating people, brands and thought-leaders to share stories of reinvention, transformation and steal-worthy ideas for making an impact in the e-commerce world today.

View the agenda:  https://shop.org/agenda

If you are going to be there or if you would like us to research any Magento related topics, let us know by filling out our contact form:

https://eboundhost.com/magento/contact-us.php

Our primary objectives at Shop.org are getting new insights on:

  • Better search engine ranking due to faster infrastructure and rapid content delivery
  • Higher conversion rates due to reduced friction and faster response times
  • Reduction of operational burdens
  • E-commerce focused best practices for operations
  • Best-of-breed technological integration

Additional topics that will be covered for our customers:

  • Omnichannel profitability
  • Personalizing Amazon
  • The best alternative to Amazon
  • “I have to double my business this year, how do I do it?”
  • Sourcing new customers with artificial intelligence
  • Real-time analytics for Magento
  • Improving Magento speed
  • Online journey hijacking: The problem, the scale, and the solution

Let us know what your challenges are.  We’re here to help.

Magento Security Announcement Reminder: SUPEE 10266

Magento has released a new patch that covers critical vulnerabilities.

SUPEE-10266, Magento Commerce (Enterprise) 1.14.3.6 and Open Source (Community) 1.9.3.6 contain multiple security enhancements that help close cross-site request forgery (CSRF), unauthorized data leak, and authenticated Admin user remote code execution vulnerabilities. These releases also include fixes for issues with image reloading and payments using one-step checkout.

As always, install the patch in a development environment and test before applying it to your live site.

If you need any assistance with security patch updates, please send an email to: magento@eboundhost.com or contact your Account Manager at eBoundHost.

For your convenience, we have quoted some of the announcement from Magento’s Forum below.  Read the rest on the Magento site.

 

13 Updates:

APPSEC-1838: RSS session admin cookie can be used to gain Magento administrator privileges.
APPSEC-1800: Remote Code Execution vulnerability in CMS and layouts
APPSEC-1835: Exposure of Magento secret key from app/etc/local.xml
APPSEC-1757: Directory traversal in template configuration
APPSEC-1852: CSRF + Stored Cross Site Scripting (customer group)
APPSEC-1494: AdminNotification Stored XSS
APPSEC-1793: Potential file uploads solely protected by .htaccess
APPSEC-1853: CSRF + Stored Cross Site Scripting in newsletter template
APPSEC-1729: XSS in admin order view using order status label in Magento
APPSEC-1579: Customer Segment Delete Action uses GET instead of POST request
APPSEC-1588: Order Item Custom Option Disclosure
APPSEC-1599: Admin login does not handle autocomplete feature correctly
APPSEC-1688: Secure cookie check to prevent MITM not expiring user sessions

Please refer to SECURITY BEST PRACTICES for additional information on how to secure your site.

Be sure to implement and test the patch in a development environment first to confirm that it works as expected before deploying it to a production site.

CloudFlare Phishing attempt discovered September 7th, 2017

Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message. The recipient is then tricked into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack or the revealing of sensitive information.

On Thursday, September 7th a group of scammers sent emails phishing for CloudFlare credentials. The email appears to come from “Cloudflare Abuse Department”, but you will see that the email did not actually come from Cloudflare.  It came from a freshdesk email account which is not associated with Cloudflare.

 

The email also contains a link to lead the recipient to review the complaint and takes them to https://cloudflarecompliancedept.site/support/.

The site looks like the Official Cloudflare login page and even has an SSL certificate that appears to be valid.  Upon investigation, the SSL certificate is a free certificate that can be obtained easily.

You can even find the fake freshdesk login page by visiting https://cloudflareabuse.freshdesk.com/support/home

This phishing attempt was very well thought out, all the way down to the smallest detail.  To the average person opening their emails, it would be very difficult to identify this as  malicious.

What you can do

While the malicious email looked completely legit, there was one key giveaway: The mail was sent from a domain that is not associated with Cloudflare.

If you received an email from support@cloudflareabuse.freshdesk.com, report it as phishing by notifying your email provider. Then delete it.

If you do click on the malicious link, do not attempt to log into the account.

If, unfortunately, you fell for the scam and granted permission to the hackers,  get in touch with CloudFlare directly.  While you’re at it, it’s a good idea to change your passwords.

Here is the official Cloudflare link to visit if you encounter the scam:
https://support.cloudflare.com/hc/en-us/articles/200167736-How-do-I-file-a-phishing-complaint-

Rest assured that the eBoundHost JetRails eCommerce Team is actively working with Cloudflare on this discovery.  As of 12:54 PM CST, it appears that the malicious domain was taken down.  That does not mean the original attacker is not still active.  Please take caution with any emails and access points and reach out to the JetRails team with any questions or concerns:  888-554-9990 or support@eboundhost.com

 

Magento Security Announcement Reminder: SUPEE 9767

Magento has released a new patch that covers critical vulnerabilities.
Attackers are disabling a configuration protection after gaining admin access and are uploading malicious code.  Use of the AllowSymlinks option in configuration settings can enable the upload of an image that contains malicious code. Although this option is disabled by default, an attacker with access to store configuration settings can enable it and remotely execute code.

As always, install the patch in a development environment and test before applying it to your live site.

If you need any assistance with security patch updates, please send an email to: magento@eboundhost.com or contact your Account Manager at eBoundHost.

For your convenience, we have quoted some of the announcement from Magento’s Forum below.  Read the rest on the Magento site.

Today, Magento is releasing new updates to increase product security and functionality. The releases contain over 15 security enhancements and Magento 2.x updates that also address image resizing and MasterCard BIN number expansion. We strongly recommend that all merchants upgrade to these versions as soon as is reasonably possible.

 

These releases include:

 

 

  • Support for MasterCard BIN number expansion. MasterCard recently added a new series of Bank Identification Numbers (BIN). While certain Magento versions already support the new BINs, merchants using the following versions must upgrade or apply a patch by June 30, 2017 or face potential fines from MasterCard and lost sales:
    • Enterprise and Community Edition 2.1.2 or earlier
    • All Enterprise and Community Edition 2.0.x releases
    • Enterprise Edition 1.14.2.x or earlier releases
    • Community Edition 1.9.2.x or earlier releases

 

More information is available at MasterCard BIN Range Update.

 

  • Reversion of the changes to image resizing that we introduced in Magento 2.1.6. Certain image resizing changes introduced unanticipated problems. We have reverted these changes in this release, and will provide improvements to image resizing in a future product update. See the Magento 2.1.7 Enterprise Edition Release Notes for additional information you may need to take when upgrading from Magento 2.1.6 or 2.1.5 to this release.

 

Download and install the Enterprise Edition updates by logging into My Account and navigating to the version you want to download. Community Edition software is available in the Release Archive of the Community Edition download page.

 

(See How to get the Magento software for a discussion of Magento 2.x installation procedures, and How to Apply and Revert Magento Patches for Magento 1.x instructions.)

Please refer to SECURITY BEST PRACTICES for additional information on how to secure your site.

 

Meet us at Imagine Magento eCommerce Conference in Las Vegas

The eBoundHost Magento Team is very excited to attend the Imagine Magento Conference in Las Vegas (April 3rd – 5th).  Now in its 7th year, this event brings together 2,500+ merchants, partners, developers and commerce experts from 45+ countries to network, exchange ideas and build relationships.  Imagine Commerce 2017 offers an opportunity for senior executives, marketers, developers, merchandisers and eCommerce visionaries from leading merchants, web design agencies, system integrators and technology innovators to collaborate and share the latest inspirations, technologies, techniques, and strategies transforming commerce.

If you are going to the conference, let us know.  We’ll meet you there!

eBoundHost clients not affected by Cloudbleed

What is Cloudbleed?

Cloudbleed (also known as CloudLeak and CloudFlare Bug) is a security bug discovered on February 17, 2017 affecting Cloudflare’s reverse proxies, which caused their edge servers to run past the end of a buffer and return memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data.

As a result, data from one Cloudflare customer were leaked out and went to any other CloudFlare customers that happened to be in the server’s memory on that particular moment. Some of this data was cached by search engines.

Are eBoundHost customers affected by Cloudbleed?

We have confirmed that none of our clients are affected by CloudBleed.  You can read Cloudflare’s official description of Cloudbleed here.

 

Magento Security Announcement Reminder: SUPEE-9652

Magento has released a new patch that covers critical vulnerabilities.
Magento has released a new patch, SUPEE-9652, which includes fixes for critical vulnerabilities.  Stores left un-patched are placed at significant risk, and we recommend that all Magento store owners apply the patch as soon as possible.

As always, install the patch in a development environment and test before applying it to your live site.

If you need any assistance with security patch updates, please send an email to: magento@eboundhost.com or contact your Account Manager at eBoundHost.

For your convenience we have quoted some of the announcement from Magento below.  Read the rest on the Magento site.


ANNOUNCEMENT FROM MAGENTO:

SUPEE-9652, Enterprise Edition 1.14.3.2 and Community Edition 1.9.3.2 address the Zend library vulnerability described below.

Information on all the changes in 1.14.3.2 and 1.9.3.2 releases is available in the ENTERPRISE EDITION and COMMUNITY EDITION RELEASE NOTES.

Patches and upgrades are available for the following Magento versions:

  • Enterprise Edition 1.9.0.0-1.14.3.1: SUPEE-9652 or upgrade to Enterprise Edition 1.14.3.2
  • Community Edition 1.5.0.1-1.9.3.1: SUPEE-9652 or upgrade to Community Edition 1.9.3.2

To download a patch or release, choose from the following options:

Partners:

Enterprise Edition 1.14.3.2 PARTNER PORTAL > Magento Enterprise Edition > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Version 1.x Releases > Version 1.14.3.2
SUPEE-9652 PARTNER PORTAL > Magento Enterprise Edition > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Support and Security Patches > Security Patches > Security Patches – February 2017

Enterprise Edition Merchants:

Enterprise Edition 1.14.3.2 MY ACCOUNT > Downloads Tab > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Version
1.x Releases > Version 1.14.3.2
SUPEE-9652 MY ACCOUNT > Downloads Tab > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Support and Security Patches > Security Patches > Security Patches – Februrary 2017

Community Edition Merchants:

Community Edition 1.9.3.2 COMMUNITY EDITION DOWNLOAD PAGE > Release Archive Tab
SUPEE-9652 COMMUNITY EDITION DOWNLOAD PAGE > Release Archive Tab > Magento Community Edition Patches – 1.x Section

 

APPSEC-1746 – Remote Code Execution using mail vulnerability
Type: Remote code execution (RCE)
CVSSv3 Severity: 9.8 (Critical)
Known Attacks: None
Description: Zend Framework 1 vulnerability can be remotely exploited to execute code in Magento 1. While the issue is not reproducible in Magento 2, the library code is the same so it was fixed as well.

Note: while the vulnerability is scored as critical, few systems are affected. To be affected by the vulnerability the installation has to:

– use sendmail as the mail transport agent

– have specific, non-default configuration settings as described HERE.

Product(s) Affected: Magento Community Edition prior to 1.9.3.2, and Magento Enterprise Edition prior to 1.14.3.2, Magento 2.1 versions prior to 2.1.4 and Magento 2.0 versions prior to 2.0.12
Fixed In: Community Edition 1.9.3.2, Enterprise Edition 1.14.3.2, SUPEE-9652, Magento 2.1.4, Magento 2.0.12
Reporter: natmchugh

Please refer to SECURITY BEST PRACTICES for additional information on how to secure your site.

Be sure to implement and test the patch in a development environment first to confirm that it works as expected before deploying it to a production site.

5 Tips to Increase Conversions with Site Search – Nextopia Guest Post

In 2017, it’s expected that online shopping revenue will surpass $1.5 trillion in worldwide sales, making the eCommerce industry one of the most valuable and profitable industries. Significant advancements in mobile and social shopping have altered the way we shop, and now it’s possible for consumers to shop instantaneously from their favorite designers from virtually anywhere all thanks to a few quick taps on their smartphones.

However, despite this projected growth, many retailers still fail at providing their customers with an exceptional online shopping experience, which can result in significantly low conversion rates.

To ensure all retailers are making the most of their on-site search and providing their customers with an exceptional shopping experience, we’ve put together five powerful tips that are proven to increase conversion rates and turn more browsers into buyers.

Have all Eyes on Your Search Box

The search box is an often overlooked yet powerful feature of an eCommerce store. The site search box is the pathway to improved sales, better user experience, and most importantly, higher conversion rates. If a shopper struggles to locate the search box, chances are they’ll abandon ship and head to a competitor’s site to complete their purchase, so having an easy to locate search box is key.

Here are two ways to improve conversions with your search box:

  1. Bold Placement

The first step to having a high-performing search box is to place it in a noticeable and convenient location where site visitors can locate it as soon as they arrive at your site.  The best spot is typically in the header of a web page, where it can be free from clutter and any distractions.

  1. Clean Design
    A search box with a clean design and clear instructions will entice users to perform a search. Take the time to ensure that all search fields (input field and ‘submit’ button) are clearly differentiated and easy to locate. Retailers should also include a recognizable search icon (a magnifying glass tends to work best) to help entice visitors to follow through with their search.

 


Include Autocomplete
Site search enhancement tools like autocomplete are a great addition to an eCommerce site because it helps direct customer to their desired product quickly and seamlessly. Autocomplete shows fast, accurate, and intelligent search results as soon as the customer begins typing – even
if a spelling mistake has been made – and is proven to increase conversions and sales for online retailers.

 


Optimize the ‘No Results Found’ Page

When a customer searches for an item that either isn’t in stock or that you don’t carry, rather than directing them to the dreaded ‘no results found’ page send them to an optimized landing page that will prevent them from abandoning the site and potentially lead to a sale.

You can prevent this from happening by providing similar product recommendations that they might find interesting and relevant or links back to the homepage, category pages, or the contact us page. This will help prevent visitors from leaving to go search on a competitor’s site and in turn, potentially lead to an increase in conversions.

Feature Product Images in Search Bar Results
To further improve your online site search, it’s important to include product images in the search results so site visitors can see products that are available without having to search through the product pages. Make sure that your product photos are clear in thumbnail form, and are flattering to your product. The chances of a customer buying increases when images are displayed along with a product description. Showing product images along with suggested search terms in your autocomplete will further help turn browsers into buyers.

 

Luxury Shirts


Get to Know Your Customers

As a retailer, your goal should always be to exceed the wants and needs of your customers and when you only provide your customers with basic site search this goal cannot be achieved.

The best way to truly get to know your customers is to learn what they are searching for and this can be done through your site search reports and analytics. These reports list all search terms entered on your site, and the number of times words and phrases have been searched. You can also review real-time reports on the most and least popular searched terms. These reports can be reviewed daily, weekly or monthly and they provide insight into how your eCommerce site can improve its on-site search experience, by understanding what your customers are searching for.

By reviewing your sites reports, you can see what terms are in top demand and what products are performing well. By having access to this information, you can optimize your site and showcase your top performing items.

By providing your customers with a more intuitive search and navigation, you’ll not only encounter higher conversion rates, but you’ll also develop a stronger relationship with your customers which will encourage them to come back and shop with you in the future.

This article was written by Ainsley Smith, a marketing coordinator at Nextopia. Nextopia provides site search, navigation and merchandising solutions for internet retailers.

New Zend Framework 1 Security Vulnerability

 

A new vulnerability has been found in a Zend Framework 1 and 2 EMAIL COMPONENT. The component is used by all Magento 1 and Magento 2 software and other PHP solutions. This vulnerability is serious and can lead to a remote code execution attack if your server uses Sendmail as a mail transport agent.

To protect your site from this vulnerability, you should immediately check your mail sending settings. Go to the system settings used to control the “Reply to” address for emails sent from your Magento store:

  • Magento 1: System-> Configuration-> Advanced-> System-> Mail Sending Settings-> Set Return-Path
  • Magento 2: Stores-> Configuration-> Advanced-> System-> Mail Sending Settings-> Set Return-Path

If “Set Return-Path” is set to “Yes,” and your server uses Sendmail, then your store is vulnerable to this exploit. Enterprise Cloud Edition customers do not need to worry about this issue. We’ve already checked your configuration and you are not at risk.

While we have not yet observed attacks using this vulnerability, the risk is very high. Until patches are available, we strongly recommend that you turn off the “Set Return-Path” setting (switch to “No”), regardless of the transport agent used. Magento is currently working to provide patches to close this vulnerability and we expect they will be available in the next several weeks.

Original Source:  https://magento.com/security/news/new-zend-framework-1-security-vulnerability

Vulnerability Announcement: Dirty COW (CVE-2016-5195)

dirty-cow

Dirty COW, also known as  CVE-2016-5195 is a serious vulnerability that affects most Linux Systems.  It’s a silly name for what happens to be a serious problem.

CVE-2016-5195 describes a privilege escalation vulnerability in the Linux Kernel that can allow a local user (like a web hosting account) to gain root access to the server. This can make a bad problem worse – if a Magento store is compromised, it can lead to the attacker taking over the entire server.

The vulnerability is present in all major Linux distributions.  What’s worse, attacks have been observed ‘in the wild’, even before patches were made available.

JetRails Magento clients with eBoundHost are not affected.

Read more about Dirty Cow here:  https://magento.com/security/vulnerabilities/new-linux-operating-system-vulnerability

Magento Security Announcement Reminder: SUPEE-8788

 

Magento has released a new patch that covers critical vulnerabilities.

 

Magento has released a new patch, SUPEE-8788, which includes fixes for critical vulnerabilities.  Stores left un-patched are placed at significant risk, and we recommend that all Magento store owners apply the patch as soon as possible.

As always, install the patch in a development environment and test before applying it to your live site. 

If you need any assistance with security patch updates, please send an email to: magento@eboundhost.com or contact your Account Manager at eBoundHost.

For your convenience we have quoted some of the announcement from Magento below.  Read the rest on the Magento site.


ANNOUNCEMENT FROM MAGENTO:

SUPEE-8788, Enterprise Edition 1.14.3 and Community Edition 1.9.3 address Zend framework and payment vulnerabilities, ensure sessions are invalidated after a user logs out, and make several other security enhancements that are detailed below.

Information on additional functional enhancements available the new 1.14.3 and 1.9.3 releases is available in the ENTERPRISE EDITION and COMMUNITY EDITION RELEASE NOTES.

Patches and upgrades are available for the following Magento versions:

  • Enterprise Edition 1.9.0.0-1.14.2.4: SUPEE-8788 or upgrade to Enterprise Edition 1.14.3
  • Community Edition 1.5.0.1-1.9.2.4: SUPEE-8788 or upgrade to Community Edition 1.9.3

To download a patch or release, choose from the following options:

Partners:

Enterprise Edition 1.14.3 PARTNER PORTAL > Magento Enterprise Edition > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Version 1.x Releases > Version 1.14.3
SUPEE-8788 PARTNER PORTAL > Magento Enterprise Edition > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Support and Security Patches > Security Patches > Security Patches – October 2016

Enterprise Edition Merchants:

Enterprise Edition 1.14.3 MY ACCOUNT > Downloads Tab > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Version
1.x Releases > Version 1.14.3
SUPEE-8788 MY ACCOUNT > Downloads Tab > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Support and Security Patches > Security Patches > Security Patches – October 2016

Community Edition Merchants:

Community Edition 1.9.3 COMMUNITY EDITION DOWNLOAD PAGE > Release Archive Tab
SUPEE-8788 COMMUNITY EDITION DOWNLOAD PAGE > Release Archive Tab > Magento Community Edition Patches – 1.x Section

 

Scaling Magento With Hardware – Dedicated Servers

jetrailscluster

This morning, I spoke with a customer who wants to prepare their environment for the upcoming holiday season.  Their Magento site is becoming an unexpected success story, growing by leaps and bounds, so they need a more robust hosting environment to keep up with their growth.  They were concerned about the difficulty of scaling on “bare metal” (meaning not-in-the-cloud) dedicated servers.

eBoundHost can seamlessly “scale up” your environment to prepare for holiday traffic and then back down again after the holidays are over.

The Amazon marketing team did a great job of putting out the message that you can only scale on AWS but it’s simply not true.  No matter where you host the same work has to be done to size, test, integrate and maintain the environment.  All of this work still has to be done on a public cloud and you would have to do it yourself. Its even easier to scale on the JetRails® platform because our engineers handle the entire process, you pick up the phone and we take care of it all.

Additionally, bare metal environment performs much better than comparable cloud packages because there is a virtualization penalty and time-share restrictions for CPU, RAM and disk I/O in the cloud.  With bare metal all the resources are fully yours, available at any time.

Dedicated hardware resources are less expensive to operate than a cloud environment.  In order to account for the uneven usage of the cloud, AWS deployments are typically 2-3 times more expensive than comparable bare metal servers.  There is simply no magic, the cloud is just servers in someone’s data center.

Expert help is always available.  If you have more questions about scaling for holiday traffic, call us (800) 554-9990.

Meet us at Imagine Magento eCommerce Conference in Las Vegas

imagine2016

eBoundHost Magento Team is very excited to attend the Imagine Magento Conference in Las Vegas (April 11th – 13th).  Now in its 6th year, this event brings together 2,500+ merchants, partners, developers and commerce experts from 45+ countries to network, exchange ideas and build relationships.  Imagine Commerce 2016 offers an opportunity for senior executives, marketers, developers, merchandisers and eCommerce visionaries from leading merchants, web design agencies, system integrators and technology innovators to collaborate and share the latest inspirations, technologies, techniques, and strategies transforming commerce.

If you are going to the conference, let us know.  We’ll meet you there!

 

Magento Security Announcement : SUPEE-7405 v1.1

Screen Shot 2015-10-27 at 7.01.56 PM

***If you need any assistance with security patch updates, please send an email to: support@eboundhost.com or contact your Account Manager at eBoundHost.

ANNOUNCEMENT FROM MAGENTO:

 

Today, we are distributing updates that improve our most recent security release. SUPEE-7405 v1.1, Enterprise Edition 1.14.2.4, and Community Edition 1.9.2.4 add support for PHP 5.3 and address issues with upload file permissions, merging carts, and SOAP APIs experienced with the original release. They DO NOT address any new security issues.

More information is provided on the Magento Security Center and in the Enterprise Edition and Community Edition release notes. All merchants must deploy the patch or upgrade to the new versions, even if they have not experienced any issues, to maintain compatibility with future releases. SUPEE-7405 v1.1 must also be deployed on top of the previous patch.

Patches and upgrades are available for the following Magento versions:

  • Enterprise Edition 1.9.0.0-1.14.2.3: SUPEE-7405 v1.1 or upgrade to Enterprise Edition 1.14.2.4
  • Community Edition 1.5.0.0-1.9.2.3: SUPEE-7405 v1.1 or upgrade to Community Edition 1.9.2.4


DOWNLOADING THE UPDATES

To download a patch or release, choose from the following options:

  • Partners:
  • Enterprise Edition 1.14.2.4
  • Partner Portal > Magento Enterprise Edition > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Version 1.x Releases > Version 1.14.2.4
  • SUPEE-7405 v1.1
  • Partner Portal > Magento Enterprise Edition > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Support and Security Patches > Security Patches > Security Patches – February 2016 
  • Enterprise Edition Merchants:
  • Enterprise Edition 1.14.2.4
  • My Account > Downloads Tab > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Version 1.x Releases > Version 1.14.2.4
  • SUPEE-7405 v1.1
  • My Account > Downloads Tab > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Support and Security Patches > Security Patches > Security Patches – February 2016
  • Community Edition Merchants:
  • Community Edition 1.9.2.4
  • SUPEE-7405 v1.1

Merchants should be sure to install all previous patches, if they haven’t done so already, and use this occasion to do a security assessment of their systems in accordance with our Security Best Practices. Patches should be installed and tested in a development environment before being put into production. More information on installing patches for Magento 1.x is available online.

Thank you for your attention and continued support.

Best regards,

The Magento Team