Magento Commerce and Open Source 2.2.3, 2.1.12 and 2.0.18 contain multiple security enhancements that help close Cross-Site Scripting (XSS), authenticated Admin user remote code execution (RCE) and other vulnerabilities. The releases include additional functional fixes. To find out more about the functional fixes please check Release Notes for Magento Commerce 2.0.18, 2.1.12, 2.2.3 and Magento Open Source 2.0.18, 2.1.12, 2.2.3.

Merchants who have not previously downloaded a Magento 2 release should go straight to Magento Commerce or Open Source 2.2.3.

Please refer to Security Best Practices for additional information how to secure your site.

As always, install the patch in a development environment and test before applying it to your live site.

If you need any assistance with security patch updates, please send an email to: magento@eboundhost.com or contact your Account Manager at eBoundHost.

Visit the official Magento site for more details:
https://magento.com/security/patches/magento-223-2112-and-2018-security-update

SUPEE-10570, Magento Commerce 1.14.3.8 and Open Source 1.9.3.8 contain multiple security enhancements that help close remote code execution (RCE), cross-site scripting (XSS), and other issues. These releases also include small functional fixes listed in the release notes.

As always, install the patch in a development environment and test before applying it to your live site.

If you need any assistance with security patch updates, please send an email to: magento@eboundhost.com or contact your Account Manager at eBoundHost.

Visit the official Magento site for more details:

https://magento.com/security/patches/supee-10570

SUPEE-10415, Magento Commerce 1.14.3.7 and Open Source 1.9.3.7 contain multiple security enhancements that help close cross-site request forgery (CSRF), Denial-of-Service (DoS) and authenticated Admin user remote code execution (RCE) vulnerabilities. These releases also include a fix for prior customers that had experienced issues patching caused by SOAP v1 interactions in WSDL.

As always, install the patch in a development environment and test before applying it to your live site.

If you need any assistance with security patch updates, please send an email to: magento@eboundhost.com or contact your Account Manager at eBoundHost.

For your convenience, we have quoted some of the announcement from Magento’s Forum down below.  Visit the official Magento site for more details:

https://magento.com/security/patches/supee-10415

11 Updates:

APPSEC-1330: Unsanitized input leading to denial of service
APPSEC-1885: Stored XSS in Product Descriptions
APPSEC-1892: Stored XSS in Visual Merchandiser
APPSEC-1894: Remote Code Execution by leveraging unsafe unserialization
APPSEC-1897: Fix WSDL based patching to work with SOAP V1
APPSEC-1913: Remote Code Execution through Config Manipulation
APPSEC-1914: Stored XSS in CMS Page Area
APPSEC-1915: Remote Code Execution in CMS Page Area
APPSEC-1325: Stored XSS in Billing Agreements
APPSEC-1830: PHP Object Injection in product attributes leading to Remote Code Execution
APPSEC-1861: PHP Object Injection in product entries leading to Remote Code Execution

Magento Commerce and Open Source 2.2.1, 2.1.10 and 2.0.17 contain multiple security enhancements that help close Cross-Site Scripting (XSS), Local File Inclusion (LFI), authenticated Admin user remote code execution (RCE) and Arbitrary File Delete vulnerabilities.

As always, install the patch in a development environment and test before applying it to your live site.

If you need any assistance with security patch updates, please send an email to: magento@eboundhost.com or contact your Account Manager at eBoundHost.

For your convenience, we have quoted some of the announcement from Magento’s Forum down below.  Visit the official Magento site for more details:

https://magento.com/security/patches/magento-221-2110-and-2017-security-update

10 Updates:

APPSEC-1325: Stored XSS in Billing Agreements
APPSEC-1825: PHP Object Injection in E-mail templates leading to Remote Code Execution
APPSEC-1830: PHP Object Injection in product attributes leading to Remote Code Execution
APPSEC-1861: PHP Object Injection in product entries leading to Remote Code Execution
APPSEC-1881: PHP Object Injection in Downloadable Products leading to Remote Code Execution
APPSEC-1893: PHP Object Injection in product metadata leading to Remote Code Execution
APPSEC-1900: Remote Code Execution by leveraging 1st stage unsanitized form input
APPSEC-1910: Local File Inclusion (LFI) in Import History
APPSEC-1930: PHP Object Injection in Widgets leading to Remote Code Execution
APPSEC-1931: PHP Object Injection in Zend Framework leading to Arbitrary File Deletion

At 12:04 pm CST (GMT -6), one of the major ISPs in the USA, Comcast, experienced “an external network issue” that caused a portion of the Internet to become inaccessible to users.  Comcast has such a wide reach that both individuals and businesses were impacted.  To those affected, it seemed that some websites went off-the-air and simply did not respond.

Comcast announced that issues were resolved at 4:34 pm CST.

Check http://downdetector.com/status/comcast-xfinity/map/ for comments from those impacted.

Shop.org is the annual e-commerce conference for digital retail thinkers and doers!  In an era where constant evolution is required to stay ahead of consumers, this event is bringing some of the most fascinating people, brands and thought-leaders to share stories of reinvention, transformation and steal-worthy ideas for making an impact in the e-commerce world today.

View the agenda:  https://shop.org/agenda

If you are going to be there or if you would like us to research any Magento related topics, let us know by filling out our contact form:

https://eboundhost.com/magento/contact-us.php

Our primary objectives at Shop.org are getting new insights on:

• Better search engine ranking due to faster infrastructure and rapid content delivery
• Higher conversion rates due to reduced friction and faster response times
• Reduction of operational burdens
• E-commerce focused best practices for operations
• Best-of-breed technological integration

Additional topics that will be covered for our customers:

• Omnichannel profitability
• Personalizing Amazon
• The best alternative to Amazon
• “I have to double my business this year, how do I do it?”
• Sourcing new customers with artificial intelligence
• Real-time analytics for Magento
• Improving Magento speed
• Online journey hijacking: The problem, the scale, and the solution

Let us know what your challenges are.  We’re here to help.

13 Updates:

APPSEC-1838: RSS session admin cookie can be used to gain Magento administrator privileges.
APPSEC-1800: Remote Code Execution vulnerability in CMS and layouts
APPSEC-1835: Exposure of Magento secret key from app/etc/local.xml
APPSEC-1757: Directory traversal in template configuration
APPSEC-1852: CSRF + Stored Cross Site Scripting (customer group)
APPSEC-1494: AdminNotification Stored XSS
APPSEC-1793: Potential file uploads solely protected by .htaccess
APPSEC-1853: CSRF + Stored Cross Site Scripting in newsletter template
APPSEC-1729: XSS in admin order view using order status label in Magento
APPSEC-1579: Customer Segment Delete Action uses GET instead of POST request
APPSEC-1588: Order Item Custom Option Disclosure
APPSEC-1599: Admin login does not handle autocomplete feature correctly
APPSEC-1688: Secure cookie check to prevent MITM not expiring user sessions

Please refer to SECURITY BEST PRACTICES for additional information on how to secure your site.

Be sure to implement and test the patch in a development environment first to confirm that it works as expected before deploying it to a production site.

Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message. The recipient is then tricked into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack or the revealing of sensitive information.

On Thursday, September 7th a group of scammers sent emails phishing for CloudFlare credentials. The email appears to come from “Cloudflare Abuse Department”, but you will see that the email did not actually come from Cloudflare.  It came from a freshdesk email account which is not associated with Cloudflare.

The email also contains a link to lead the recipient to review the complaint and takes them to https://cloudflarecompliancedept.site/support/.

The site looks like the Official Cloudflare login page and even has an SSL certificate that appears to be valid.  Upon investigation, the SSL certificate is a free certificate that can be obtained easily.

You can even find the fake freshdesk login page by visiting https://cloudflareabuse.freshdesk.com/support/home

This phishing attempt was very well thought out, all the way down to the smallest detail.  To the average person opening their emails, it would be very difficult to identify this as  malicious.

What you can do

While the malicious email looked completely legit, there was one key giveaway: The mail was sent from a domain that is not associated with Cloudflare.

If you received an email from support@cloudflareabuse.freshdesk.com, report it as phishing by notifying your email provider. Then delete it.

If you do click on the malicious link, do not attempt to log into the account.

If, unfortunately, you fell for the scam and granted permission to the hackers,  get in touch with CloudFlare directly.  While you’re at it, it’s a good idea to change your passwords.

Here is the official Cloudflare link to visit if you encounter the scam:
https://support.cloudflare.com/hc/en-us/articles/200167736-How-do-I-file-a-phishing-complaint-

Rest assured that the eBoundHost JetRails eCommerce Team is actively working with Cloudflare on this discovery.  As of 12:54 PM CST, it appears that the malicious domain was taken down.  That does not mean the original attacker is not still active.  Please take caution with any emails and access points and reach out to the JetRails team with any questions or concerns:  888-554-9990 or support@eboundhost.com

Attackers are disabling a configuration protection after gaining admin access and are uploading malicious code.  Use of the AllowSymlinks option in configuration settings can enable the upload of an image that contains malicious code. Although this option is disabled by default, an attacker with access to store configuration settings can enable it and remotely execute code.

As always, install the patch in a development environment and test before applying it to your live site.

If you need any assistance with security patch updates, please send an email to: magento@eboundhost.com or contact your Account Manager at eBoundHost.

For your convenience, we have quoted some of the announcement from Magento’s Forum below.  Read the rest on the Magento site.

Today, Magento is releasing new updates to increase product security and functionality. The releases contain over 15 security enhancements and Magento 2.x updates that also address image resizing and MasterCard BIN number expansion. We strongly recommend that all merchants upgrade to these versions as soon as is reasonably possible.

These releases include:

• Multiple critical security enhancements. These updates help close access control bypass, CSRF, and authenticated Admin user remote code execution vulnerabilities. See Magento 2.0.14 and 2.1.7 Security Patches and SUPEE-9767 Security Patches for more information.

• Support for MasterCard BIN number expansion. MasterCard recently added a new series of Bank Identification Numbers (BIN). While certain Magento versions already support the new BINs, merchants using the following versions must upgrade or apply a patch by June 30, 2017 or face potential fines from MasterCard and lost sales:
  • Enterprise and Community Edition 2.1.2 or earlier
  • All Enterprise and Community Edition 2.0.x releases
  • Enterprise Edition 1.14.2.x or earlier releases
  • Community Edition 1.9.2.x or earlier releases

More information is available at MasterCard BIN Range Update.

• Reversion of the changes to image resizing that we introduced in Magento 2.1.6. Certain image resizing changes introduced unanticipated problems. We have reverted these changes in this release, and will provide improvements to image resizing in a future product update. See the Magento 2.1.7 Enterprise Edition Release Notes for additional information you may need to take when upgrading from Magento 2.1.6 or 2.1.5 to this release.

Download and install the Enterprise Edition updates by logging into My Account and navigating to the version you want to download. Community Edition software is available in the Release Archive of the Community Edition download page.

(See How to get the Magento software for a discussion of Magento 2.x installation procedures, and How to Apply and Revert Magento Patches for Magento 1.x instructions.)

Please refer to SECURITY BEST PRACTICES for additional information on how to secure your site.

The eBoundHost Magento Team is very excited to attend the Imagine Magento Conference in Las Vegas (April 3rd – 5th).  Now in its 7th year, this event brings together 2,500+ merchants, partners, developers and commerce experts from 45+ countries to network, exchange ideas and build relationships.  Imagine Commerce 2017 offers an opportunity for senior executives, marketers, developers, merchandisers and eCommerce visionaries from leading merchants, web design agencies, system integrators and technology innovators to collaborate and share the latest inspirations, technologies, techniques, and strategies transforming commerce.

If you are going to the conference, let us know.  We’ll meet you there!

What is Cloudbleed?

Cloudbleed (also known as CloudLeak and CloudFlare Bug) is a security bug discovered on February 17, 2017 affecting Cloudflare’s reverse proxies, which caused their edge servers to run past the end of a buffer and return memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data.

As a result, data from one Cloudflare customer were leaked out and went to any other CloudFlare customers that happened to be in the server’s memory on that particular moment. Some of this data was cached by search engines.

Are eBoundHost customers affected by Cloudbleed?

We have confirmed that none of our clients are affected by CloudBleed.  You can read Cloudflare’s official description of Cloudbleed here.

Magento has released a new patch, SUPEE-9652, which includes fixes for critical vulnerabilities.  Stores left un-patched are placed at significant risk, and we recommend that all Magento store owners apply the patch as soon as possible.

As always, install the patch in a development environment and test before applying it to your live site.

If you need any assistance with security patch updates, please send an email to: magento@eboundhost.com or contact your Account Manager at eBoundHost.

For your convenience we have quoted some of the announcement from Magento below.  Read the rest on the Magento site.

In 2017, it’s expected that online shopping revenue will surpass $1.5 trillion in worldwide sales, making the eCommerce industry one of the most valuable and profitable industries. Significant advancements in mobile and social shopping have altered the way we shop, and now it’s possible for consumers to shop instantaneously from their favorite designers from virtually anywhere all thanks to a few quick taps on their smartphones.

However, despite this projected growth, many retailers still fail at providing their customers with an exceptional online shopping experience, which can result in significantly low conversion rates.

To ensure all retailers are making the most of their on-site search and providing their customers with an exceptional shopping experience, we’ve put together five powerful tips that are proven to increase conversion rates and turn more browsers into buyers.

Have all Eyes on Your Search Box

The search box is an often overlooked yet powerful feature of an eCommerce store. The site search box is the pathway to improved sales, better user experience, and most importantly, higher conversion rates. If a shopper struggles to locate the search box, chances are they’ll abandon ship and head to a competitor’s site to complete their purchase, so having an easy to locate search box is key.

Here are two ways to improve conversions with your search box:

1. Bold Placement

The first step to having a high-performing search box is to place it in a noticeable and convenient location where site visitors can locate it as soon as they arrive at your site.  The best spot is typically in the header of a web page, where it can be free from clutter and any distractions.

1. Clean Design
   A search box with a clean design and clear instructions will entice users to perform a search. Take the time to ensure that all search fields (input field and ‘submit’ button) are clearly differentiated and easy to locate. Retailers should also include a recognizable search icon (a magnifying glass tends to work best) to help entice visitors to follow through with their search.

Include Autocomplete
Site search enhancement tools like autocomplete are a great addition to an eCommerce site because it helps direct customer to their desired product quickly and seamlessly. Autocomplete shows fast, accurate, and intelligent search results as soon as the customer begins typing – even if a spelling mistake has been made – and is proven to increase conversions and sales for online retailers.

Optimize the ‘No Results Found’ Page

When a customer searches for an item that either isn’t in stock or that you don’t carry, rather than directing them to the dreaded ‘no results found’ page send them to an optimized landing page that will prevent them from abandoning the site and potentially lead to a sale.

You can prevent this from happening by providing similar product recommendations that they might find interesting and relevant or links back to the homepage, category pages, or the contact us page. This will help prevent visitors from leaving to go search on a competitor’s site and in turn, potentially lead to an increase in conversions.

Feature Product Images in Search Bar Results
To further improve your online site search, it’s important to include product images in the search results so site visitors can see products that are available without having to search through the product pages. Make sure that your product photos are clear in thumbnail form, and are flattering to your product. The chances of a customer buying increases when images are displayed along with a product description. Showing product images along with suggested search terms in your autocomplete will further help turn browsers into buyers.

Get to Know Your Customers

As a retailer, your goal should always be to exceed the wants and needs of your customers and when you only provide your customers with basic site search this goal cannot be achieved.

The best way to truly get to know your customers is to learn what they are searching for and this can be done through your site search reports and analytics. These reports list all search terms entered on your site, and the number of times words and phrases have been searched. You can also review real-time reports on the most and least popular searched terms. These reports can be reviewed daily, weekly or monthly and they provide insight into how your eCommerce site can improve its on-site search experience, by understanding what your customers are searching for.

By reviewing your sites reports, you can see what terms are in top demand and what products are performing well. By having access to this information, you can optimize your site and showcase your top performing items.

By providing your customers with a more intuitive search and navigation, you’ll not only encounter higher conversion rates, but you’ll also develop a stronger relationship with your customers which will encourage them to come back and shop with you in the future.

This article was written by Ainsley Smith, a marketing coordinator at Nextopia. Nextopia provides site search, navigation and merchandising solutions for internet retailers.

Dirty COW, also known as  CVE-2016-5195 is a serious vulnerability that affects most Linux Systems.  It’s a silly name for what happens to be a serious problem.

CVE-2016-5195 describes a privilege escalation vulnerability in the Linux Kernel that can allow a local user (like a web hosting account) to gain root access to the server. This can make a bad problem worse – if a Magento store is compromised, it can lead to the attacker taking over the entire server.

The vulnerability is present in all major Linux distributions.  What’s worse, attacks have been observed ‘in the wild’, even before patches were made available.

JetRails Magento clients with eBoundHost are not affected.

Read more about Dirty Cow here:  https://magento.com/security/vulnerabilities/new-linux-operating-system-vulnerability

Magento has released a new patch, SUPEE-8788, which includes fixes for critical vulnerabilities.  Stores left un-patched are placed at significant risk, and we recommend that all Magento store owners apply the patch as soon as possible.

As always, install the patch in a development environment and test before applying it to your live site. 

If you need any assistance with security patch updates, please send an email to: magento@eboundhost.com or contact your Account Manager at eBoundHost.

For your convenience we have quoted some of the announcement from Magento below.  Read the rest on the Magento site.

ANNOUNCEMENT FROM MAGENTO:

This morning, I spoke with a customer who wants to prepare their environment for the upcoming holiday season.  Their Magento site is becoming an unexpected success story, growing by leaps and bounds, so they need a more robust hosting environment to keep up with their growth.  They were concerned about the difficulty of scaling on “bare metal” (meaning not-in-the-cloud) dedicated servers.

eBoundHost can seamlessly “scale up” your environment to prepare for holiday traffic and then back down again after the holidays are over.

The Amazon marketing team did a great job of putting out the message that you can only scale on AWS but it’s simply not true.  No matter where you host the same work has to be done to size, test, integrate and maintain the environment.  All of this work still has to be done on a public cloud and you would have to do it yourself. Its even easier to scale on the JetRails® platform because our engineers handle the entire process, you pick up the phone and we take care of it all.

Additionally, bare metal environment performs much better than comparable cloud packages because there is a virtualization penalty and time-share restrictions for CPU, RAM and disk I/O in the cloud.  With bare metal all the resources are fully yours, available at any time.

Dedicated hardware resources are less expensive to operate than a cloud environment.  In order to account for the uneven usage of the cloud, AWS deployments are typically 2-3 times more expensive than comparable bare metal servers.  There is simply no magic, the cloud is just servers in someone’s data center.

Expert help is always available.  If you have more questions about scaling for holiday traffic, call us (800) 554-9990.

eBoundHost Magento Team is very excited to attend the Imagine Magento Conference in Las Vegas (April 11th – 13th).  Now in its 6th year, this event brings together 2,500+ merchants, partners, developers and commerce experts from 45+ countries to network, exchange ideas and build relationships.  Imagine Commerce 2016 offers an opportunity for senior executives, marketers, developers, merchandisers and eCommerce visionaries from leading merchants, web design agencies, system integrators and technology innovators to collaborate and share the latest inspirations, technologies, techniques, and strategies transforming commerce.

If you are going to the conference, let us know.  We’ll meet you there!

***If you need any assistance with security patch updates, please send an email to: support@eboundhost.com or contact your Account Manager at eBoundHost.

ANNOUNCEMENT FROM MAGENTO: