Category Archives: Hosting

Magento Releases SUPEE-10975 Patch, Magento Commerce 1.14.4, Open Source 1.9.4, and 2.3.0

 

Last week, Magento had quite a few new updates for Magento 1 and Magento 2. These new releases incorporate valuable updates for security and site functionality.

For Magento 1, security patch SUPEE-10975 was released alongside Magento Commerce version 1.14.4.0 and Open Source 1.9.4.0. All three contain multiple security enhancements that help mitigate remote code execution (RCE), cross-site scripting (XSS), cross-site request forgery (CSRF) and other vulnerabilities. For additional details, please feel free to check out the following resources:

The latest version of Magento 2, 2.3.0, has been released as well. It comes with several new tools to improve the experience for both merchants and developers. Below is a list of some of the key new features:

  • Multi-Source Inventory: allows you to manage inventory across several physical locations from within the Magento Admin
  • Progressive Web Apps (PWA) Studio: gives you the tools to affordably build an exceptional mobile experience
  • Page Builder: provides you drag and drop tools to allow non-technical users the ability to generate content easily

For more information regarding Magento 2.3.0, please feel free to check out Magento’s blog, Magento 2.3: New Tools to Fuel Growth in 2019, the Magento 2.3.0 Release Notes, and the JetRails Blog posts with information about recent Magento News, and information shared at Meet Magento NYC 2018.

If you have any questions, please let us know. Also, make sure to test thoroughly before updating your production sites as extensions or custom code might require additional modifications.

Magento PHP 7.2 Patch Release

Magento released a PHP patch enabling Magento 1 users to run on PHP 7.2. The patch was released because PHP 5.6 and 7.0 reach their end of life this December, after which they no longer receive security updates. The PHP 7.2 patch allows Magento 1 users to remain secure and compliant after PHP 5.6 and 7.0 reach end of life in December.

On September 18, Magento released important updates and a security patch for Magento 1. This previous release provided support and maintenance for Magento 1 websites that have not yet upgraded to Magento 2. Magento 1 will continue to receive software and security maintenance until June 2020 according to Magento’s technical information page.

If you have any questions, please let us know. Also, make sure to thoroughly test in development before updating your production sites, as extensions or custom code might require additional modifications. Depending on your current Magento version, this patch may also require previous security patches to be applied before installation:

________________________________

Magento Community

  • 1.9.2.0 – Patch requirements: SUPEE-10752, SUPEE-10570, SUPEE-10415, SUPEE-10266, SUPEE-9767 V2, SUPEE-9652, SUPEE-8788 V2, SUPEE-7405 v1.1, SUPEE-7405, SUPEE-6788, SUPEE-6482
  • 1.9.2.1 – Patch requirements: SUPEE-10752, SUPEE-10570, SUPEE-10415, SUPEE-10266, SUPEE-9767 V2, SUPEE-9652, SUPEE-8788 V2, SUPEE-7405 v1.1, SUPEE-7405, SUPEE-6788
  • 1.9.2.2 – Patch requirements: SUPEE-10752, SUPEE-10570, SUPEE-10415, SUPEE-10266, SUPEE-9767 V2, SUPEE-9652, SUPEE-8788 V2, SUPEE-7405 v1.1, SUPEE-7405
  • 1.9.2.3 – Patch requirements: SUPEE-10752, SUPEE-10570, SUPEE-10415, SUPEE-10266, SUPEE-9767 V2, SUPEE-9652, SUPEE-8788 V2, SUPEE-7405 v1.1
  • 1.9.2.4 – Patch requirements: SUPEE-10752, SUPEE-10570, SUPEE-10415, SUPEE-10266, SUPEE-9767 V2, SUPEE-9652, SUPEE-8788 V2
  • 1.9.3.0 – Patch requirements: SUPEE-9652, SUPEE-8167, SUPEE-9767v2, SUPEE-10266, SUPEE-10415, SUPEE-10570v2, SUPEE-10752
  • 1.9.3.1 – Patch requirements: SUPEE-9652, SUPEE-8167, SUPEE-9767v2, SUPEE-10266, SUPEE-10415, SUPEE-10570v2, SUPEE-10752
  • 1.9.3.2 – Patch requirements: SUPEE-8167, SUPEE-9767v2, SUPEE-10266, SUPEE-10415, SUPEE-10570v2, SUPEE-10752
  • 1.9.3.3 (Skipped because of deprecation)
  • 1.9.3.4 – Patch requirements: SUPEE-10266, SUPEE-10415, SUPEE-10570v2, SUPEE-10752
  • 1.9.3.5 (Doesn’t exist)
  • 1.9.3.6 – Patch requirements: SUPEE-10415, SUPEE-10570v2, SUPEE-10752
  • 1.9.3.7 – Patch requirements: SUPEE-10570v2, SUPEE-10752
  • 1.9.3.8 – Patch requirements: SUPEE-10570v2, SUPEE-10752
  • 1.9.3.9 – No patch requirements

________________________________

Magento Commerce

  • 1.14.2.0 – Patch requirements: SUPEE-10752, SUPEE-10570, SUPEE-10415, SUPEE-10348, SUPEE-10266, SUPEE-9767 V2, SUPEE-9652, SUPEE-8788 v2, SUPEE-7405 v1.1, SUPEE-7405 v1, SUPEE-6788, SUPEE-6482, SUPEE-6285, SUPEE-5994
  • 1.14.2.1 – Patch requirements: SUPEE-10752, SUPEE-10570, SUPEE-10415, SUPEE-10348, SUPEE-10266, SUPEE-9767 V2, SUPEE-9652, SUPEE-8788 v2, SUPEE-7405 v1.1, SUPEE-7405 v1, SUPEE-6788
  • 1.14.2.2 – Patch requirements: SUPEE-10752, SUPEE-10570, SUPEE-10415, SUPEE-10348, SUPEE-10266, SUPEE-9767 V2, SUPEE-9652, SUPEE-8788 v2, SUPEE-7405 v1.1, SUPEE-7405 v1
  • 1.14.2.3 – Patch requirements: SUPEE-10752, SUPEE-10570, SUPEE-10415, SUPEE-10348, SUPEE-10266, SUPEE-9767 V2, SUPEE-9652, SUPEE-8788 v2, SUPEE-7405 v1.1
  • 1.14.2.4 – Patch requirements: SUPEE-10752, SUPEE-10570, SUPEE-10415, SUPEE-10348, SUPEE-10266, SUPEE-9767 V2, SUPEE-9652, SUPEE-8788 v2
  • 1.14.3.0 – Patch requirements: SUPEE-9652, SUPEE-9767v2, SUPEE-10266, SUPEE-10348, SUPEE-10415, SUPEE-10570v2, SUPEE-10752
  • 1.14.3.1 – Patch requirements: SUPEE-9652, SUPEE-9767v2, SUPEE-10266, SUPEE-10348, SUPEE-10415, SUPEE-10570v2, SUPEE-10752
  • 1.14.3.2 – Patch requirements: SUPEE-9767v2, SUPEE-10266, SUPEE-10348, SUPEE-10415, SUPEE-10570v2, SUPEE-10752
  • 1.14.3.3 – Patch requirements: SUPEE-9767v2, SUPEE-10266, SUPEE-10348, SUPEE-10415, SUPEE-10570v2, SUPEE-10752
  • 1.14.3.4 – Patch requirements: SUPEE-10266, SUPEE-10415, SUPEE-10570v2, SUPEE-10752
  • 1.14.3.5 (Doesn’t exist)
  • 1.14.3.6 – Patch requirements: SUPEE-10415, SUPEE-10570v2, SUPEE-10752
  • 1.14.3.7 – Patch requirements: SUPEE-10570v2, SUPEE-10752
  • 1.14.3.8 – Patch requirements: SUPEE-10570v2, SUPEE-10752
  • 1.14.3.9 – No patch requirements
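To turn the tables above into a repeatable pre-flight check, here is an added example (not Magento's or eBoundHost's code) that reads a site's app/etc/applied.patches.list, the file Magento 1 appends to whenever a SUPEE patch is applied, and reports which prerequisites from the Community table are still missing for a given version. It assumes only that each applied patch appears on its own line as SUPEE-<number> with an optional revision token such as v2 somewhere on that line; the sample file contents are constructed, and the Commerce table has the same shape and can be added to the same dictionary.

```python
"""Report which SUPEE patches a Magento 1 Community site still needs before the PHP 7.2 patch.

Added example (not Magento's or eBoundHost's code). The prerequisite table is transcribed
from the Magento Community list in this post. The parser assumes only that each line of
app/etc/applied.patches.list names one patch as "SUPEE-<number>", optionally followed on
the same line by a revision token such as "v2" or "v1.1". Sample contents are constructed.
"""
import re
import sys

# Each later release ships with one more of the oldest patches built in, so the
# prerequisite lists are prefixes (1.9.2.x) or suffixes (1.9.3.x) of one chain.
_1_9_2_CHAIN = ["SUPEE-10752", "SUPEE-10570", "SUPEE-10415", "SUPEE-10266", "SUPEE-9767 V2",
                "SUPEE-9652", "SUPEE-8788 V2", "SUPEE-7405 v1.1", "SUPEE-7405", "SUPEE-6788",
                "SUPEE-6482"]
_1_9_3_CHAIN = ["SUPEE-9652", "SUPEE-8167", "SUPEE-9767v2", "SUPEE-10266", "SUPEE-10415",
                "SUPEE-10570v2", "SUPEE-10752"]

# 1.9.3.3 and 1.9.3.5 are absent because the post lists them as skipped / non-existent.
PHP72_PREREQS = {
    "1.9.2.0": _1_9_2_CHAIN,
    "1.9.2.1": _1_9_2_CHAIN[:10],
    "1.9.2.2": _1_9_2_CHAIN[:9],
    "1.9.2.3": _1_9_2_CHAIN[:8],
    "1.9.2.4": _1_9_2_CHAIN[:7],
    "1.9.3.0": _1_9_3_CHAIN,
    "1.9.3.1": _1_9_3_CHAIN,
    "1.9.3.2": _1_9_3_CHAIN[1:],
    "1.9.3.4": _1_9_3_CHAIN[3:],
    "1.9.3.6": _1_9_3_CHAIN[4:],
    "1.9.3.7": _1_9_3_CHAIN[5:],
    "1.9.3.8": _1_9_3_CHAIN[5:],
    "1.9.3.9": [],
}

PATCH_ID_RE = re.compile(r"SUPEE-\d+")
# A revision token ("v2", "V1.1") must not be glued to a preceding letter, so a "v"
# inside a longer word or identifier is never mistaken for a revision.
REVISION_RE = re.compile(r"(?<![A-Za-z])[vV](\d+(?:\.\d+)?)(?!\d)")


def parse_patch(text):
    """Return (patch id, revision or None) for the first SUPEE reference in text, else None."""
    m = PATCH_ID_RE.search(text)
    if not m:
        return None
    rev = REVISION_RE.search(text[m.end():])
    return m.group(0), (rev.group(1) if rev else None)


def applied_patches(applied_list_text):
    """Parse applied.patches.list contents into (patch id, revision) tuples, one per line."""
    parsed = (parse_patch(line) for line in applied_list_text.splitlines())
    return [p for p in parsed if p]


def is_satisfied(requirement, applied):
    """A bare id is met by any applied revision; an id with a revision (e.g. SUPEE-10570v2)
    is met only by a record carrying that same revision, so a site that shows SUPEE-10570
    at v1 is reported as still missing v2 instead of being silently waved through."""
    req_id, req_rev = requirement
    return any(aid == req_id and (req_rev is None or arev == req_rev) for aid, arev in applied)


def missing_prereqs(version, applied_list_text):
    """Prerequisites from the table that the applied-patch record does not account for."""
    if version not in PHP72_PREREQS:
        raise ValueError(f"no prerequisite entry for Magento Community {version}")
    applied = applied_patches(applied_list_text)
    return [name for name in PHP72_PREREQS[version]
            if not is_satisfied(parse_patch(name), applied)]


# Constructed sample of app/etc/applied.patches.list for a 1.9.3.0 site (not a real file):
# SUPEE-9767 is present at v2, SUPEE-10570 only at v1, and three patches are absent.
SAMPLE_APPLIED = """\
2017-03-01 10:02:11 UTC | SUPEE-9652 | CE_1.9.3.0 | v1
2017-03-01 10:05:40 UTC | SUPEE-8167 | CE_1.9.3.0 | v1
2017-06-02 08:41:09 UTC | SUPEE-9767 | CE_1.9.3.0 | v2
2017-10-01 09:14:02 UTC | SUPEE-10266 | CE_1.9.3.0 | v1
2018-03-01 09:20:55 UTC | SUPEE-10570 | CE_1.9.3.0 | v1
"""

if __name__ == "__main__":
    # Usage: python check_prereqs.py 1.9.3.0 /path/to/app/etc/applied.patches.list
    if len(sys.argv) == 3:
        version = sys.argv[1]
        with open(sys.argv[2], encoding="utf-8") as fh:
            text = fh.read()
    else:
        version, text = "1.9.3.0", SAMPLE_APPLIED
    for name in missing_prereqs(version, text):
        print(f"Magento {version}: prerequisite {name} not found in applied.patches.list")
```

Run with no arguments to see the constructed sample report SUPEE-10415, SUPEE-10570v2 and SUPEE-10752 as missing; pass your version and the path to your own applied.patches.list to check a real site.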

New Magento Releases and Security Patch Update

Magento released new versions of Magento Commerce and Magento Open Source, along with a new security patch for Magento 1.x. These releases close cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities, provide multiple performance enhancements, and address other security concerns.

The following was included in the release:

  • Magento Open Source and Commerce 2.2.6
  • Magento Open Source and Commerce 2.1.15
  • Magento Open Source 1.9.3.10
  • Magento Commerce 1.14.3.10
  • SUPEE-10888 to patch earlier Magento 1.x versions

As always, install the patch in a development environment and test before applying it to your live site. Please refer to Security Best Practices for additional information on how to secure your site. If you need any assistance with security patch updates, please send an email to magento@eboundhost.com or contact your Account Manager at eBoundHost.

For more information regarding the security changes, please check out the following resources from Magento:

For full details regarding the new Magento Commerce and Open Source, please check out their release notes:

Magento 2.2.5 and 2.1.14 Security Update

Magento Commerce and Open Source 2.2.5 and 2.1.14 contain multiple security enhancements that help close authenticated Admin user remote code execution (RCE), Cross-Site Scripting (XSS) and other vulnerabilities. Merchants who have not previously downloaded a Magento 2 release should go straight to Magento Commerce or Open Source 2.2.5.

As always, install the patch in a development environment and test before applying it to your live site. Please refer to Security Best Practices for additional information on how to secure your site.

For your convenience, we have quoted some of the announcement from Magento’s Forum down below.  If you need any assistance with security patch updates, please send an email to: magento@eboundhost.com or contact your Account Manager at eBoundHost. Visit the official Magento site for more details:

15 Updates:

APPSEC-2014: Authenticated Remote Code Execution (RCE) through the Magento admin panel (swatches module)
APPSEC-2054: Remote Code Execution (RCE) via product import
APPSEC-2042: PHP Object Injection and RCE in the Magento 2 EE admin panel (Commerce Target Rule module)
APPSEC-2055: PHP Object Injection and RCE in the Magento 2 Commerce admin panel (Schedule Import/Export Configuration)
APPSEC-2048: SQL Injection through API
APPSEC-2025: Arbitrary File Delete via Product Image
APPSEC-2044: Cross-Site Scripting (XSS) through B2B quote
APPSEC-2026: Authenticated Remote Code Execution (RCE) through the Magento admin panel (currency configuration)
APPSEC-2070: Directory Traversal in Product Import
APPSEC-2062: Remote Code Execution (RCE) through dev tools
APPSEC-2027: PHP Object Injection and Remote Code Execution (RCE) in the Admin panel (Commerce)
APPSEC-2010: Cross-Site Request Forgery + Frontend Stored XSS (Design Configuration)
APPSEC-2030: Cross-Site Scripting (XSS) through the Admin Username in the CMS Revision Editor (Commerce only)
APPSEC-1716: X-Frame-Options missing from templates
APPSEC-1993: IP Spoofing

Google Chrome Announces Important Security Updates Required by July 2018

The date is fast approaching for Google’s deadline to encrypt your site. This will include acquiring an SSL Certificate and moving to HTTPS. If these steps are not taken, it could impact your customers, your SEO rankings and ultimately, your reputation.

Maintaining the security and compliance of your site is a top priority for our team. If you require any assistance, our dedicated Magento engineers are available 24/7 to offer support and guidance. Please take a few minutes to learn more about these requirements below and feel free to reach out to us if you have any questions.  

Security Requirements

If your site is not fully compliant with these requirements, you have until July 2018 to make the necessary modifications. Not sure if your site will be impacted or how to become compliant?  Here is a step-by-step guide to verify and update your site’s security protocols.

SSL Certificates

If you do not currently have an SSL Certificate, you will need to purchase one as a first step in gaining security compliance. We provide free SSL Certificates and installation to all our Magento Clients.

If you do have an SSL Certificate but your site is using an SSL/TLS Certificate from Symantec that was issued before June 1, 2016, it will stop functioning as a secure site in Chrome 70 this coming July. This could already be impacting your customers.

Symantec SSLs that were issued before June 1, 2016, utilized an older Secure Hash Algorithm (SHA-128) and carried a validity period that extended past Google’s preferred expiration timeframe. To be compatible with the release of Google Chrome 70, certificates will need to meet the updated requirements (SHA-256). Replace your certificate as soon as possible, before the Chrome 70 release; if it is not replaced, users will begin seeing certificate errors on your site. If you are unsure whether your certificate meets the latest requirements, continue reading to learn how to verify your compliance.

Testing Your Site For Compliance

To achieve full HTTPS encryption compliance, your first step is to ensure your SSL Certificate is up to date. You can test the security of your site and your SSL status at Qualys SSL Labs. The desired outcome is an “A” across all four sections: Certificate, Protocol Support, Key Exchange, and Cipher Strength. A passing score in all four means your SSL Certificate will function securely under the Chrome 70 release, and it is also important for gaining and maintaining PCI compliance. Our servers are configured to be fully secured and HTTPS encrypted out of the box.

How to Gain SSL Certificates and HTTPS Compliance

As a fully managed service provider, eBoundHost – JetRails can assist you in purchasing and installing your SSL Certificate. We can also help you manage your encryption configurations through our technology stack. However, your development team will need to ensure all required coding is ready for HTTPS.

Additional Resources:

https://security.googleblog.com/2018/03/distrust-of-symantec-pki-immediate.html

https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html

Magento 2.2.3, 2.1.12 and 2.0.18 Security Update

Magento Commerce and Open Source 2.2.3, 2.1.12 and 2.0.18 contain multiple security enhancements that help close Cross-Site Scripting (XSS), authenticated Admin user remote code execution (RCE) and other vulnerabilities. The releases also include additional functional fixes; for details, see the Release Notes for Magento Commerce 2.0.18, 2.1.12 and 2.2.3 and Magento Open Source 2.0.18, 2.1.12 and 2.2.3.

Merchants who have not previously downloaded a Magento 2 release should go straight to Magento Commerce or Open Source 2.2.3.

Please refer to Security Best Practices for additional information on how to secure your site.

As always, install the patch in a development environment and test before applying it to your live site.

If you need any assistance with security patch updates, please send an email to: magento@eboundhost.com or contact your Account Manager at eBoundHost.

Visit the official Magento site for more details:
https://magento.com/security/patches/magento-223-2112-and-2018-security-update

Magento Security Patch Update: SUPEE-10570

SUPEE-10570, Magento Commerce 1.14.3.8 and Open Source 1.9.3.8 contain multiple security enhancements that help close remote code execution (RCE), cross-site scripting (XSS), and other issues. These releases also include small functional fixes listed in the release notes.

As always, install the patch in a development environment and test before applying it to your live site.

If you need any assistance with security patch updates, please send an email to: magento@eboundhost.com or contact your Account Manager at eBoundHost.

Visit the official Magento site for more details:

https://magento.com/security/patches/supee-10570

 

Magento Security Patch 10415 Reminder

SUPEE-10415, Magento Commerce 1.14.3.7 and Open Source 1.9.3.7 contain multiple security enhancements that help close cross-site request forgery (CSRF), denial-of-service (DoS) and authenticated Admin user remote code execution (RCE) vulnerabilities. These releases also include a fix for customers who had previously experienced patching issues caused by SOAP v1 interactions in the WSDL.

As always, install the patch in a development environment and test before applying it to your live site.

If you need any assistance with security patch updates, please send an email to: magento@eboundhost.com or contact your Account Manager at eBoundHost.

For your convenience, we have quoted some of the announcement from Magento’s Forum down below.  Visit the official Magento site for more details:

https://magento.com/security/patches/supee-10415

11 Updates:

APPSEC-1330: Unsanitized input leading to denial of service
APPSEC-1885: Stored XSS in Product Descriptions
APPSEC-1892: Stored XSS in Visual Merchandiser
APPSEC-1894: Remote Code Execution by leveraging unsafe unserialization
APPSEC-1897: Fix WSDL based patching to work with SOAP V1
APPSEC-1913: Remote Code Execution through Config Manipulation
APPSEC-1914: Stored XSS in CMS Page Area
APPSEC-1915: Remote Code Execution in CMS Page Area
APPSEC-1325: Stored XSS in Billing Agreements
APPSEC-1830: PHP Object Injection in product attributes leading to Remote Code Execution
APPSEC-1861: PHP Object Injection in product entries leading to Remote Code Execution

Magento Security Announcement Reminder

Magento has released a new patch that covers critical vulnerabilities.

Magento Commerce and Open Source 2.2.1, 2.1.10 and 2.0.17 contain multiple security enhancements that help close Cross-Site Scripting (XSS), Local File Inclusion (LFI), authenticated Admin user remote code execution (RCE) and Arbitrary File Delete vulnerabilities.

As always, install the patch in a development environment and test before applying it to your live site.

If you need any assistance with security patch updates, please send an email to: magento@eboundhost.com or contact your Account Manager at eBoundHost.

For your convenience, we have quoted some of the announcement from Magento’s Forum down below.  Visit the official Magento site for more details:

https://magento.com/security/patches/magento-221-2110-and-2017-security-update

10 Updates:

APPSEC-1325: Stored XSS in Billing Agreements
APPSEC-1825: PHP Object Injection in E-mail templates leading to Remote Code Execution
APPSEC-1830: PHP Object Injection in product attributes leading to Remote Code Execution
APPSEC-1861: PHP Object Injection in product entries leading to Remote Code Execution
APPSEC-1881: PHP Object Injection in Downloadable Products leading to Remote Code Execution
APPSEC-1893: PHP Object Injection in product metadata leading to Remote Code Execution
APPSEC-1900: Remote Code Execution by leveraging 1st stage unsanitized form input
APPSEC-1910: Local File Inclusion (LFI) in Import History
APPSEC-1930: PHP Object Injection in Widgets leading to Remote Code Execution
APPSEC-1931: PHP Object Injection in Zend Framework leading to Arbitrary File Deletion

Comcast Outage, November 6th, 2017

At 12:04 pm CST (GMT -6), one of the major ISPs in the USA, Comcast, experienced “an external network issue” that caused a portion of the Internet to become inaccessible to users.  Comcast has such a wide reach that both individuals and businesses were impacted.  To those affected, it seemed that some websites went off-the-air and simply did not respond.

Comcast announced that issues were resolved at 4:34 pm CST.

Check http://downdetector.com/status/comcast-xfinity/map/ for comments from those impacted.

Magento Sites – A Must-Do List To Prepare For Black Friday

How much revenue will you lose this holiday season if your Magento site goes down because of too much visitor traffic?  Prevent this by following our Magento Hosting Checklist.

 

“75 percent of all smartphone and tablet users said they would abandon a retailer’s mobile site or app if it was buggy, slow or prone to crashes.”

CNBC Poll

Black Friday is coming fast.  With many shoppers streaming to your store, more than just your products and pricing will be evaluated. Customers are unwittingly also making decisions based on how quickly your site responds. If your server is slow or crashing due to an unusually high number of customers visiting your website, they are likely to abandon their cart. Don’t let your hard earned marketing dollars go to waste. Follow these simple steps to ensure that the busiest time of the year is also going to be your most profitable and least frustrating.

Magento Hosting Checklist – Preparing Your Site for Black Friday

  1. Test your site
  2. Estimate traffic
  3. Increase capacity of your web servers and database
  4. Block malicious bot abuse
  5. Add Magento booster servers to handle traffic spikes
  6. Contact us if you need a turn-key solution

Test Your Site

With heavy spikes in traffic around the holiday season, page load times increase and your site slows down, which affects your bottom line. Run a load test to determine the relationship between page load times and visitor count. Be careful not to disrupt your business during high-volume hours if you are testing the production site, since the test itself can slow the site down or even take it down. Ideally, run the load test on your staging server. Various tools are available for load testing; the example below was benchmarked with Load Impact.

Notice the yellow arrow in the simulation below?  This test revealed that the page load times started to increase with about 400 users.  Now, look at the red arrow.  Page load times shot up to almost 20 seconds with approx. 480 simulated visitors.

If your marketing efforts lead to an increase in traffic (more than 400 users in this example), then you need to consider adding an extra booster server so you don’t lose out on any conversions. Let our Magento experts run a load test for you.  Send us an email:  magento@eboundhost.com

Estimate Traffic

How much of a traffic spike can you expect this year from your marketing efforts? Do you plan on doubling, tripling or quadrupling your holiday traffic? Use Google Analytics to obtain your historic web visitor traffic data.

Gather Google Analytics web visitor data

A. Within Google Analytics, navigate to AUDIENCE > OVERVIEW
B. Set your date range to 10/01/2016 – 10/01/2017
C. Make a note of your highest “Daily Session” value

Example: The highest daily session value in this screenshot is 1,000.

D. Calculate your “concurrent user” value:
Users = Hourly Sessions x Average Session Duration (in seconds) / 3,600

Example: 500 x 60 / 3,600 = approx. 8

 

Increase Capacity On Your Web Servers and Database

Increase your capacity by adding the appropriate caching technologies. There are several tools such as Varnish, Redis and CloudFlare that can help. One example of a popular front-end caching technology that will speed up your site is Varnish.  There are tutorials and guides available to help you with this.

http://devdocs.magento.com/guides/v2.0/config-guide/varnish/config-varnish-magento.html

Need assistance? Our Magento Success Team is available at  888-554-9990.

Block Malicious Bot Abuse

Block malicious bots/competitors and reduce more load by using a content delivery network.  Cloudflare’s expansive network identifies and blocks bots across 6 million properties with their predictive security feature. Their distribution network is powered by 118 data centers around the world.  You can get a free account by using this link:  https://www.cloudflare.com/plans/

We are proud to partner with CloudFlare.  All of our holiday booster servers include the service and setup of CloudFlare Pro.

 

Add Magento Booster Servers To Handle Traffic Spikes

Add Magento booster servers to handle your traffic spikes and stabilize your site during the holiday season.  Let’s look at an example of what the JetRails® Magento booster servers can do to prepare your site for the busy season.

In this example, we are working off an environment that consists of 2 servers (one web server and one database server).  The addition of 3 Magento JetRails® Booster Servers tripled the visitor capacity during peak times.

 

Contact Us

Make sure your web visitors don’t go to your competitors.  Our Magento Success Team is available to test your site and help you prepare for the holidays.  Load balanced Booster Servers are $500 each and can be set up by our engineers within days.  Contact us or call us at 888-554-9990 to get started now.

Meet Us At Shop.org – Researching The Newest Magento eCommerce Tactics

Shop.org is the annual e-commerce conference for digital retail thinkers and doers!  In an era where constant evolution is required to stay ahead of consumers, this event is bringing some of the most fascinating people, brands and thought-leaders to share stories of reinvention, transformation and steal-worthy ideas for making an impact in the e-commerce world today.

View the agenda:  https://shop.org/agenda

If you are going to be there or if you would like us to research any Magento related topics, let us know by filling out our contact form:

https://eboundhost.com/magento/contact-us.php

Our primary objectives at Shop.org are getting new insights on:

  • Better search engine ranking due to faster infrastructure and rapid content delivery
  • Higher conversion rates due to reduced friction and faster response times
  • Reduction of operational burdens
  • E-commerce focused best practices for operations
  • Best-of-breed technological integration

Additional topics that will be covered for our customers:

  • Omnichannel profitability
  • Personalizing Amazon
  • The best alternative to Amazon
  • “I have to double my business this year, how do I do it?”
  • Sourcing new customers with artificial intelligence
  • Real-time analytics for Magento
  • Improving Magento speed
  • Online journey hijacking: The problem, the scale, and the solution

Let us know what your challenges are.  We’re here to help.

Magento Security Announcement Reminder: SUPEE 10266

Magento has released a new patch that covers critical vulnerabilities.

SUPEE-10266, Magento Commerce (Enterprise) 1.14.3.6 and Open Source (Community) 1.9.3.6 contain multiple security enhancements that help close cross-site request forgery (CSRF), unauthorized data leak, and authenticated Admin user remote code execution vulnerabilities. These releases also include fixes for issues with image reloading and payments using one-step checkout.

As always, install the patch in a development environment and test before applying it to your live site.

If you need any assistance with security patch updates, please send an email to: magento@eboundhost.com or contact your Account Manager at eBoundHost.

For your convenience, we have quoted some of the announcement from Magento’s Forum below.  Read the rest on the Magento site.

 

13 Updates:

APPSEC-1838: RSS session admin cookie can be used to gain Magento administrator privileges.
APPSEC-1800: Remote Code Execution vulnerability in CMS and layouts
APPSEC-1835: Exposure of Magento secret key from app/etc/local.xml
APPSEC-1757: Directory traversal in template configuration
APPSEC-1852: CSRF + Stored Cross Site Scripting (customer group)
APPSEC-1494: AdminNotification Stored XSS
APPSEC-1793: Potential file uploads solely protected by .htaccess
APPSEC-1853: CSRF + Stored Cross Site Scripting in newsletter template
APPSEC-1729: XSS in admin order view using order status label in Magento
APPSEC-1579: Customer Segment Delete Action uses GET instead of POST request
APPSEC-1588: Order Item Custom Option Disclosure
APPSEC-1599: Admin login does not handle autocomplete feature correctly
APPSEC-1688: Secure cookie check to prevent MITM not expiring user sessions

Please refer to SECURITY BEST PRACTICES for additional information on how to secure your site.

Be sure to implement and test the patch in a development environment first to confirm that it works as expected before deploying it to a production site.

CloudFlare Phishing attempt discovered September 7th, 2017

Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message. The recipient is then tricked into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack or the revealing of sensitive information.

On Thursday, September 7th, a group of scammers sent emails phishing for CloudFlare credentials. The email appears to come from “Cloudflare Abuse Department”, but as you will see, it did not actually come from Cloudflare. It came from a Freshdesk email account that is not associated with Cloudflare.

 

The email also contains a link inviting the recipient to review the complaint, which takes them to https://cloudflarecompliancedept.site/support/.

The site looks like the Official Cloudflare login page and even has an SSL certificate that appears to be valid.  Upon investigation, the SSL certificate is a free certificate that can be obtained easily.

You can even find the fake freshdesk login page by visiting https://cloudflareabuse.freshdesk.com/support/home

This phishing attempt was very well thought out, all the way down to the smallest detail. To the average person opening their emails, it would be very difficult to identify this as malicious.

What you can do

While the malicious email looked completely legit, there was one key giveaway: The mail was sent from a domain that is not associated with Cloudflare.

If you received an email from support@cloudflareabuse.freshdesk.com, report it as phishing by notifying your email provider. Then delete it.
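The giveaways in this post (a display name claiming Cloudflare, a sending domain that is not Cloudflare's, and a link to a lookalike domain whose valid TLS certificate proves nothing about who owns it) can be checked mechanically. Below is an added example in Python, not eBoundHost's or Cloudflare's code; both messages are constructed for illustration, the first modelled on the sender and link named above, and LEGIT_DOMAINS is an assumed allowlist of the brand's real domains.

```python
"""Flag a message whose From display name or link hosts impersonate a brand.

Added example, not eBoundHost's or Cloudflare's code. The two messages are constructed;
the first reproduces the sender and link described in the post. LEGIT_DOMAINS is an
assumption about which domains legitimately belong to the brand (adjust before reuse).
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND = "cloudflare"
LEGIT_DOMAINS = {"cloudflare.com"}  # assumed allowlist, not sourced from Cloudflare

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed phish, modelled on the message described in the post.
PHISH_EMAIL = """\
From: "Cloudflare Abuse Department" <support@cloudflareabuse.freshdesk.com>
Reply-To: support@cloudflareabuse.freshdesk.com
To: admin@example-store.test
Subject: Abuse complaint filed against your domain

A complaint has been filed against your domain. Review it within 24 hours at:
https://cloudflarecompliancedept.site/support/

Cloudflare Abuse Department
"""

# Constructed legitimate notice from a brand-owned subdomain, linking to the brand's own site.
LEGIT_EMAIL = """\
From: "Cloudflare" <noreply@notify.cloudflare.com>
To: admin@example-store.test
Subject: How to report phishing

See https://support.cloudflare.com/hc/en-us/articles/200167736-How-do-I-file-a-phishing-complaint-
"""


def is_brand_domain(host):
    """True when host is one of the brand's domains or a subdomain of one.
    The leading dot in the suffix test keeps 'evilcloudflare.com' from passing."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def domain_of(address):
    """Domain part of an e-mail address, lower-cased; empty when there is no '@'."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyse(raw_message):
    """Return a list of findings for a single-part message; empty means nothing suspicious."""
    msg = message_from_string(raw_message)
    findings = []

    # Check 1: the From header invokes the brand (display name or address) while the
    # sending domain is not one the brand owns. This is the giveaway the post points to.
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(addr)
    mentions_brand = BRAND in display.lower() or BRAND in sender_domain
    if mentions_brand and not is_brand_domain(sender_domain):
        findings.append(f"From claims {BRAND} but sends from {sender_domain}")

    # Check 2: link hosts that contain the brand name without being a brand domain.
    # A browser padlock on such a host only says the connection is encrypted, not
    # that the brand operates the site, so the hostname itself is what is judged.
    body = msg.get_payload() if not msg.is_multipart() else ""
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if BRAND in host and not is_brand_domain(host):
            findings.append(f"lookalike link host {host}")
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EMAIL), ("legit", LEGIT_EMAIL)):
        print(label, analyse(raw) or "no findings")
```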

If you do click on the malicious link, do not attempt to log into the account.

If, unfortunately, you fell for the scam and granted permission to the hackers, get in touch with CloudFlare directly. While you’re at it, it’s a good idea to change your passwords.

Here is the official Cloudflare link to visit if you encounter the scam:
https://support.cloudflare.com/hc/en-us/articles/200167736-How-do-I-file-a-phishing-complaint-

Rest assured that the eBoundHost JetRails eCommerce Team is actively working with Cloudflare on this discovery.  As of 12:54 PM CST, it appears that the malicious domain was taken down.  That does not mean the original attacker is not still active.  Please take caution with any emails and access points and reach out to the JetRails team with any questions or concerns:  888-554-9990 or support@eboundhost.com

 

Magento Security Announcement Reminder: SUPEE 9767

Magento has released a new patch that covers critical vulnerabilities.

Attackers are disabling a configuration protection after gaining admin access and are uploading malicious code. Use of the AllowSymlinks option in configuration settings can enable the upload of an image that contains malicious code. Although this option is disabled by default, an attacker with access to store configuration settings can enable it and remotely execute code.

As always, install the patch in a development environment and test before applying it to your live site.

If you need any assistance with security patch updates, please send an email to: magento@eboundhost.com or contact your Account Manager at eBoundHost.

For your convenience, we have quoted some of the announcement from Magento’s Forum below.  Read the rest on the Magento site.

Today, Magento is releasing new updates to increase product security and functionality. The releases contain over 15 security enhancements and Magento 2.x updates that also address image resizing and MasterCard BIN number expansion. We strongly recommend that all merchants upgrade to these versions as soon as is reasonably possible.

 

These releases include:

 

 

  • Support for MasterCard BIN number expansion. MasterCard recently added a new series of Bank Identification Numbers (BIN). While certain Magento versions already support the new BINs, merchants using the following versions must upgrade or apply a patch by June 30, 2017 or face potential fines from MasterCard and lost sales:
    • Enterprise and Community Edition 2.1.2 or earlier
    • All Enterprise and Community Edition 2.0.x releases
    • Enterprise Edition 1.14.2.x or earlier releases
    • Community Edition 1.9.2.x or earlier releases

 

More information is available at MasterCard BIN Range Update.

 

  • Reversion of the changes to image resizing that we introduced in Magento 2.1.6. Certain image resizing changes introduced unanticipated problems. We have reverted these changes in this release, and will provide improvements to image resizing in a future product update. See the Magento 2.1.7 Enterprise Edition Release Notes for additional information you may need to take when upgrading from Magento 2.1.6 or 2.1.5 to this release.

 

Download and install the Enterprise Edition updates by logging into My Account and navigating to the version you want to download. Community Edition software is available in the Release Archive of the Community Edition download page.

(See How to get the Magento software for a discussion of Magento 2.x installation procedures, and How to Apply and Revert Magento Patches for Magento 1.x instructions.)

Please refer to SECURITY BEST PRACTICES for additional information on how to secure your site.

Meet us at Imagine Magento eCommerce Conference in Las Vegas

The eBoundHost Magento Team is very excited to attend the Imagine Magento Conference in Las Vegas (April 3rd – 5th).  Now in its 7th year, this event brings together 2,500+ merchants, partners, developers and commerce experts from 45+ countries to network, exchange ideas and build relationships.  Imagine Commerce 2017 offers an opportunity for senior executives, marketers, developers, merchandisers and eCommerce visionaries from leading merchants, web design agencies, system integrators and technology innovators to collaborate and share the latest inspirations, technologies, techniques, and strategies transforming commerce.

If you are going to the conference, let us know.  We’ll meet you there!

eBoundHost clients not affected by Cloudbleed

What is Cloudbleed?

Cloudbleed (also known as CloudLeak and CloudFlare Bug) is a security bug discovered on February 17, 2017 affecting Cloudflare’s reverse proxies, which caused their edge servers to run past the end of a buffer and return memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data.

As a result, data belonging to one Cloudflare customer could be leaked into responses served to visitors of any other Cloudflare customer whose request happened to be handled by the same server at that moment. Some of this leaked data was cached by search engines.

Are eBoundHost customers affected by Cloudbleed?

We have confirmed that none of our clients are affected by CloudBleed.  You can read Cloudflare’s official description of Cloudbleed here.

Magento Security Announcement Reminder: SUPEE-9652

Magento has released a new patch, SUPEE-9652, which includes fixes for critical vulnerabilities.  Stores left un-patched are placed at significant risk, and we recommend that all Magento store owners apply the patch as soon as possible.

As always, install the patch in a development environment and test before applying it to your live site.

If you need any assistance with security patch updates, please send an email to: magento@eboundhost.com or contact your Account Manager at eBoundHost.

For your convenience we have quoted some of the announcement from Magento below.  Read the rest on the Magento site.


ANNOUNCEMENT FROM MAGENTO:

SUPEE-9652, Enterprise Edition 1.14.3.2 and Community Edition 1.9.3.2 address the Zend library vulnerability described below.

Information on all the changes in 1.14.3.2 and 1.9.3.2 releases is available in the ENTERPRISE EDITION and COMMUNITY EDITION RELEASE NOTES.

Patches and upgrades are available for the following Magento versions:

  • Enterprise Edition 1.9.0.0-1.14.3.1: SUPEE-9652 or upgrade to Enterprise Edition 1.14.3.2
  • Community Edition 1.5.0.1-1.9.3.1: SUPEE-9652 or upgrade to Community Edition 1.9.3.2

To download a patch or release, choose from the following options:

Partners:

Enterprise Edition 1.14.3.2 PARTNER PORTAL > Magento Enterprise Edition > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Version 1.x Releases > Version 1.14.3.2
SUPEE-9652 PARTNER PORTAL > Magento Enterprise Edition > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Support and Security Patches > Security Patches > Security Patches – February 2017

Enterprise Edition Merchants:

Enterprise Edition 1.14.3.2 MY ACCOUNT > Downloads Tab > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Version 1.x Releases > Version 1.14.3.2
SUPEE-9652 MY ACCOUNT > Downloads Tab > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Support and Security Patches > Security Patches > Security Patches – February 2017

Community Edition Merchants:

Community Edition 1.9.3.2 COMMUNITY EDITION DOWNLOAD PAGE > Release Archive Tab
SUPEE-9652 COMMUNITY EDITION DOWNLOAD PAGE > Release Archive Tab > Magento Community Edition Patches – 1.x Section

APPSEC-1746 – Remote Code Execution using mail vulnerability
Type: Remote code execution (RCE)
CVSSv3 Severity: 9.8 (Critical)
Known Attacks: None
Description: A Zend Framework 1 vulnerability can be remotely exploited to execute code in Magento 1. While the issue is not reproducible in Magento 2, the library code is the same, so it was fixed there as well.

Note: while the vulnerability is scored as critical, few systems are affected. To be affected by the vulnerability the installation has to:

– use sendmail as the mail transport agent

– have specific, non-default configuration settings as described HERE.

Product(s) Affected: Magento Community Edition prior to 1.9.3.2, and Magento Enterprise Edition prior to 1.14.3.2, Magento 2.1 versions prior to 2.1.4 and Magento 2.0 versions prior to 2.0.12
Fixed In: Community Edition 1.9.3.2, Enterprise Edition 1.14.3.2, SUPEE-9652, Magento 2.1.4, Magento 2.0.12
Reporter: natmchugh

Please refer to SECURITY BEST PRACTICES for additional information on how to secure your site.

Be sure to implement and test the patch in a development environment first to confirm that it works as expected before deploying it to a production site.

5 Tips to Increase Conversions with Site Search – Nextopia Guest Post

In 2017, it’s expected that online shopping revenue will surpass $1.5 trillion in worldwide sales, making the eCommerce industry one of the most valuable and profitable industries. Significant advancements in mobile and social shopping have altered the way we shop, and now it’s possible for consumers to shop instantaneously from their favorite designers from virtually anywhere all thanks to a few quick taps on their smartphones.

However, despite this projected growth, many retailers still fail at providing their customers with an exceptional online shopping experience, which can result in significantly low conversion rates.

To ensure all retailers are making the most of their on-site search and providing their customers with an exceptional shopping experience, we’ve put together five powerful tips that are proven to increase conversion rates and turn more browsers into buyers.

Have all Eyes on Your Search Box

The search box is an often overlooked yet powerful feature of an eCommerce store. The site search box is the pathway to improved sales, better user experience, and most importantly, higher conversion rates. If a shopper struggles to locate the search box, chances are they’ll abandon ship and head to a competitor’s site to complete their purchase, so having an easy to locate search box is key.

Here are two ways to improve conversions with your search box:

  1. Bold Placement

The first step to having a high-performing search box is to place it in a noticeable and convenient location where site visitors can locate it as soon as they arrive at your site. The best spot is typically in the header of a web page, where it can be free from clutter and any distractions.

  2. Clean Design

A search box with a clean design and clear instructions will entice users to perform a search. Take the time to ensure that all search fields (input field and ‘submit’ button) are clearly differentiated and easy to locate. Retailers should also include a recognizable search icon (a magnifying glass tends to work best) to help entice visitors to follow through with their search.

Include Autocomplete

Site search enhancement tools like autocomplete are a great addition to an eCommerce site because they help direct customers to their desired product quickly and seamlessly. Autocomplete shows fast, accurate, and intelligent search results as soon as the customer begins typing – even if a spelling mistake has been made – and is proven to increase conversions and sales for online retailers.

Optimize the ‘No Results Found’ Page

When a customer searches for an item that either isn’t in stock or that you don’t carry, rather than directing them to the dreaded ‘no results found’ page, send them to an optimized landing page that will keep them from abandoning the site and could potentially lead to a sale.

You can prevent this from happening by providing similar product recommendations that they might find interesting and relevant or links back to the homepage, category pages, or the contact us page. This will help prevent visitors from leaving to go search on a competitor’s site and in turn, potentially lead to an increase in conversions.

Feature Product Images in Search Bar Results

To further improve your online site search, it’s important to include product images in the search results so site visitors can see products that are available without having to search through the product pages. Make sure that your product photos are clear in thumbnail form and are flattering to your product. The chances of a customer buying increase when images are displayed along with a product description. Showing product images along with suggested search terms in your autocomplete will further help turn browsers into buyers.

Get to Know Your Customers

As a retailer, your goal should always be to exceed the wants and needs of your customers and when you only provide your customers with basic site search this goal cannot be achieved.

The best way to truly get to know your customers is to learn what they are searching for and this can be done through your site search reports and analytics. These reports list all search terms entered on your site, and the number of times words and phrases have been searched. You can also review real-time reports on the most and least popular searched terms. These reports can be reviewed daily, weekly or monthly and they provide insight into how your eCommerce site can improve its on-site search experience, by understanding what your customers are searching for.

By reviewing your site’s reports, you can see which terms are in top demand and which products are performing well. With access to this information, you can optimize your site and showcase your top performing items.

By providing your customers with a more intuitive search and navigation, you’ll not only encounter higher conversion rates, but you’ll also develop a stronger relationship with your customers which will encourage them to come back and shop with you in the future.

This article was written by Ainsley Smith, a marketing coordinator at Nextopia. Nextopia provides site search, navigation and merchandising solutions for internet retailers.

New Zend Framework 1 Security Vulnerability

A new vulnerability has been found in the Zend Framework 1 and 2 EMAIL COMPONENT. The component is used by all Magento 1 and Magento 2 software and by other PHP solutions. This vulnerability is serious and can lead to a remote code execution attack if your server uses Sendmail as a mail transport agent.

To protect your site from this vulnerability, you should immediately check your mail sending settings. Go to the system settings used to control the “Reply to” address for emails sent from your Magento store:

  • Magento 1: System-> Configuration-> Advanced-> System-> Mail Sending Settings-> Set Return-Path
  • Magento 2: Stores-> Configuration-> Advanced-> System-> Mail Sending Settings-> Set Return-Path

If “Set Return-Path” is set to “Yes,” and your server uses Sendmail, then your store is vulnerable to this exploit. Enterprise Cloud Edition customers do not need to worry about this issue. We’ve already checked your configuration and you are not at risk.

While we have not yet observed attacks using this vulnerability, the risk is very high. Until patches are available, we strongly recommend that you turn off the “Set Return-Path” setting (switch to “No”), regardless of the transport agent used. Magento is currently working to provide patches to close this vulnerability and we expect they will be available in the next several weeks.
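Both the SUPEE-9652 advisory above and this announcement reduce to the same check: is “Set Return-Path” effectively on for any store, and is sendmail the transport? The following script is an added example, not code from Magento or eBoundHost; it assumes the admin setting is stored in core_config_data under the path system/smtp/set_return_path (0 = No, 1 = Yes, 2 = Specified) and resolves Magento’s scope precedence (stores override websites, which override default) over constructed sample rows.

```python
# Added audit example (not from the Magento or eBoundHost announcements).
# Assumption: "Set Return-Path" lives in core_config_data at
# 'system/smtp/set_return_path' with 0 = No, 1 = Yes, 2 = Specified.
from typing import Dict, List, Optional, Tuple

RETURN_PATH = "system/smtp/set_return_path"
# Magento precedence: a more specific scope overrides a less specific one.
SCOPE_RANK = {"default": 0, "websites": 1, "stores": 2}

# Constructed rows in the shape of core_config_data: (scope, scope_id, path, value)
SAMPLE_ROWS: List[Tuple[str, int, str, str]] = [
    ("default", 0, RETURN_PATH, "0"),    # global setting: No
    ("websites", 2, RETURN_PATH, "1"),   # one website switched it to Yes
    ("stores", 3, RETURN_PATH, "2"),     # one store view uses "Specified"
]
# Constructed store -> website map (core_store in a real install)
STORE_TO_WEBSITE: Dict[int, int] = {1: 1, 3: 1, 5: 2}


def effective_value(rows, store_id: int, website_id: int) -> Optional[str]:
    """Resolve the value a given store view actually uses (stores > websites > default)."""
    best_rank, best = -1, None
    for scope, scope_id, path, value in rows:
        if path != RETURN_PATH:
            continue
        if scope == "stores" and scope_id != store_id:
            continue
        if scope == "websites" and scope_id != website_id:
            continue
        if SCOPE_RANK[scope] > best_rank:
            best_rank, best = SCOPE_RANK[scope], value
    return best


def return_path_enabled(rows, store_id: int, website_id: int) -> bool:
    """Yes (1) and Specified (2) both hand a Return-Path to the transport."""
    return effective_value(rows, store_id, website_id) in ("1", "2")


def audit(rows, store_to_website: Dict[int, int], uses_sendmail: bool) -> Dict[int, str]:
    """One verdict per store view; the advisory says to turn the setting off either way."""
    verdicts: Dict[int, str] = {}
    for store_id, website_id in store_to_website.items():
        enabled = return_path_enabled(rows, store_id, website_id)
        if enabled and uses_sendmail:
            verdicts[store_id] = "AT RISK: Return-Path on with sendmail; set it to No now"
        elif enabled:
            verdicts[store_id] = "Return-Path on (non-sendmail transport); set it to No"
        else:
            verdicts[store_id] = "ok"
    return verdicts


if __name__ == "__main__":
    for store, verdict in audit(SAMPLE_ROWS, STORE_TO_WEBSITE, uses_sendmail=True).items():
        print(f"store {store}: {verdict}")
```

On a real install, replace the constructed rows with the output of a query on core_config_data for paths under system/smtp/ and the store map with core_store.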

Original Source:  https://magento.com/security/news/new-zend-framework-1-security-vulnerability