
Magento Sites Using Nginx And The Magmi Data Import Tool Are At Risk

Misconfigured Magento Sites Using Nginx

Some misconfigured Magento sites using Nginx web server software are vulnerable to attacks. The misconfiguration allows outside access to Magento cache files. The cache files have predictable names and can contain sensitive information, including Magento database passwords. This information can be used to obtain access to an installation and customer information.

To address this issue when using Nginx, or any web server software other than Apache, make sure your client’s configuration file protects directories and files properly. Magento Security Best Practices includes information on configuring the server environment.

Please work with your clients to update their server configuration files as soon as possible to address this vulnerability.

Unsecure Magmi Data Import Tool

It has also come to our attention that some sites use the Magmi data import tool without protection from outside access. This tool can be abused to gain full access to a Magento installation. It is critical that you act now: remove this tool from your clients’ production websites, or limit access to it based on IP address or password.
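The two fixes described above (protecting internal directories and restricting Magmi), shown as an added Nginx server block that is not taken from the advisory or from Magento's own documentation. The host name, document root, directory names (`/var/`, `/app/`, `/magmi/`), PHP socket, password file and admin address are all assumptions to be replaced with the site's real values.

```nginx
# Added example. Host name, paths, socket and address are assumptions.
server {
    listen 80;
    server_name shop.example.com;            # placeholder host
    root /var/www/magento;                   # assumed document root
    index index.php;

    # Weak setting: with nothing but the catch-all "location /" below,
    # Nginx serves any readable file under the root as static content.
    # Nginx does not read .htaccess files, so any protection that relies
    # on them under Apache is absent here.

    # Corrected: block internal directories. "^~" stops Nginx from trying
    # regex locations afterwards, so a regex match cannot bypass the deny.
    location ^~ /var/ { deny all; }          # assumed cache directory
    location ^~ /app/ { deny all; }          # assumed code/config directory

    # Magmi, if it cannot be removed from production.
    location ^~ /magmi/ {                    # assumed install path
        satisfy any;                         # IP match OR valid password
        allow 203.0.113.10;                  # placeholder admin address
        deny all;
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/magmi.htpasswd;   # assumed file

        # "^~" above keeps the global PHP location from handling these
        # requests, so PHP is passed on here, under the same restrictions.
        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php-fpm.sock;          # assumed socket
        }
    }

    location / { try_files $uri $uri/ /index.php?$args; }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm.sock;              # assumed socket
    }
}
```

Validate the file with `nginx -t` before reloading, then confirm from an outside address that a request under each blocked directory returns 403 and that the Magmi path prompts for credentials.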

Source: magento.com



