We’d like to alert you to two potential security vulnerabilities that may affect your customers.
Misconfigured Magento Sites Using Nginx
Byte.nl recently reported that some misconfigured Magento sites using Nginx web server software are vulnerable to attacks. The misconfiguration allows outside access to Magento cache files. The cache files have predictable names and can contain sensitive information, including Magento database passwords. This information can be used to obtain access to an installation and customer information.
To address this issue when using Nginx or any other web server software other than Apache, you should make sure your client’s configuration file protects directories and files properly. Magento Security Best Practices includes information on configuring the server environment. You can also find an example of a configuration file for Nginx at https://gist.github.com/
Please work with your clients to update their server configuration files as soon as possible to address this vulnerability.
Unsecured Magmi Data Import Tool
It has also come to our attention that some sites use the Magmi data import tool without protection from outside access. This tool can be abused to gain full access to a Magento installation, so it is critical that you act now and remove this tool from your clients’ production websites, or limit access to it by IP address or password.
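The following Nginx server block is an added illustration of the two mitigations above; it is not the gist the advisory links to and is not Magento's own configuration. It assumes a Magento 1 document root layout (cache files under var/, code under app/, includes/ and lib/) and, where Magmi has not yet been removed, that it is installed under /magmi/; host name, paths and the allowed address are placeholders.

```nginx
# Illustrative hardening for a Magento 1 site behind Nginx (added example).
# Assumptions: cache files live under var/ and credentials under app/etc/;
# Magmi, if still present, is deployed under /magmi/. Not from the advisory.
server {
    listen 80;
    server_name shop.example.com;              # placeholder host name
    root /var/www/magento;                     # placeholder document root
    index index.php;

    # Cache and application directories must never be served directly.
    # "^~" makes these prefix matches final, so the PHP handler below
    # cannot be reached for anything beneath them.
    location ^~ /var/      { deny all; }
    location ^~ /app/      { deny all; }
    location ^~ /includes/ { deny all; }
    location ^~ /lib/      { deny all; }
    location ~ /\.         { deny all; }       # .htaccess, .git and similar

    # Magmi: remove it from production if at all possible. If it must stay,
    # require both a permitted source address and a password (Nginx applies
    # "satisfy all" by default, so both checks must pass).
    location ^~ /magmi/ {
        allow 203.0.113.10;                    # placeholder admin address
        deny all;
        auth_basic "Magmi";
        auth_basic_user_file /etc/nginx/htpasswd.magmi;   # placeholder file
        location ~ \.php$ {                    # inherits allow/deny/auth_basic
            try_files $uri =404;
            fastcgi_pass 127.0.0.1:9000;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
    }

    # Normal storefront routing through Magento's front controller.
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        try_files $uri =404;                   # no execution of missing files
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

After reloading Nginx, confirm from outside the allowed address that a request beneath /var/ returns 403 rather than file contents.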
You can also check your clients’ sites for other security vulnerabilities at http://magereport.com. This is a Magento community project that is not affiliated with Magento.