Protect Your Site from Magmi Vulnerability

October 19, 2015 | Security
Magento Zero Day Exploit

Magento Safety Tip: Keep Your Data Safe from the Magmi Threat

Last week, security vendor Trustwave reported a zero-day vulnerability with the Magmi plug-in for the Magento e-commerce platform. Attackers can use this exploit to steal your credentials and possibly get complete access to your Magento database. This vulnerability has left many people worried that their Magento stores could be in serious danger.

We will highlight what you need to know about the problem so you can take the steps needed to protect yourself. We will walk you through how you will know whether your site was affected and best practices for ensuring you don’t fall victim to attackers who are exploiting this vulnerability.

What is Magmi?

Many people use the Magmi open source tool to help them to quickly and easily move data into their Magento SQL databases. It allows users to save time importing and updating items in their e-commerce catalogues. The Magmi database client operates directly in SQL and is the result of a deep analysis of the Magento database model.

Magmi is extremely popular. Why? It has a strong reputation for being the fastest and most powerful tool to import and update products in Magento. Magento has its own built-in tool, Magento Dataflow, but it is much slower and doesn’t provide the same number of features.

Magmi allows for fast, direct SQL Magento product import and provides flexible CSV format support. It can handle multiple store configurations, import images from remote and local sources, and create categories on the fly based on name/tree descriptions. It can import tier prices as well as customisable options. There are too many great features to list here, but hopefully this gives you a sense of what it can do and why it’s so popular.

While there may be security issues with Magmi, we don’t discourage people from downloading or using it. If you already are using Magmi, you don’t have to stop. You just need to be careful, and we will walk you through what you need to know to stay safe while still benefiting from the great features that Magmi has to offer.

What is the Problem?

Certain versions of Magmi have a directory traversal flaw. This flaw can allow access to other files or directories in a file system. Attackers use this exploit to gain access to a local XML file in Magento that contains all credentials for the platform, as well as encryption keys. Essentially, attackers can then access the entire database for your Magento store, which is a big problem.

Trustwave has reported seeing hundreds of requests for this specific attack coming from just two or three IP addresses. They’re doing scans and automating their attacks. Due to the volume of these attacks, it is assumed that at least some have been successful.
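Because the attacks are automated and target the credentials file by walking up the directory tree, the most useful thing a store owner can do today is look for that pattern in the web server’s access log. The following is an added example (not code from the original post, Trustwave, or the Magmi project) that flags traversal requests naming local.xml in Apache combined-format logs, decoding percent-encoding repeatedly so double-encoded variants are caught; the log lines, IPs and the example.php script name are constructed placeholders, not the real Magmi endpoint.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format log lines for the demonstration. IPs are
# documentation-range placeholders and example.php is a hypothetical script
# name, not the real Magmi endpoint.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Oct/2015:10:01:22 +0000] "GET /magmi/web/example.php?file=../../../app/etc/local.xml HTTP/1.1" 200 1843 "-" "python-requests/2.7"
203.0.113.7 - - [13/Oct/2015:10:01:23 +0000] "GET /magmi/web/example.php?file=..%2F..%2F..%2Fapp%2Fetc%2Flocal.xml HTTP/1.1" 200 1843 "-" "python-requests/2.7"
203.0.113.7 - - [13/Oct/2015:10:01:25 +0000] "GET /magmi/web/example.php?file=%252e%252e%252fapp%252fetc%252flocal.xml HTTP/1.1" 403 221 "-" "python-requests/2.7"
198.51.100.4 - - [13/Oct/2015:10:02:01 +0000] "GET /index.php/catalog/product/view/id/42 HTTP/1.1" 200 20431 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

def normalize(target):
    """Percent-decode until stable (defeats double encoding) and unify separators."""
    prev, cur = None, target
    while cur != prev:
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/").lower()

def is_traversal_to_local_xml(target):
    """True when the request uses '..' path segments and names local.xml."""
    t = normalize(target)
    return "local.xml" in t and ("../" in t or t.endswith("/.."))

def find_attempts(log_text):
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_to_local_xml(m["target"]):
            hits.append({"ip": m["ip"], "status": int(m["status"]),
                         "bytes": 0 if m["bytes"] == "-" else int(m["bytes"])})
    return hits

def summarize(hits):
    """Per-source counts; 'served' = HTTP 200 with a body, i.e. a possible leak."""
    out = {}
    for h in hits:
        s = out.setdefault(h["ip"], {"attempts": 0, "served": 0})
        s["attempts"] += 1
        if h["status"] == 200 and h["bytes"] > 0:
            s["served"] += 1
    return out
```

Any source with a non-zero `served` count should be treated as a likely credential leak: rotate the database password and encryption key rather than assuming the request failed.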

This sounds like bad news for Magmi users, but there’s no need to panic yet. Just because you use Magmi doesn’t necessarily mean that your site is at risk or is currently under attack.

Is My Site at Risk?

How do you know if your security has been compromised? While it has been difficult to determine which specific sites are at risk, Magento has been reaching out to users who may be at risk to notify them of the problem. We understand you might not want to wait around for Magento to contact you with the security of your data on the line. We have some tips to help you figure out if you are at risk.

Let’s start with the good news. If you downloaded Magmi from GitHub, you have nothing to worry about. Trustwave did not find the vulnerability in the GitHub version. On the other hand, if you downloaded Magmi from SourceForge, you may need to take immediate action to protect the security of your site.

What if you don’t remember where you downloaded Magmi? One clue is the version number. If you are running Magmi 0.7.21, last updated in December 2014, then you are at risk for the exploit. If you are running a newer version of Magmi, you should be in the clear.

How Do I Know For Sure?

Thankfully, there are some tools that will help you determine if you are at risk. You can search for this on your own, but here is one tool we located which will help you check whether your site is vulnerable: MageStack Exploit Check.

Even if you are not currently running Magmi, we still encourage you to follow Magento’s security best practices listed below. You can never be too careful. If you are affected, read on to learn what you can do today to protect your site from this vulnerability.

What Do I Do?

There are a few simple things you can do to ensure the security of your Magento store and protect your site from attackers.

Don’t Put Magmi in the Same Root Directory as Magento

Most users will install Magmi in the same directory as Magento, as the Magmi Wiki Installation Guide describes. You should never do this, because that is what opens you up to this vulnerability.

Follow Magento’s Security Best Practices

You should secure the directory to reduce your risk of attack. Magento uses app/etc/local.xml to store the database credentials and encryption key. Securing access to this file is an essential step in securing Magento. For more information, visit Magento Security: Check your app/etc/local.xml file.
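One concrete way to verify that step is the same check Magento Enterprise Edition performs: request app/etc/local.xml from your own store over HTTP and see whether the server hands it back. This added example (not code from the original post or from Magento) does that with the standard library and classifies the response; the sample body is a constructed local.xml-shaped document with placeholder values, and the User-Agent string is an arbitrary label.

```python
import urllib.error
import urllib.request

# Elements a real Magento 1.x app/etc/local.xml contains; used to tell a
# genuine leak from a catch-all 200 page.
SENSITIVE_TAGS = ("<crypt>", "<key>", "<connection>", "<username>", "<password>")

# Constructed body shaped like local.xml; every value is a placeholder.
SAMPLE_EXPOSED = """<?xml version="1.0"?>
<config><global>
  <crypt><key><![CDATA[PLACEHOLDER_KEY]]></key></crypt>
  <resources><default_setup><connection>
    <host>localhost</host><username>PLACEHOLDER_USER</username>
    <password>PLACEHOLDER_PASS</password><dbname>magento</dbname>
  </connection></default_setup></resources>
</global></config>"""

def classify_response(status, body):
    """Return 'blocked', 'exposed', 'served_but_not_config' or 'unexpected'."""
    if status in (401, 403, 404):
        return "blocked"
    if status != 200:
        return "unexpected"
    text = body.lower()
    if "<config>" in text and any(tag in text for tag in SENSITIVE_TAGS):
        return "exposed"
    # A 200 that is not the config file, e.g. a soft-404 or themed error page.
    return "served_but_not_config"

def check_store(base_url, timeout=10):
    """Fetch /app/etc/local.xml from your own store and classify the result."""
    url = base_url.rstrip("/") + "/app/etc/local.xml"
    req = urllib.request.Request(url, headers={"User-Agent": "local-xml-self-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return classify_response(resp.status, body)
    except urllib.error.HTTPError as err:
        return classify_response(err.code, "")

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_store(sys.argv[1]))   # e.g. python check.py https://store.example
    else:
        print(classify_response(200, SAMPLE_EXPOSED))
```

A "blocked" result only means direct requests for the file are denied; a traversal flaw in a script such as Magmi reads the file server-side and bypasses that web-server rule entirely, which is why the placement advice above still matters.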

If You Plan to Download Magmi, Go to GitHub (Not SourceForge)

If you haven’t yet installed Magmi but still want to take advantage of the tool’s powerful catalogue import and update functionality, you can do that safely by downloading the latest version from GitHub. Whatever you do, don’t download it from SourceForge.

Magento Enterprise Edition Alerts

We’re not sponsored by Magento, but we did learn that Magento Enterprise Edition periodically checks whether your app/etc/local.xml file is externally visible and throws an alert if it is. If you’re already using Magento’s Enterprise Edition, please be on the lookout for these alerts.

Final Thoughts

As of today, the version of Magmi with the zero-day vulnerability is still posted on SourceForge. There were over 690 downloads this week alone. It is clear to see why. Magmi has a lot of great capabilities, people want to try it, and it just so happens that the SourceForge site is the first one that appears when you Google “Magmi”.

While it would be great if the Magmi developer, Sebastien Bracquemont, a software architect in France, could remove the problematic version of Magmi from SourceForge, he has been unresponsive. That is why Magento is contacting its clients about the vulnerability. Magento is in no way responsible for the issue, but is trying to do its part to help its customers.

We also felt it was important to bring you the latest news about this vulnerability because we want our customers to be well-informed about how to protect their sites and maintain the security of their data. Please share any thoughts or questions you may have about the Magmi vulnerability below. We’d love to hear from you!