
Applying critical security patch - Safe now?

Re: Applying critical security patch - Safe now?

Hi,

 

Once compilation is off it should be good.

By the way, I also added patches for 1.6.x versions to the article.

Re: Applying critical security patch - Safe now?

Even with compilation disabled, mine is still reported as vulnerable.

Re: Applying critical security patch - Safe now?

You pose a really good question that is, sadly, not well covered in any documentation I've seen to date. The short version of my answer is this: Unfortunately, as I discuss below, installing the fixes will not resolve your problem if your Magento site has already been compromised. They only stop future attacks; they DO NOT DO ANYTHING TO FIX A SYSTEM THAT IS ALREADY COMPROMISED.

 

We've remediated many sites since these exploits were released, and to assist the community in responding to them we've documented our research to provide a list of the known attack signatures we have discovered so that you can check your systems for evidence of them and respond accordingly. Keep in mind we've never seen two compromises that are exactly the same, so there's a chance your particular system might be slightly different - if you discover anything on your system that we don't already have documented, please share that with us so we can update the attack signature guide.

 

We're working on a toolkit to automate the remediation of these items, but it may be a week or two until it's ready for distribution. In the meantime, we're sharing the knowledge we've acquired working through these compromises with everyone in the community in an effort to make sure everyone is as safe as can be expected.

 

I'm including a 3-Step Compromise Response Process below that we've worked over and over again to get consistent results.  The key assumption you're going to have to make is that you can't know what has or hasn't been compromised until you diff the files in your system against the default source code provided by Magento or a copy you have made in your (Git / Mercurial / SVN) repository.  YOU SHOULD ASSUME that your database and logins have been compromised and go change them all.

 

CRITICAL NOTE: Installing the patches from Magento WILL NOT help you if you have already been compromised.  At best, it will stop ADDITIONAL compromises of the known types, but if you are already compromised then you'll have to BOTH install the patches and remediate your system as we highlight below.

 

Phase 1: Identify the scope of your compromise. Each and every one of the items I list below are signatures we've discovered on compromised Magento sites specifically relating to the SUPEE-5344 and SUPEE-5994 vulnerability announcements. You need to go through each one and check to see if you find any evidence of it on your system. Many of them are enough by themselves to allow an attacker to re-enter your system after you patch it, so you'll have to be diligent and make sure you don't skip anything or fail to remediate it.

 

Phase 2: Delete what you must, and replace what you can: use the original files from your repository or the Magento source files. If you're not running one of the latest versions, you can still use the Magento download page to grab older version sources from their site.

 

Phase 3: RESET Credentials: Inventory every use of a login name and password remotely related to your deployment and reset them all, including

  1. Merchant Account Logins and API Keys
  2. Magento Admin Logins & Passwords
  3. Email account credentials
  4. LDAP / AD / Primary Authentication System Passwords
  5. EVERYTHING

- You can be reasonably sure that the preceding steps will help you purge infected files, but you cannot know if passwords have been sniffed or key-logged or the victim of some other attack, so resetting all related credentials is the safest option if you are going to attempt to remediate a compromised system.

 

The guide is too long to post in this response, but the PDF can be downloaded immediately at our GitHub repository.

 

Sincerely,

 

Bryan “BJ” Hoffpauir

 


------------------------
Bryan "BJ" Hoffpauir - Contact me on my Blog!

Contact me at work via AOE - the open web company online!
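The post above says the only way to know what has been touched is to diff your deployed tree against the pristine Magento source (or your own repository copy). This is an added example, not code from the post or from Magento, showing one way to do that comparison with content hashes: it reports files that were added, removed or modified relative to the release, and skips runtime directories (assumed here to be `var/` and `media/`) that legitimately differ between installs. The two directory trees and their file names are constructed sample data built in a temp directory so the script runs offline; point `diff_trees()` at a real document root and an unpacked release of the same version to use it for real.

```python
"""Added example (not from the forum post or Magento): compare a deployed
document root against a pristine copy of the same release and list files
that were added, removed or modified. Sample trees are constructed in a
temp directory so the script runs offline."""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict:
    """Map relative POSIX path -> sha256 of contents for every regular file under root."""
    digests = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_trees(pristine: Path, deployed: Path,
               ignore_prefixes=("var/", "media/")) -> dict:
    """Return {'added': [...], 'removed': [...], 'modified': [...]} as sorted
    relative paths. Paths under ignore_prefixes are runtime data (assumed to be
    var/ and media/ in a Magento 1 layout) that differ on every install; they are
    skipped here and should be reviewed separately rather than diffed."""
    base = hash_tree(pristine)
    live = hash_tree(deployed)

    def keep(rel: str) -> bool:
        return not rel.startswith(ignore_prefixes)

    added = sorted(p for p in live if p not in base and keep(p))
    removed = sorted(p for p in base if p not in live and keep(p))
    modified = sorted(p for p in base
                      if p in live and base[p] != live[p] and keep(p))
    return {"added": added, "removed": removed, "modified": modified}


def build_sample_trees(workdir: Path):
    """Constructed sample data (not a real Magento layout): a pristine tree and a
    deployed tree that drifts from it by one edited file, one extra file, one
    missing file, and one file in an ignored runtime directory."""
    pristine = workdir / "pristine"
    deployed = workdir / "deployed"
    files = {
        "index.php": "<?php require 'app/Mage.php';\n",
        "app/code/core/Mage/Core/Model/App.php": "<?php class Mage_Core_Model_App {}\n",
        "app/etc/local.xml": "<config/>\n",
    }
    for root in (pristine, deployed):
        for rel, body in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
    # Deployed tree drifts from the release in three ways worth reporting ...
    (deployed / "index.php").write_text("<?php require 'app/Mage.php'; // edited\n")
    (deployed / "app/etc/unexpected.php").write_text("<?php // file not in release\n")
    (deployed / "app/code/core/Mage/Core/Model/App.php").unlink()
    # ... and one way that is expected (runtime cache) and therefore ignored.
    cache = deployed / "var/cache/entry"
    cache.parent.mkdir(parents=True, exist_ok=True)
    cache.write_text("cache\n")
    return pristine, deployed


def run_sample() -> dict:
    """Build the constructed trees and return the diff report."""
    with tempfile.TemporaryDirectory() as tmp:
        pristine, deployed = build_sample_trees(Path(tmp))
        return diff_trees(pristine, deployed)


if __name__ == "__main__":
    for kind, paths in run_sample().items():
        print(f"{kind}: {paths}")
```

Every path in `added` and `modified` is a candidate for the Phase 2 delete-or-replace step; `removed` entries are worth a look too, since a missing core file can be as telling as an altered one.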



Re: Applying critical security patch - Safe now?

Lita, that would probably work, but none of the layering would take place, so the patched class would ONLY include logic from the class that the patched class included. If any other classes in the layers above or below extended that class to implement additional functionality or overrode it in specific cases to change the default behavior, then those changes wouldn't be reflected in the file in src.

 

None of that might matter, as it would depend quite specifically on what was modified in the class to which you refer. I just wanted to point out that the compiler doesn't JUST move all the files to one location to gain a performance benefit from not having to traverse the directory tree - it also combines and flattens the objects in that tree as well, and you'd lose that benefit (however minor it is) as well as potentially other changes made in different classes if you chose this path.




- Bryan "BJ" Hoffpauir - CTO @ Comit Developers - https://comitdevelopers.com
