Retrofitting Two Factor Authentication To An Existing Magento 2 Installation

Published: March 24, 2019

Enabling forced two-factor authentication for the Magento admin panel is a great way to improve security. However, with the current mechanics of Magento’s two-factor authentication module, simply flipping the switch in your store’s admin panel still leaves a gap in your system’s security.

Redis Service Management with requirepass AUTH enabled

Published: March 11, 2019


While reviewing a plan to introduce requirepass AUTH to a Redis instance prepared by a co-worker I came across the following note:

Will not set up init scripts, as starting/stopping Redis with AUTH directive enabled requires password

This didn’t smell right to me, so I decided to take a look at the issue with my co-worker.

Magento UI Component Magical Data Providers

Published: February 27, 2019


UI components are notoriously one of the most painful aspects of working with Magento 2.

One aspect that’s thrown me for a loop is the “magical data providers”. For example, if you look at vendor/dotdigital/dotmailer-magento2-extension/view/adminhtml/ui_component/dotdigitalgroup_order_grid.xml you’ll see the following…

<dataSource name="order_report_grid_data_source">
    <!--The data source-->
    <argument name="dataProvider" xsi:type="configurableObject">
        <argument name="class" xsi:type="string">Magento\Framework\View\Element\UiComponent\DataProvider\DataProvider</argument>
        <!-- remaining arguments omitted in this excerpt -->
    </argument>
</dataSource>

But how could the Magento\Framework\View\Element\UiComponent\DataProvider\DataProvider class be responsible for providing data to the order report grid?

On Magento Module Vulnerabilities

Published: February 7, 2019

The topic of Magento module security has been heating up. Here are just a few things that have happened recently:

I have some strong thoughts on the matter which I haven’t been shy about sharing in the past…

Here, I want to express them in long form.

FCGI_PARAMS FastCGI record format

Published: February 4, 2019


Recently I was trying to update Gopherus’ FastCGI payload to clear PHP-FPM’s security.limit_extensions value. Using Wireshark I knew I needed to edit an FCGI_PARAMS record.

Screenshot showing an FCGI_PARAMS record in Wireshark

However, no matter how much time I spent with Google, I couldn’t find a decent explanation of the format of an FCGI_PARAMS record.

Fortunately, after going through an FCGI_PARAMS record byte-by-byte in Wireshark, I figured out what was going on. Here I’m documenting my findings for anyone else who finds themselves in the same shoes…

Inspecting FastCGI Packets with Wireshark

Published: January 30, 2019

Recently I needed to do some analysis on FastCGI packets being sent to PHP-FPM.

Wireshark has a page on their wiki titled FastCGI which shows a screenshot of a pcap in Wireshark with detailed FastCGI info.

Image from Wireshark FastCGI Wiki showing pcap with detailed FastCGI info

However, I couldn’t easily figure out from the wiki how to get the same details on my FastCGI pcap.

Screenshot showing a FastCGI pcap in Wireshark without proper FastCGI info