Enabling forced two-factor authentication for the Magento admin panel is a great way to improve security. However, with the current mechanics of Magento’s two-factor authentication module simply flipping the switch in your stores admin panel still leaves a gap in your system’s security.
While reviewing a plan to introduce requirepass AUTH to a Redis instance prepared by a co-worker I came across the following note:
Will not set up init scripts, as starting/stopping Redis with AUTH directive enabled requires password
This didn’t smell right to me, so I decided to take a look at the issue with my co-worker.
UI components are notoriously one of the most painful aspects of working with Magento 2.
I had some folks ask me about Magento 2's UI Component recently and realized everything I wrote about (now two years ago) has fled my head -- and I'm not sure I want to let it back in. https://t.co/Ubi9KVA1I0https://t.co/jtlTvuKEF9— Alan Storm (@alanstorm) August 28, 2018
One aspect that’s thrown me for a loop is the “magical data providers”. For example, if you look at
vendor/dotdigital/dotmailer-magento2-extension/view/adminhtml/ui_component/dotdigitalgroup_order_grid.xml you’ll see the following…
<dataSource name="order_report_grid_data_source"> <!--The data source--> <argument name="dataProvider" xsi:type="configurableObject"> <argument name="class" xsi:type="string">Magento\Framework\View\Element\UiComponent\DataProvider\DataProvider</argument> ...
But how could the
Magento\Framework\View\Element\UiComponent\DataProvider\DataProvider class be responsible for providing data to the order report grid?
The topic of Magento module security has been heating up. Here are just a few things that have happened recently:
I have some strong thoughts on the matter which I haven’t been shy about sharing in the past…
So I think a requirement that @ext_dn should impose is around proper disclosure of vulnerabilities in modules.— Max Chadwick (@maxpchadwick) November 27, 2018
Here, I want to express them in long form.
Recently I was trying update Gopherus’ FastCGI payload to clear PHP-FPM’s
security.limit_extensions value. Using Wireshark I knew I needed to edit an
However, no matter how much time I spent with Google I couldn’t find a decent explanation of the format of a
Fortunately, after going through the a
FCGI_PARAMS record byte-by-byte in Wireshark, I figured out what was going on. Here I’m documenting my findings for anyone else who finds them selves in the same shoes…
Recently I needed to do some analysis on FastCGI packets being sent to PHP-FPM.
Wireshark has a page on their wiki titled FastCGI which shows a screenshot of a pcap in Wireshark with detailed FastCGI info.
However, I couldn’t easily figure out from the wiki how to get the same details on my FastCGI pcap.