Blog | Max Chadwick

On Magento Module Vulnerabilities

Published: February 7, 2019

Tags:

The topic of Magento module security has been heating up. Here are just a few things that have happened recently:

Willem de Groot, the leading researcher tracking malware infections amongst the global Magento install base reported that Magento modules are now the main source of security breaches for Magento sites.
In collaboration with several security-minded individuals (myself included) Willem also published, magevulndb, a repository tracking vulnerabilities in commonly used Magento modules.
The topic of Magento module security is slated for discussion at the DevExchange at the upcoming Magento Live AU conference. The effort is being spearheaded by ExtDN

I have some strong thoughts on the matter which I haven’t been shy about sharing in the past…

So I think a requirement that @ext_dn should impose is around proper disclosure of vulnerabilities in modules.
— Max Chadwick (@maxpchadwick) November 27, 2018

Here, I want to express them in long form.

FCGI_PARAMS FastCGI record format

Published: February 4, 2019

Tags:

Networking

Recently I was trying update Gopherus’ FastCGI payload to clear PHP-FPM’s security.limit_extensions value. Using Wireshark I knew I needed to edit an FCGI_PARAMS record.

Screenshot showing an FCGI_PARAMS record in Wireshark

However, no matter how much time I spent with Google I couldn’t find a decent explanation of the format of a FCGI_PARAMS record.

Fortunately, after going through the a FCGI_PARAMS record byte-by-byte in Wireshark, I figured out what was going on. Here I’m documenting my findings for anyone else who finds them selves in the same shoes…

Inspecting FastCGI Packets with Wireshark

Published: January 30, 2019

Tags:

Recently I needed to do some analysis on FastCGI packets being sent to PHP-FPM.

Wireshark has a page on their wiki titled FastCGI which shows a screenshot of a pcap in Wireshark with detailed FastCGI info.

Image from Wireshark FastCGI Wiki showing pcap with detailed FastCGI info

However, I couldn’t easily figure out from the wiki how to get the same details on my FastCGI pcap.

Screenshot showing a FastCGI pcap in Wireshark without proper FastCGI info

Xdebug Profiler Files Not In xdebug.profiler_output_dir

Published: January 17, 2019

Tags:

PHP

Something that’s tripped up both myself and devs that I’ve worked with is not finding Xdebug profiler files in the expected directory (/tmp by default).

It usually goes something like this…

Enable the Xdebug profiler by adding xdebug.profiler_enable_trigger = 1 to a .ini file.
Make a request with ?XDEBUG_PROFILE =1 in the GET string.
Check for the output file in /tmp
Pull out hair because it’s not there.

This may be accompanied by running a sanity check, only to be accompanied by more hair pulling…

$ php -r 'var_dump(ini_get("xdebug.profiler_output_dir"));'
string(4) "/tmp"

Resuming a Failed MySQL Import

Published: January 8, 2019

Tags:

MySQL

You may have a mysql import fail for any number of reasons. Most recently, I had an import fail with the following error.

ERROR 3 (HY000) at line 270457: Error writing file '/var/lib/mysqltmp/MLTmnake' (Errcode: 28 - No space left on device)

While the error implies that the disk ran out of space during import, the issue was in fact that the disk ran out of inodes.

Regardless of the reason of failure, you likely won’t want to start the import over from the beginning.

Here I’ll provide some tips for resuming the failed import.

Proxying Guzzle Requests Through Tor

Published: December 16, 2018

Tags:

Guzzle is the de facto library for doing HTTP requests in PHP. There may be cases where you’d prefer not to disclose your IP address when using it. You may also be using 3rd party tools and not be in a great position to introduce the proxying at an application level.

Fortunately, all you need to do is set the ALL_PROXY environment variable when running your code.