Blog
Retrofitting Two Factor Authentication To An Existing Magento 2 Installation
Published: March 24, 2019
Enabling forced two-factor authentication for the Magento admin panel is a great way to improve security. However, with the current mechanics of Magento’s two-factor authentication module simply flipping the switch in your stores admin panel still leaves a gap in your system’s security.
Redis Service Management with requirepass AUTH enabled
Published: March 11, 2019
While reviewing a plan to introduce requirepass AUTH to a Redis instance prepared by a co-worker I came across the following note:
Will not set up init scripts, as starting/stopping Redis with AUTH directive enabled requires password
This didn’t smell right to me, so I decided to take a look at the issue with my co-worker.
Magento UI Component Magical Data Providers
Published: February 27, 2019
UI components are notoriously one of the most painful aspects of working with Magento 2.
I had some folks ask me about Magento 2's UI Component recently and realized everything I wrote about (now two years ago) has fled my head -- and I'm not sure I want to let it back in. https://t.co/Ubi9KVA1I0https://t.co/jtlTvuKEF9
— Alan Storm (@alanstorm) August 28, 2018
One aspect that’s thrown me for a loop is the “magical data providers”. For example, if you look at vendor/dotdigital/dotmailer-magento2-extension/view/adminhtml/ui_component/dotdigitalgroup_order_grid.xml you’ll see the following…
<dataSource name="order_report_grid_data_source">
<!--The data source-->
<argument name="dataProvider" xsi:type="configurableObject">
<argument name="class" xsi:type="string">Magento\Framework\View\Element\UiComponent\DataProvider\DataProvider</argument>
...
But how could the Magento\Framework\View\Element\UiComponent\DataProvider\DataProvider class be responsible for providing data to the order report grid?
On Magento Module Vulnerabilities
Published: February 7, 2019
The topic of Magento module security has been heating up. Here are just a few things that have happened recently:
- Willem de Groot, the leading researcher tracking malware infections amongst the global Magento install base reported that Magento modules are now the main source of security breaches for Magento sites.
- In collaboration with several security-minded individuals (myself included) Willem also published, magevulndb, a repository tracking vulnerabilities in commonly used Magento modules.
- The topic of Magento module security is slated for discussion at the DevExchange at the upcoming Magento Live AU conference. The effort is being spearheaded by ExtDN
I have some strong thoughts on the matter which I haven’t been shy about sharing in the past…
So I think a requirement that @ext_dn should impose is around proper disclosure of vulnerabilities in modules.
— Max Chadwick (@maxpchadwick) November 27, 2018
Here, I want to express them in long form.
FCGI_PARAMS FastCGI record format
Published: February 4, 2019
Recently I was trying update Gopherus’ FastCGI payload to clear PHP-FPM’s security.limit_extensions value. Using Wireshark I knew I needed to edit an FCGI_PARAMS record.
However, no matter how much time I spent with Google I couldn’t find a decent explanation of the format of a FCGI_PARAMS record.
Fortunately, after going through the a FCGI_PARAMS record byte-by-byte in Wireshark, I figured out what was going on. Here I’m documenting my findings for anyone else who finds them selves in the same shoes…
Inspecting FastCGI Packets with Wireshark
Published: January 30, 2019
Recently I needed to do some analysis on FastCGI packets being sent to PHP-FPM.
Wireshark has a page on their wiki titled FastCGI which shows a screenshot of a pcap in Wireshark with detailed FastCGI info.
However, I couldn’t easily figure out from the wiki how to get the same details on my FastCGI pcap.
