Blog
Thinking About the Next Shoplift
Published: December 14, 2018
On February 19, 2015 Magento dropped patch SUPEE-5344. The patch addressed APPSEC-921, a CVSSv3 Severity 9.1 Remote Code Execution vulnerability which later became known as “Shoplift”. The patch was dubbed “Shoplift” in response to a video published by Check Point that showed how it could be used to zero out the price of products on a site and purchase them for free (in other words, steal them).
While this is a novel idea, the reality is that most attackers exploited the vulnerability to implant malware in the victim’s environment, silently stealing their users’ credit card information and sending it to a drop server under their control. They’d also upload backdoors to the victim’s server: hidden (to the amateur eye) entry points that they could use to re-enter and re-compromise the victim’s site again in the future.
Magento + MySQL Query Cache: Case Study #2
Published: November 27, 2018
Back in April of 2018 I published a case study demonstrating the (positive) impact the MySQL query cache generally has on application performance and scalability for Magento. A recent issue at work has further highlighted this. I posted a quick update about it on Twitter:
Biggest Black Friday / Cyber Monday issue so far caused by Amasty module preventing query cache from being used efficiently. I've said it before but very opposed to query cache deprecation in MySQL 8.0
— Max Chadwick (@maxpchadwick) November 26, 2018
Here I’ll share full details on the incident…
Invalidating all Admin Passwords in Magento
Published: November 19, 2018
If you’re dealing with a Magento site that has experienced a breach, it’s a good idea to reset all admin user passwords.
The easiest way to do this is to run a direct SQL query to update the password column in the admin_user table to gibberish.
UPDATE admin_user SET password = '--------';
No string will hash to this value, so essentially all the accounts will be locked at this point.
Moving a process running under strace to a screen session
Published: November 10, 2018
Today I was in a scenario where I started running a process under strace with the hopes of capturing diagnostic information about an error. However, instead of hitting the error, the process began to run successfully.
It would likely take at least an hour to complete, and I was nervous that I’d lose my SSH connection, causing the process to wind up failing. I was also nervous that if I stopped the process to restart in a screen session, it wouldn’t be safe to re-run as it would have partially imported some data at that point.
Here, I’ll walk through my findings about moving a process running under strace to a screen session.
cURL error 77 with PHP-FPM after yum update
Published: November 5, 2018
Recently a client reported that checkout was broken on their ecommerce website.
After some quick investigation, I found that the application code responsible for speaking with the payment gateway was logging the following error:
CURL Connection error: (77)
Here, I’ll outline my approach to solving this problem.
Backing up Sublime Text Configuration Files without Shooting Yourself in the Foot
Published: October 29, 2018
As a developer, it’s common practice to back up your system settings to a remote git repository. Conventionally, these repositories are given the name “dotfiles”.
I’ve long had such a repository containing a ~/.zshrc file. Recently, however, I decided to back up settings for a few additional tools, including Sublime Text.