Blog
Limiting Access To Specific Tables in MySQL - Cheatsheet
Published: September 6, 2018
One of the core principles in the infosec field is the principle of least privilege. The idea is to limit permitted access by systems or processes as much as humanly possible. Applied to MySQL, in some circumstances this could mean only allowing access to specific tables for some user. This is a quick cheatsheet for working with table-level access in MySQL.
Magento's Problematic (lack of) Release Line Strategy
Published: July 12, 2018
Magento currently maintains and accepts pull requests to 3 separate branches on GitHub.
2.1-develop - Code targeting this branch will go into a 2.1.X release
2.2-develop - Code targeting this branch will go into a 2.2.X release
2.3-develop - Code targeting this branch will go into a 2.3.X release
While the notion of allowing the community to contribute to each release line sounds good on paper, in practice it doesn’t work out so well in my experience.
In this post I’ll outline the issues with this process as I see them.
Magento's Not Sane AdminNotification Module
Published: July 5, 2018
For my past 4 and a half years working with Magento, I’ve gotten very used to seeing messages like this when I log into the Magento admin panel.

I typically close them out and proceed about my business. I had never quite understood how these notifications work until recently. Here I’ll document the not quite sane mechanics behind Magento’s admin notification system.
Export Magento Attribute Options to CSV with the Table Capture Chrome Extension
Published: June 20, 2018
Recently, I received the following request from a client…
How can I get an export of all the options for a given attribute in Magento?
There are several attributes I need to do this for…
Looking at the Magento admin panel, it quickly became evident that there was no self-serve way for the client to export the data.

Here I’ll document my approach, which ultimately led me to the Table Capture Chrome extension.
The Case of the Vanishing uRapidFlow License Key
Published: June 14, 2018
Recently, I received an email from a client that read something like this…
Subject: URGENT: Feeds not running
Feeds did not run this morning. Pricing is wrong on the website.
HELP!!!!
The website was using a uRapidFlow profile that was run on a cron to regularly import product pricing. Navigating to the profile in the Magento admin panel I got the following error…

Error message: Module record not found: Unirgy_RapidFlow
Here, I’ll document my findings…
Luhn Validation From the Command Line
Published: June 12, 2018
Today I received an alert that a credit card scanning tool had detected data that looked like a credit card number (PAN) on the file system of a client’s server.
Reviewing the details I found that the tool was reporting it had found what appeared to be a credit card number in an image file on the server. This gave me quite the scare as I knew that there’s a common strain of malware for Magento (the platform this site was running) which steals credit card numbers and stores them in image files to be harvested by the attacker.
The tool was reporting the credit card number started with “304428”. I was able to find the match in the reported file using exiftool…
$ exiftool -m 00080878182947_2.jpg | grep -o '.\{20\}304428.\{20\}'
8cca4b4231, xmp.did:304428740720681188C6DBD8EA
xmp.did:? I wasn’t sure what this was, but from some quick research I learned that it was metadata added for Adobe’s Extensible Metadata Platform (“XMP”).
As a quick check I did want to see if the number passed Luhn validation. I didn’t want to copy / paste the data into an online tool for obvious reasons, so I decided to do some further research on how to run Luhn validation from the command line. Here I’ll document my findings.