Limiting Access To Specific Tables in MySQL - Cheatsheet

Published: September 6, 2018

One of the core principles in the infosec field is the principle of least privilege. The idea is to limit permitted access by systems or processes as much as humanly possible. Applied to MySQL, in some circumstances this could mean only allowing access to specific tables for some user. This is a quick cheatsheet for working with table-level access in MySQL.

Magento's Problematic (lack of) Release Line Strategy

Published: July 12, 2018

Magento currently maintains and accepts pull requests to 3 separate branches on GitHub.

  1. 2.1-develop - Code targeting this branch will go into a 2.1.X release
  2. 2.2-develop - Code targeting this branch will go into a 2.2.X release
  3. 2.3-develop - Code targeting this branch will go into a 2.3.X release

While the notion of allowing the community to contribute to each release line sounds good on paper, in practice it doesn’t work out so well in my experience.

In this post I’ll outline the issues with this process as I see them.

Magento's Not Sane AdminNotification Module

Published: July 5, 2018

For my past 4 and a half years working with Magento, I’ve gotten very used to seeing messages like this when I log into the Magento admin panel.

Example admin notification

I typically close them out and proceed about my business. I had never quite understood how these notifications work until recently. Here I’ll document the not quite sane mechanics behind Magento’s admin notification system.

Export Magento Attribute Options to CSV with the Table Capture Chrome Extension

Published: June 20, 2018

Recently, I received the following request from a client…

How can I get an export of all the options for a given attribute in Magento?

There are several attributes I need to do this for…

Looking at the Magento admin panel, it quickly became evident that there was no self-serve way for the client to export the data.

The attribute option edit screen in Magento 1

Here I’ll document my approach, which ultimately led me to the Table Capture Chrome extension.

The Case of the Vanishing uRapidFlow License Key

Published: June 14, 2018

Recently, I received an email from a client that read something like this…

Subject: URGENT: Feeds not running

Feeds did not run this morning. Pricing is wrong on the website.

HELP!!!!

The website was using a uRapidFlow profile that was run on a cron to regularly import product pricing. Navigating to the profile in the Magento admin panel I got the following error…

A screenshot of the error experienced

Error message: Module record not found: Unirgy_RapidFlow

Here, I’ll document my findings…

Luhn Validation From the Command Line

Published: June 12, 2018

Today I received an alert that a credit card scanning tool had detected data that looked like a credit card number (PAN) on the file system of a client’s server.

Reviewing the details I found that the tool was reporting it had found what appeared to be a credit card number in an image file on the server. This gave me quite the scare as I knew that there’s a common strain of malware for Magento (the platform this site was running) which steals credit card numbers and stores them in image files to be harvested by the attacker.

The tool was reporting that the credit card number started with “304428”. I was able to find the match in the reported file using exiftool.

$ exiftool -m 00080878182947_2.jpg | grep -o '.\{20\}304428.\{20\}'
8cca4b4231, xmp.did:304428740720681188C6DBD8EA

xmp.did:? I wasn’t sure what this was, but from some quick research I learned that it was metadata added for Adobe’s Extensible Metadata Platform (“XMP”).

As a quick check I did want to see if the number passed Luhn validation. I didn’t want to copy / paste the data into an online tool for obvious reasons, so I decided to do some further research on how to run Luhn validation from the command line. Here I’ll document my findings.