If you work with a Magento 1 website, you know that Adobe stopped publishing M1 security patches and software updates in June of 2020. While that has been a friction point for a large number of eCommerce store owners, other providers were ready to roll out security patches to give Magento 1 users more runway to continue to operate successfully before replatforming to a newer platform, like Magento 2. In this article, you’ll learn about what those patches look like.
Who’s impacted?
According to September 2020 data from security firm Foregenix, there are nearly 180,000 live Magento 1 sites. Foregenix had estimated well over 200,000 live M1 sites back in May of 2020. According to the data, the Magento ecosystem has retained a steady number of users overall, replacing M1 users with M2 users.
Sansec, a leading team of Magento security experts, has data sets that align in trends, but not in total installations:
Whether it’s +/-100,000 or 200,000 sites, it’s a lot of users.
At JetRails, we host many Magento 1 and Magento 2 sites, and we can report similar trendlines. We’ve seen a large number of M1 users migrate to M2 in recent months. Since we specialize in single-tenant, dedicated hosting environments, we understand that our user base is likely to be more established and therefore to have the budget capacity to replatform to Magento 2.
How has a lack of security patches from Adobe impacted these users?
So far, the largest security incident to impact M1 users since Adobe stopped supporting this platform has been CardBleed. This hack infected thousands of sites with card skimmers over the course of a weekend and was discovered by the team at Sansec. While this was a zero-day event, it was not completely unpredictable. While many unmanaged and under-managed hosting environments were unprepared, JetRails configurations were secured against this attack, and our users were unaffected.
Top-ISPs for these 2735 hacked Magento 1 stores. Conclusion: a Cloudflare WAF or a certain premium Magento hosting company did not prevent this malware attack. https://t.co/WLzj2kvx8c pic.twitter.com/dKGPZZ55yF
— gwillem (@gwillem) September 16, 2020
What security solutions should your Magento 1 web hosting include?
Here are a few things that your web host should be assisting with, in order to keep your site safe and secure. These countermeasures include both proactive and reactive solutions to block threats and to identify unusual activity before it turns into a serious problem.
- Web Application Firewall (WAF): Firewalling can block a variety of threats in real-time. Such threats are related to custom coding, themes, and extensions – not just your core Magento software. We partner with industry leaders in WAF like Cloudflare, Sucuri, and Section.io. Often WAF rules are rolled out even before the software patch is ready to ship.
- Malware Scanning: It’s equally important to be on the lookout for malicious code and vulnerabilities that make it into your site. We partner with respected experts in this field like Sansec and Sucuri, leveraging some of the most comprehensive scans available on the market.
- Intrusion Detection: We can also watch for unusual file or database changes. If we can identify that a bad actor is making changes they shouldn’t be able to, it can help to stop an attacker in their tracks.
- Off-Server Backups: If your account is compromised, there are a variety of reasons that you’ll want backups above and beyond restoring data. One includes identifying how far back a problem goes as part of a security audit.
- Least Privileged Access: We also believe in locking down security so that bad actors from unexpected locations can’t access key systems, like your Magento Admin. In some cases, we’ll even block traffic from entire countries where you don’t do business.
- DNS Management & Obfuscation: By using the right DNS management and Content Delivery Network (CDN), we keep your origin servers hidden from simple lookups and attacks. This makes it much harder for hackers to attack the network chain in front of your servers.
- Hosting Maintenance: Website hosting is not a “set it and forget it” operation. Server software needs to be maintained and patched, just like your Magento software.
- 24/7 Monitoring: All of these systems and services are only effective if they’re being monitored, managed, and optimized. At JetRails, our Network Operations Center (NOC) provides round the clock monitoring of key metrics and systems related to security, stability, and uptime.
- Effective Support: When you’re facing a security issue, time is of the essence. At JetRails, we provide 24/7 support. We believe in having Magento hosting experts at the ready so that we can solve problems quickly and effectively.
- Partnerships & Collaboration: Security is a team effort. By collaborating with companies like MageOne, OpenMage, Cloudflare, Sansec, Sucuri, Bolt, OneStepCheckout, and Section.io, along with a variety of the best Magento agencies and tech providers, we share key information and constantly work toward outstanding security for our clients.
What about Magento 1 Security Patches?
While a lot can be blocked with managed hosting and firewalling solutions, sites still need security patches for more holistic security and to achieve security compliance. If you’re not installing security patches, you’re not keeping your Magento site PCI compliant.
The two authorities that are releasing patches for Magento 1 are Mage-One and OpenMage.
Mage-One
Mage-One charges a subscription fee to access the patches that they produce. As of the authoring of this article, they have already released over a dozen patches:
- MO-12: Released July 30th, 2020
Forces login forms to disable autocompletion.
- MO-14: Released August 5th, 2020
Prevents parallel logins from the same user account by only allowing a single session at any given time. This applies to both frontend and backend (admin) users.
- MO-15: Released August 8th, 2020
Adds a new config option to only transmit cookies via HTTPS.
- MO-16: Released August 28th, 2020
Provides compatibility with PHP 7.3.
- MO-17: Released August 28th, 2020
Improves the clearing of session data with parallel logins.
- MO-18: Released October 1st, 2020
Addresses an observable timing discrepancy vulnerability in Magento’s hash compare functionality.
- MO-19: Released October 1st, 2020
Takes away the possibility of removing system attributes via SOAP API.
- MO-20: Released October 1st, 2020
Without this patch, an administrator with permission to access System > Permissions > Variables was able to add config paths for encrypted config fields to the allow list. This made it possible to view the decrypted value of private information.
- MO-21: Released October 29th, 2020
This improves the compatibility of 3rd party integrations by flagging cookies as SameSite=None. (This SameSite cookies issue is impacting all sorts of sites, and is not a Magento-specific vulnerability.)
- MO-22: Released October 29th, 2020
For users that don’t use a great host like JetRails that already addresses this, this patch will prevent access to your /downloader folder.
- MO-23: Released October 29th, 2020
Replaces the news feed URL in the Magento admin so that it receives patch notifications from Mage-One, since there are none coming from Adobe.
- MO-24: Released October 29th, 2020
This is an improvement for MO-18, and avoids incorrect form keys from creating error log entries.
- MO-25: Released October 29th, 2020
Blocks admin users that have permission to update product data from being able to store an executable file on the server and load it via the layout xml file.
*Update* – Here are some patches that released after this article was initially published:
- MO-26: Released December 9th, 2020
This patch improves the handling of cookies that are created by Mage.Cookies.
- MO-27: Released December 9th, 2020
Stops administrators with permission to import/export data AND create widgets from being able to inject executable files on the server.
- MO-28: Released December 9th, 2020
Stops administrators with permission to create products from being able to inject executable files on the server via wishlist functionality.
- MO-29: Released December 9th, 2020
Stops administrators with permission to import/export data AND edit CMS pages from being able to inject executable files on the server via layout xml.
- MO-30: Released December 9th, 2020
Improves the MO-20 patch to stop administrators with permission to access System > Permissions > Variables from being able to add config paths for encrypted config fields to the allow list.
- MO-31: Released December 9th, 2020
This is an improvement on the MO-21 patch, improving the compatibility of 3rd party integrations by flagging cookies as SameSite=None. You can now configure the behavior of SameSite via a new config option in System > Config > Web > Session Cookie Management > SameSite.
- MO-32: Released December 9th, 2020
This is a fix for the MO-23 patch. FeedURL had a double protocol handler.
- MO-33: Released January 21st, 2021
This is a fix for the MO-31 patch. It addresses an issue wherein the cookie flag wasn’t boolean in JavaScript.
- MO-34: Released January 21st, 2021
This is an improvement for the MO-31 patch. It adds SameSite settings to PHP-based session cookies.
- MO-35: Released March 31st, 2021
This addresses a core bug that’s present when using prepare data for redirecting.
- MO-36: Released March 31st, 2021
This is a fix for a security vulnerability in Zend Framework’s Stream HTTP Wrapper.
- MO-37: Released March 31st, 2021
This patch makes Magento 1 compatible with PHP 7.4 and PHP 8. Be sure to discuss PHP upgrades with your JetRails account manager!
- MO-38: Released March 31st, 2021
To prevent XSS attacks, this patch changes the content-type in JSON responses from text/html to application/json.
- MO-39: Released March 31st, 2021
Magento 1’s wishlist sharing feature has been known to be abused by spammers. This patch adds an admin feature to disable wishlist sharing.
- MO-40: Released March 31st, 2021
This patch fixes a vulnerability in the MySQL adapter to prevent SQL injection attacks.
- MO-41: Released May 26th, 2021
This patch updates Zend_Http_Response to support HTTP/2.
- MO-42: Released May 26th, 2021
This patch adds improved security to unserialize() calls to avoid unexpected object creation.
- MO-43: Released May 26th, 2021
This patch fixed a vulnerability that allowed users with admin access to inject code (RCE) using session manipulation.
- MO-44: Released May 26th, 2021
This patch addresses missing sanitization in data flows that made it possible for admin users to upload arbitrary executable files to the server.
- MO-45: Released May 26th, 2021
This patch addresses Layout XML behavior that had enabled admin users to execute arbitrary commands via block methods.
- MO-46: Released May 26th, 2021
This patch fixed a vulnerability in Magento’s package manager which led to an RCE via race conditions.
- MO-47: Released May 26th, 2021
This patch updates TLDs so that Zend_Validator can validate emails.
- MO-48: Released May 26th, 2021
This patch adds array_key_first() and array_key_last() with a polyfill.
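Several of the patches above change what a store sends over HTTP, so their effect can be checked from outside. The following is an added example, not code from Mage-One or JetRails: a Python audit of HTTP responses for the cookie, content-type and /downloader changes described for MO-15, MO-21/MO-31, MO-22 and MO-38. The mapping from each patch's one-line description to a header check is an assumption, and the sample responses (including the /example/ajax/ path) are constructed.

```python
import json

def parse_set_cookie(value):
    """Return (cookie name, {lowercased attribute: value}) for one Set-Cookie header."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def is_json(body):
    try:
        return isinstance(json.loads(body), (dict, list))
    except ValueError:  # empty or non-JSON body
        return False

def audit_response(path, status, headers, body=""):
    """Return findings for one response; headers is a list of (name, value) pairs."""
    findings = []
    ctype = ""
    for name, value in headers:
        if name.lower() == "content-type":
            ctype = value.split(";", 1)[0].strip().lower()
        elif name.lower() == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                findings.append(f"{cookie}: no Secure attribute (MO-15)")
                if attrs.get("samesite", "").lower() == "none":
                    findings.append(f"{cookie}: SameSite=None needs Secure (MO-21/MO-31)")
    if is_json(body) and ctype != "application/json":
        findings.append(f"{path}: JSON served as {ctype or 'unknown'} (MO-38)")
    if path.startswith("/downloader") and status == 200:
        findings.append(f"{path}: downloader reachable (MO-22)")
    return findings

# Constructed sample responses (paths, cookie values and bodies are made up).
SAMPLES = [
    ("/customer/account/login/", 200,
     [("Set-Cookie", "frontend=abc123; path=/; HttpOnly; SameSite=None"),
      ("Content-Type", "text/html; charset=UTF-8")], "<html></html>"),
    ("/example/ajax/", 200, [("Content-Type", "text/html; charset=UTF-8")], '{"success": true}'),
    ("/downloader/", 200, [("Content-Type", "text/html")], "<html></html>"),
    ("/downloader/", 403, [("Content-Type", "text/html")], ""),
    ("/example/ajax/", 200,
     [("Set-Cookie", "frontend=abc123; path=/; Secure; HttpOnly; SameSite=None"),
      ("Content-Type", "application/json")], '{"success": true}'),
]
```

Calling audit_response(*sample) for each entry in SAMPLES returns the findings for that response; an empty list means none of the four checks fired.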
How is Mage-One finding these security vulnerabilities?
Mage-One is partnered with Magento security experts and stakeholders, from JetRails to Sansec, to OneStepCheckout and Amasty. Overall, they’re up to over 40 partner organizations in the Magento community.
They also have an active bug bounty program, which pays ethical hackers that find vulnerabilities and disclose them to Mage-One.
According to the Mage-One team, they have already written patches and paid bounties as a result of this program. This is competitive with what Adobe is offering through their own bug bounty program for Magento 2:
OpenMage
OpenMage is a free open-source fork of Magento 1. They too have been busy since Adobe ended their support of Magento 1. While Mage-One is focused on security-related solutions, OpenMage is addressing a wider range of updates for M1 users. They’ve had multiple releases since Magento 1 reached end of life on June 30th, 2020. These releases include general fixes and updates, as well as some security improvements.
OpenMage is fast approaching 30 partner organizations. These include a wide range of partners, from payment processors like Heartland, to extension developers like OneStepCheckout, security firms like Sansec, and hosts like JetRails.
They have been working on their own bug bounty program too:
We made it to over 100 hackers and already have a few reports. Thank you to everyone in the community that is participating! https://t.co/k4CCyWWZdm
— 🍕Mark William Lewis (@mrloo) September 30, 2020
OpenMage is also making Magento 1 extensions available via GitHub now that the Magento Marketplace no longer offers these extensions.
Which Magento Agencies are continuing to support Magento 1?
Whether for M1 or M2, and regardless of where you source your patches, a Magento site requires a merchant to have a great web host and great web developers. Some agencies have been moving away from Magento 1 to more exclusively focus on Magento 2. However, as the data at the beginning of this article highlighted, there are still more M1 than M2 sites out there, so while many dev teams may have considered working exclusively with M2, for practical reasons, few have gone this route.
Anyone that has tried to find the right agency before will undoubtedly agree that agencies are not one-size-fits-all and that just because some agencies will take on a project, doesn’t make them experts in that arena. That’s why we’ve launched our Magento Agency Matchmaker program – helping merchants to find agencies that our team has had positive experiences working with.
With the right software, Magento host, and developers, you’ll be able to keep your Magento 1 site safe, fast, reliable, and scalable.