    Magento 1 Security Since July 2020

    If you work with a Magento 1 website, you know that Adobe stopped publishing M1 security patches and software updates in June of 2020. While that has been a friction point for a large number of eCommerce store owners, other providers were ready to roll out security patches to give Magento 1 users more runway to continue to operate successfully before replatforming to a newer platform, like Magento 2. In this article, you’ll learn about what those patches look like.

    Who’s impacted?

    According to September 2020 data from security firm Foregenix, there are nearly 180,000 live Magento 1 sites. Foregenix had estimated well over 200,000 live M1 sites back in May of 2020. According to the data, the Magento ecosystem has retained a steady number of users overall, replacing M1 users with M2 users. 

    Foregenix Magento 1 and 2 Installation Tracker September 21st 2020

    A leading team of Magento security experts, Sansec, have data sets that align in trends, but not in total installations:

    Sansec Magento 1 and 2 installations as of October 20 2020

    Whether it’s +/-100,000 or 200,000 sites, it’s a lot of users. 

    At JetRails, we host many Magento 1 and Magento 2 sites, and we can report similar trendlines. We’ve seen a large number of M1 users migrate to M2 in recent months. Since we specialize in single-tenant, dedicated hosting environments, we understand that our user base is more likely to be well established and therefore to have the budget capacity to replatform to Magento 2.

    How has a lack of security patches from Adobe impacted these users?

    So far, the largest security incident to impact M1 users since Adobe stopped supporting this platform has been CardBleed. This hack infected thousands of sites with card skimmers over the course of a weekend and was discovered by the team at Sansec. While this was a zero-day event, it was not completely unpredictable. While many unmanaged and under-managed hosting environments were unprepared, JetRails configurations were secured against this attack, and our users were unaffected.

    What security solutions should your Magento 1 web hosting include?

    Here are a few things that your web host should be assisting with, in order to keep your site safe and secure. These countermeasures include both proactive and reactive solutions to block threats and to identify unusual activity before it turns into a serious problem.

    What about Magento 1 Security Patches?

    While a lot can be blocked with managed hosting and firewalling solutions, sites still need security patches for more holistic security and to achieve security compliance. If you’re not installing security patches, you’re not keeping your Magento site PCI compliant.

    The two authorities that are releasing patches for Magento 1 are Mage-One and OpenMage. 

    Mage-One

    Mage-One charges a subscription fee to access the patches that they produce. As of this writing, they have already released over a dozen patches:

    Forces login forms to disable autocompletion.

    Prevents parallel logins from the same user account by only allowing a single session at any given time. This applies to both frontend and backend (admin) users.

    Adds a new config option to only transmit cookies via HTTPS.

    Provides compatibility with PHP 7.3.

    Improves the clearing of session data with parallel logins.

    Addresses an observable timing discrepancy vulnerability in Magento’s hash compare functionality.

    Takes away the possibility of removing system attributes via SOAP API.

    Without this patch, an administrator with permission to access System > Permissions > Variables was able to add config paths for encrypted config fields to the allow list. This made it possible to view the decrypted value of private information.

    This improves the compatibility of third-party integrations by flagging cookies as SameSite=None. (This SameSite cookie issue is impacting all sorts of sites and is not a Magento-specific vulnerability.)

    For users whose host does not already block it (a great host like JetRails does), this patch prevents access to your /downloader folder.

    Replaces the news feed URL in the Magento admin so that it receives patch notifications from Mage-One, since there are none coming from Adobe.

    This is an improvement for MO-18, and avoids incorrect form keys from creating error log entries.

    Blocks admin users that have permission to update product data from being able to store an executable file on the server and load it via the layout xml file.

    *Update* – Here are some patches that released after this article was initially published:

    This patch improves the handling of cookies that are created by Mage.Cookies.

    Stops administrators with permission to import/export data AND create widgets from being able to inject executable files on the server.

    Stops administrators with permission to create products from being able to inject executable files on the server via wishlist functionality.

    Stops administrators with permission to import/export data AND edit CMS pages from being able to inject executable files on the server via layout xml.

    Improves the MO-20 patch to stop administrators with permission to access System > Permissions > Variables from being able to add config paths for encrypted config fields to the allow list.

    This is an improvement on the MO-21 patch, improving the compatibility of third-party integrations by flagging cookies as SameSite=None. You can now configure the behavior of SameSite via a new config option in System > Config > Web > Session Cookie Management > SameSite.

    This is a fix for the MO-23 patch. FeedURL had a double protocol handler.

    This is a fix for the MO-31 patch. It addresses an issue wherein the cookie flag wasn’t boolean in JavaScript.

    This is an improvement for the MO-31 patch. It adds SameSite settings to PHP-based session cookies.
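    The cookie flags these patches introduce (HTTPS-only transmission, and a configurable SameSite value on the PHP session cookie) interact: browsers discard a SameSite=None cookie that is not also marked Secure. The following is an added illustration of that combination, not Mage-One's patch code; it assumes PHP 7.3+, where session_set_cookie_params() accepts an options array with a 'samesite' key, and the function name sessionCookieOptions is hypothetical.

```php
<?php
declare(strict_types=1);

// Added illustration, not Mage-One's code. Assumes PHP 7.3+, where
// session_set_cookie_params() accepts an options array with a 'samesite' key.

/**
 * Build PHP session cookie options from the store's configured SameSite value.
 * Browsers discard a SameSite=None cookie that is not also marked Secure, so
 * that combination is enforced here instead of being left to configuration.
 */
function sessionCookieOptions(string $sameSite, bool $isHttps): array
{
    if (!in_array($sameSite, ['Lax', 'Strict', 'None'], true)) {
        throw new InvalidArgumentException("Unsupported SameSite value: $sameSite");
    }
    if ($sameSite === 'None' && !$isHttps) {
        // Secure cannot be honoured on plain HTTP, so None would be rejected
        // by the browser; fall back to Lax rather than emit an unusable cookie.
        $sameSite = 'Lax';
    }
    return [
        'lifetime' => 0,        // expires with the browser session
        'path'     => '/',
        'domain'   => '',
        'secure'   => $isHttps, // only transmit the cookie over HTTPS
        'httponly' => true,     // keep it out of reach of document.cookie
        'samesite' => $sameSite,
    ];
}

// The SameSite value would normally come from the store configuration;
// 'None' is what a third-party integration embedding the store needs.
$isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
session_set_cookie_params(sessionCookieOptions('None', $isHttps));
```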

    This addresses a core bug that’s present when using prepare data for redirecting.

    This is a fix for a security vulnerability in Zend Framework’s Stream HTTP Wrapper.

    This patch makes Magento 1 compatible with PHP 7.4 and PHP 8. Be sure to discuss PHP upgrades with your JetRails account manager!

    To prevent XSS attacks, this patch changes the Content-Type of JSON responses from text/html to application/json.

    Magento 1’s wishlist sharing feature has been known to be abused by spammers. This patch adds an admin feature to disable wishlist sharing.

    This patch fixes a vulnerability in the MySQL adapter to prevent SQL injection attacks.

    This patch updates Zend_Http_Response to support HTTP/2.

    This patch adds improved security to unserialize() calls to avoid unexpected object creation.
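    The risk with unserialize() is that a payload naming a class causes PHP to instantiate it, so any __wakeup() or __destruct() on that class runs on attacker-shaped data. One way to deserialize without ever instantiating a class, added here as an illustration and not Mage-One's patch code (the class name SafeUnserialize is hypothetical), assuming the payload is expected to contain only scalars and arrays:

```php
<?php
declare(strict_types=1);
// Added illustration, not Mage-One's patch: deserialize without instantiating classes.
final class SafeUnserialize
{
    /**
     * With allowed_classes=false (PHP 7.0+) every object in the payload becomes a
     * __PHP_Incomplete_Class stub, so no __wakeup()/__destruct() of a real class
     * ever runs; the result is then rejected outright if any stub is present.
     * @return mixed scalars and (nested) arrays only
     */
    public static function scalarsAndArrays(string $payload)
    {
        $value = @unserialize($payload, ['allowed_classes' => false]);
        if ($value === false && $payload !== 'b:0;') {
            throw new InvalidArgumentException('Malformed serialized payload');
        }
        if (self::containsObject($value)) {
            throw new UnexpectedValueException('Objects are not permitted in this payload');
        }
        return $value;
    }
    /** @param mixed $value */
    private static function containsObject($value): bool
    {
        if (is_object($value)) {
            return true;
        }
        if (is_array($value)) {
            foreach ($value as $item) {
                if (self::containsObject($item)) {
                    return true;
                }
            }
        }
        return false;
    }
}

// Constructed samples: a plain array is accepted; a payload naming a class
// (stdClass here, a gadget class would fare no better) is refused.
$plain = serialize(['sku' => 'ABC-123', 'qty' => 2]);
$qty = SafeUnserialize::scalarsAndArrays($plain)['qty'];
$withObject = 'O:8:"stdClass":1:{s:4:"note";s:2:"hi";}';
try {
    SafeUnserialize::scalarsAndArrays($withObject);
} catch (UnexpectedValueException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```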

    This patch fixed a vulnerability that allowed users with admin access to inject code (RCE) using session manipulation.

    This patch addresses missing sanitization in data flows that made it possible for admin users to upload arbitrary executable files to the server.

    This patch addresses Layout XML allowing admin users to execute arbitrary commands via block methods.

    This patch fixed a vulnerability in Magento’s package manager which led to an RCE via race conditions.

    This patch updates the TLD list so that Zend_Validator can validate email addresses.

    This patch adds array_key_first() and array_key_last() with a polyfill.

    How is Mage-One finding these security vulnerabilities? 

    Mage-One is partnered with Magento security experts and stakeholders, from JetRails to Sansec, to OneStepCheckout and Amasty. Overall, they’re up to over 40 partner organizations in the Magento community. 

    They also have an active bug bounty program, which pays ethical hackers that find vulnerabilities and disclose them to Mage-One.

    MageOne Bug Bounty Program

    According to the Mage-One team, they have already written patches and paid bounties as a result of this program. This is competitive with what Adobe is offering through their own bug bounty program for Magento 2:

    Magento 2 Adobe Bug Bounty Program HackerOne

    OpenMage

    OpenMage is a free open-source fork of Magento 1. They too have been busy since Adobe ended their support of Magento 1. While Mage-One is focused on security-related solutions, OpenMage is addressing a wider range of updates for M1 users. They’ve had multiple releases since Magento 1 reached end of life on June 30th, 2020. These releases include general fixes and updates, as well as some security improvements. 

    OpenMage version releases since June 2020

    OpenMage is fast approaching 30 partner organizations. These include a wide range of partners, from payment processors like Heartland, to extension developers like OneStepCheckout, security firms like Sansec, and hosts like JetRails.

    They have been working on their own bug bounty program too:

    OpenMage is also making Magento 1 extensions available via GitHub now that the Magento Marketplace no longer offers these extensions. 

    Which Magento Agencies are continuing to support Magento 1?

    Whether for M1 or M2, and regardless of where you source your patches, a Magento site requires a merchant to have a great web host and great web developers. Some agencies have been moving away from Magento 1 to more exclusively focus on Magento 2. However, as the data at the beginning of this article highlighted, there are still more M1 than M2 sites out there, so while many dev teams may have considered working exclusively with M2, for practical reasons, few have gone this route. 

    Anyone that has tried to find the right agency before will undoubtedly agree that agencies are not one-size-fits-all and that just because some agencies will take on a project, doesn’t make them experts in that arena. That’s why we’ve launched our Magento Agency Matchmaker program – helping merchants to find agencies that our team has had positive experiences working with.

    With the right software, Magento host, and developers, you’ll be able to keep your Magento 1 site safe, fast, reliable, and scalable.

    About The Author
    Robert Rand
    Director of Partnerships & Alliances

    Robert is a Magento 1 and 2 Solution Specialist with over a decade of experience in helping merchants benefit from sound ecommerce and digital marketing strategies. He’s highly experienced at harnessing the power of ecommerce technologies and solutions to help businesses of all types and sizes grow and succeed.
