PCI DSS Compliant Payment Gateways Available Through Magento Connect

Having a PCI DSS compliant payment gateway is essential for most businesses, especially for enterprise solutions. Even some of the better known gateways are not PCI compliant, the most notable example in the UK is RBS WorldPay, who were recently dropped from Visa’s list of compliant payment providers.

What follows is a list of gateways that use a PCI compliant service provider based upon the VISA list and gateways available through Magento Connect. I do not endorse or guarantee the functionality of any of these modules, although I have had positive experiences with the SagePay integration.

• SagePay, formerly Protx
• ChronoPay
• CyberSource
• FastTransact
• PaySimple
• ACH Payment (Commercial: $175)
• Amazon FPS (Commercial: $275)
• BeanStream (2 Available, Commercial: $175 and $299)
• eProcessing Network (Commercial: $175)
• FirstData, formerly LinkPoint (Commercial: $175)
• Optimal Payments (Commercial: $75)
• PayJunction (Commercial: $175)
• PSIGate (Commercial: $175)
• Plug & Pay (Commercial: $175)
• TransFirst (Commercial: $125)
• TrustCommerce (Commercial: $175)
• USA ePay (Commercial: $175)
• YourPay.com (Commercial: $175)

If I’ve missed anything, please let me know, will try and keep this list updated!

Installing Google Analytics On Your Magento Stores

Installing Google Analytics is simple, just extract your unique identifier from Google Analytics. The unique identifier for each site can be found next to the URL, like so:

http://www.example.com/   UA-1234567-1

Then go to your admin panel URL and navigate to System -> Configuration -> Google API -> Google Analytics

Or add: /system_config/edit/section/google/ to your admin panel URL.

Remember, you can add different unique tracking identifiers to different stores and store views by selecting the relevant store or view from the dropdown on the left hand side of the configuration panel.

Fix Cron.php So That Product Catalog Prices Stick!

Even after setting up a cron job (Magento Wiki Article: Setting up a Cron Job) to keep special catalog prices up-to-date, many users (including myself) are still finding that prices do not ’stick’. To solve this issue, edit Cron.php (in the root installation directory) so that the lower half is as follows:

1
2
3
4
5
6

try {
Mage::getConfig()->init()->loadEventObservers(’crontab’);
Mage::app()->addEventArea(’crontab’);
Mage::dispatchEvent(’default’);
$ob = Mage::getModel(’catalogrule/observer’);
$ob->dailyCatalogUpdate("0 1 * * *");

And you should be sorted!

Optimising Magento for Speed…

Magento is probably the most powerful ecommerce software out there, however this comes at a cost, it is very power-hungry and Magento pages are rather large, often once customisation and images are added, pages can top 500Kb! Before you rush off and upgrade to a dedicated box, there are a lot of things you can do to speed up your installation.

The first is to host your site with a host that uses eAccelerator, this basically adds a layer of caching that enables the site to call off compiled files from the file system, significantly reducing overheads. Secondly, ensure that you have compression of JavaScript, HTML and CSS files enabled. By default Magento concatenates all your JavaScript files and if gzip is enabled the file will be compressed automatically. After some experimenting yesterday evening I found that the concatenation of the files saves about 7/8Kb compared to sending the cached files individually, so this would appear to be the most efficient methodology.

A warning to users of the Web Developer toolbar for Firefox, this compression is not picked up by the add-on if you use the Information > Document Size utility. However, Firebug does pick up the compression.

.htaccess file coming soon…

Magento CSRF Vulnerability

Yesterday, Varien publicly acknowledged the existence of a serious vulnerability in Magento, the original blog post details the methodology for this exploit.

Varien, have suggested merely changing the URL for the admin panel, however, as others have noted this solution is merely “security through obscurity” and not a real solution. For the moment though, it is better than nothing.

Further to this there is an unofficial patch on a French Magento forum (summarised below) for the XSS vulnerabilities relating to the admin panel.

This outlines 3 key XSS vulnerabilities:

1. Login page vulnerability. Enter: "username": "> <script> alert (123) </script> into the username box and any password to demonstrate this
2. Vulnerability on forgot password page. Enter: "> <script> alert (123) </script> on the forgot username/password page
3. The most dangerous of the three XSS vulnerabilities found to date, navigate here in your Magento store: yourmagentosite.com/download/?return=%22%3Cscript%3Ealert (123)%3C/script%3E

The returning of 123 may seem innocuous however, it is this ability to replace ‘123′ with server side calls that poses a threat to the security of your Magento store. Particularly the third example, what follows is a hypothetical example put forward on a French blog and translated here:

For example, a simple fakemail (identity theft) will allow the attacker to send a link bomb, containing harmful and adapted Javascript, which will control the next action to be performed. The idea is simple, the mail has a link back to normal, the link actually contains XSS and therefore listening Javascript keyboard (for example) and then you logged … Lost.

Write fakemail is paragraph 1 of Chapter 1 of the handbook of the pirate. You can even do it by changing your name in outlook, it is declarative … I can send you a mail from neil.amstrong @ lune.org in 10 seconds. So if a hacker pretends to be the boss of the box and request by email to the person in charge of the back to connect (link in the mail) and to monitor sales, you think it will do what the person question?

It is a very simple attack to carry out very dangerous and there, the script kiddie can take control of your backoffice.

Translation from Wikigento Post [FR].

First and foremost, move your admin panel by editing:

1
2
3
4
5
6
7
8
9

<admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[somethingelse]]></frontName>
                </args>
            </adminhtml>
        </routers>
     </admin>

If you cannot find this XML tree in your local.xml (as I could not for one of my clients) nest the above inside the <config> tags (the same level as <global>.

Delete your cache, easiest way is it open up var/cache/ and delete all the contents of the folder. Then use the new login URL and you should be done! This will protect you from the main CSRF vulnerability uncovered by Artisan System mentioned above.

To protect against the 3 XSS vulnerabilities above make the following changes:

downloader\Mage\Model\Session.php
Line 58

1
2
3

if (!empty($_GET['return'])) {
$this->set('return_url', htmlentities($_GET['return']));
}

app\design\adminhtml\default\_your_theme_name\template\login.phtml
Line 54

1

value="<?php echo htmlentities($username) ?>"

app\design\adminhtml\default\_your_theme_name\template\forgotpassword.phtml
Line 57

1

value="<?php echo htmlentities($email) ?>"

And you’re done! Another Magento disaster temporarily averted!

For the moment, any worried Magento administrators who would like this temporary solution applied to their store, are welcome to get in contact.

Using Magento as a Checkout, Payment and Admin System

So, you want to use the Checkout, Payment and Admin facilities but not the catalog? Well here’s a quick and painless solution.

If you have a set list of products then build the product list in the Magento back office, a previous post covers creating Magento products dynamically.

Once you have the products, all that is required is to add the products to the cart. The simplest way to do this is to feed two variables into the cart, SKU and Quantity:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

include_once '../app/Mage.php';
Mage::app();
 
Mage::getSingleton('core/session', array('name' => 'frontend'));
 
$sku = $_POST['sku'];
if (!isset($_POST['qty']) || (!is_int($_POST['qty']))) 
    { 
        $qty = 1; 
    } 
    else 
    {
        $qty = $_POST['qty']; 
    }
 
$productid = Mage::getModel('catalog/product')->getIdBySku($sku);
 
header("Location: /checkout/cart/add/product/".$productid."/qty/".$qty."/");

Your customer has then bypassed a Magento catalog but still checkouts using the Magento system and the admin can still make use of the excellent backoffice system.

Any comments or queries welcome.