Archive for 'Magento'

Magento Version 1.3.2.4 Security Update - XSS Vulnerability Fix

Magento Version 1.3.2.4 has been released in response to a major security issue that affects all prior versions of Magento: a cross-site scripting (XSS) vulnerability on the customer account registration page. If you’re reluctant to upgrade, or if you’ve modified core files (shame on you), there are a couple of alternatives:

Edit app/code/core/Mage/Customer/Model/Customer.php (around line 674) so that the email validation error escapes the submitted address, as below:

if (!Zend_Validate::is($this->getEmail(), 'EmailAddress')) {
    // htmlentities() is the fix: the submitted address is escaped before it is
    // echoed back in the error message, so it can no longer inject markup
    $errors[] = Mage::helper('customer')->__('Invalid email address "%s"', htmlentities($this->getEmail()));
}
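To see why that one call matters, here is an added, stand-alone example (not Magento core code, and not from the original post) that reproduces the vulnerable and the hardened version of the error message side by side. Zend_Validate is replaced with PHP's built-in filter_var() so the file runs on its own; the function names and the sample inputs are my own, and ENT_QUOTES is my choice of flag (the core fix calls htmlentities() with its defaults).

```php
<?php
// Added example: the pattern behind the Magento 1.3.2.4 fix, runnable stand-alone.
// Assumption: filter_var() stands in for Zend_Validate::is($email, 'EmailAddress').

/**
 * Vulnerable form: the submitted email is interpolated into the error message
 * unescaped, so markup in the "email" field reaches the page as markup.
 */
function validateEmailUnsafe(string $email): array
{
    $errors = [];
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = sprintf('Invalid email address "%s"', $email);
    }
    return $errors;
}

/**
 * Hardened form, as in 1.3.2.4: the value is passed through htmlentities()
 * before interpolation, so it renders as text. ENT_QUOTES additionally
 * escapes single quotes, which matters if the message ever lands inside an
 * HTML attribute.
 */
function validateEmailSafe(string $email): array
{
    $errors = [];
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = sprintf(
            'Invalid email address "%s"',
            htmlentities($email, ENT_QUOTES, 'UTF-8')
        );
    }
    return $errors;
}

// Constructed sample inputs: one valid address, one that contains markup.
$inputs = [
    'alice@example.com',
    '<b>not-an-email</b>',
];

foreach ($inputs as $input) {
    $unsafe = validateEmailUnsafe($input);
    $safe   = validateEmailSafe($input);
    echo "input:  {$input}\n";
    echo "unsafe: " . ($unsafe ? $unsafe[0] : '(valid, no error)') . "\n";
    echo "safe:   " . ($safe ? $safe[0] : '(valid, no error)') . "\n\n";
}
```

For the second input the unsafe variant returns the `<b>` tags verbatim, while the hardened variant returns `&lt;b&gt;not-an-email&lt;/b&gt;`, which the browser shows as literal text. Escaping in the model is what the patch does; the more robust habit is to also escape at the point of output in the template, which in Magento 1 is what the block helper htmlEscape() is for.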

Alternatively, if you don’t want to edit core files, add the following to your .htaccess file (make sure the quote characters are plain ASCII ' and " when you paste it):

# Every condition below is ORed: a match on any one of them sends the request to badrequest.php
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(\\r|\\n|%0A|%0D).* [NC,OR]
RewriteCond %{HTTP_REFERER} ^(.*)(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{HTTP_COOKIE} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999}.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(libwww-perl|curl|wget|python|nikto|scan).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
# This line needs the OR flag too; without it the four QUERY_STRING conditions would be ANDed with the ones above
RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop$).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(localhost|loopback|127\.0\.0\.1).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*\.[A-Za-z0-9].* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC]
RewriteRule ^(.*)$ badrequest.php

Change badrequest.php to the URL of your choice. Test this on a staging copy before going live: the conditions are deliberately broad (any query string containing a dot followed by a letter or digit, any apostrophe in a referer or cookie, any curl or wget user agent) and will block some legitimate traffic. Bear in mind too that mod_rewrite only sees the request line, headers and query string, not the POST body, so treat this as defence in depth and apply the Customer.php fix or upgrade as soon as you can.
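Because the rules are that broad, it is worth replaying them against the query strings your store actually receives before you deploy. The following added example (my own code, not part of the original post) models the four QUERY_STRING conditions in PHP: Apache's mod_rewrite uses PCRE, so preg_match() with the same pattern and the /i modifier (the [NC] flag) returns the same verdict. The condition names and the sample query strings are constructed for the demonstration; the header and user-agent conditions are not modelled but work the same way.

```php
<?php
// Added example: replays the QUERY_STRING conditions of the ruleset above
// against sample query strings so you can see what they would block.
// Assumption: the raw (undecoded) query string is what Apache matches, which
// is why the percent-encoded forms (%27, %3C, ...) appear literally.

/** The four QUERY_STRING conditions, in the order they appear in .htaccess. */
function queryStringPatterns(): array
{
    return [
        'sql-keywords' => '~^.*(;|<|>|\'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop$).*~i',
        'localhost'    => '~^.*(localhost|loopback|127\.0\.0\.1).*~i',
        'dot-alnum'    => '~^.*\.[A-Za-z0-9].*~i',
        'markup'       => '~^.*(<|>|\'|%0A|%0D|%27|%3C|%3E|%00).*~i',
    ];
}

/**
 * Returns the name of the first condition that matches the raw query string,
 * or null when the request would be allowed through to Magento.
 */
function blockedBy(string $rawQueryString): ?string
{
    foreach (queryStringPatterns() as $name => $pattern) {
        if (preg_match($pattern, $rawQueryString) === 1) {
            return $name;
        }
    }
    return null;
}

// Constructed sample query strings: ordinary catalogue requests, two harmless
// values that trip the rules, and one that carries encoded markup.
$samples = [
    'p=2&limit=30',              // allowed
    'q=red+shoes',               // allowed
    'email=alice%40example.com', // blocked (dot-alnum): false positive
    'file=report.pdf',           // blocked (dot-alnum): false positive
    'q=it%27s%20a%20select',     // blocked (sql-keywords): false positive
    'q=%3Cb%3Ebold%3C%2Fb%3E',   // blocked (markup): encoded <b> tags
];

foreach ($samples as $qs) {
    $verdict = blockedBy($qs);
    printf("%-30s %s\n", $qs, $verdict === null ? 'allowed' : "blocked ({$verdict})");
}
```

Run it with `php check-rules.php` (any filename will do). The two dot-alnum hits show the cost of the third condition: any query string carrying a hostname, an email address or a filename is rejected, so if your store passes such values in the URL you should drop or narrow that line before enabling the ruleset.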

Panic over! :D

Source: http://www.magentocommerce.com/boards/viewthread/51795/P0/

The Future Of Magento Connect

As I mentioned in my previous post, several announcements were made during Mage::Camp about upcoming changes to Magento Connect; the most noteworthy (from a developer’s standpoint) is the development of commercial licensing, encoding and payment handling.

Upon the release of Magento Connect 2.0, developers uploading their Magento extensions will have the option of encrypting their source code for added security. Given its popularity and its as yet unbroken encoding, IonCube is almost certain to be the encoder of choice for commercial Magento Connect extensions. The new version will also include integrated licensing management and payment services, all of which will attract a small charge.

However, I feel the most significant development in Magento Connect 2.0, particularly from a community point of view, is the proposed new Quality Assurance (QA) system that will allow developers to have their extensions assessed and verified by a developer at Varien. This will provide users with a vital tool, helping them to distinguish the ‘gold’ from the ‘chaff’ and hopefully giving end users additional reassurance when purchasing commercial extensions.

Highlights From Mage::Camp

Big thanks to OnTap and Varien for a great show at Mage::Camp. I just wanted to give readers an insight into some of the key things that were discussed regarding the development of Magento in the coming year.

Magento API

Of key interest to developers: Roy Rubin made clear Varien’s commitment to expanding the scope of the Magento API to encompass all the functionality available through Magento Admin (no timeframe on that, I’m afraid).

Magento Enterprise Edition

A number of questions were asked in relation to Magento Enterprise pricing. The main thing I took away was basically a warning for EU developers: the pricing for us is a straight swap of the currency symbol rather than a conversion of the dollar price at the current exchange rate, so it starts at €8,900 per annum.

However, there was some good news for customers hoping to use multiple servers for redundancy and load balancing: the ‘per instance’ licensing fee was “negotiable”, meaning you’ll probably only have to pay for one license.

Magento Connect

Magento Connect 2.0 is coming: a major overhaul is already in the pipeline, and many of the features will, I believe, lead to a huge surge in commercial extensions and greater levels of trust between developers and end users. More on the proposed changes in a future post.

PCI DSS Compliant Payment Gateways Available Through Magento Connect

Having a PCI DSS compliant payment gateway is essential for most businesses, especially for enterprise solutions. Even some of the better known gateways are not PCI compliant; the most notable example in the UK is RBS WorldPay, which was recently dropped from Visa’s list of compliant payment providers.

What follows is a list of gateways that use a PCI compliant service provider, based on the Visa list cross-referenced against the gateways available through Magento Connect. I do not endorse or guarantee the functionality of any of these modules, although I have had positive experiences with the SagePay integration.

  • SagePay, formerly Protx
  • ChronoPay
  • CyberSource
  • FastTransact
  • PaySimple
  • ACH Payment (Commercial: $175)
  • Amazon FPS (Commercial: $275)
  • BeanStream (2 Available, Commercial: $175 and $299)
  • eProcessing Network (Commercial: $175)
  • FirstData, formerly LinkPoint (Commercial: $175)
  • Optimal Payments (Commercial: $75)
  • PayJunction (Commercial: $175)
  • PSIGate (Commercial: $175)
  • Plug & Pay (Commercial: $175)
  • TransFirst (Commercial: $125)
  • TrustCommerce (Commercial: $175)
  • USA ePay (Commercial: $175)
  • YourPay.com (Commercial: $175)

If I’ve missed anything, please let me know; I’ll try to keep this list updated! :)

Installing Google Analytics On Your Magento Stores

Installing Google Analytics is simple: just take your unique tracking identifier from your Google Analytics account. The identifier for each site is shown next to its URL, like so:

http://www.example.com/   UA-1234567-1

Then go to your admin panel URL and navigate to System -> Configuration -> Google API -> Google Analytics

Or append /system_config/edit/section/google/ to your admin panel URL.

Remember, you can add different unique tracking identifiers to different stores and store views by selecting the relevant store or view from the dropdown on the left hand side of the configuration panel.

Varien Launch Magento Enterprise Edition

Varien yesterday launched a new enterprise version of Magento. Interestingly, regular users of the forum will note that a lot of the additional functionality in this new version is what ‘community edition’ users have been crying out for, particularly the ability to limit catalog access to certain customers (I assume on a group basis) by category or globally across stores.

I think it will be interesting to see in the coming months if any of the enterprise functionality makes it into Magento Connect, be it on an open source or commercial license. This would give community edition users the opportunity to ‘bolt on’ enterprise features.

At a cost of $8,900 a year, I think it will be interesting to see if Varien can continue to keep the Enterprise Edition significantly ahead of the Community Edition in the coming months and what other value added services they will be offering with it.

I would love to hear other people’s thoughts on the new edition.