Beware of Nginx and Magmi Data Import Tool


Security vulnerabilities: Nginx and Magmi Data Import Tool

Two potential security vulnerabilities have been discovered recently in the Magento ecosystem.

The first one concerns Nginx, but don’t panic: this problem affects only some misconfigured Magento sites. Because of the misconfiguration, hackers can get access to the Magento cache system. Note that cache files can contain sensitive information such as Magento database passwords; with this data, attackers can access your Magento installation and, as a result, customer information.

To protect your store from attacks, make sure that your configuration file protects directories and files properly. Check the Magento Security Best Practices guide and the example Nginx configuration file to find the proper settings for your server environment.

As for the Magmi data import tool, some sites use it without any protection against outside access. Attackers can therefore use the tool to gain access to your Magento installation. To fix the problem, remove Magmi from your production website. Alternatively, you can limit access to it with IP address or password-based restrictions.
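Both recommendations above (blocking the internal directories that hold the cache, and restricting Magmi) can be expressed in one Nginx server block. This is an added example, not the configuration file the post refers to; it assumes a Magento 1 directory layout served from the install root, Magmi installed under `/magmi/`, and placeholder values for the host name, paths, admin IP address and PHP-FPM socket.

```nginx
server {
    listen 80;
    server_name shop.example.com;        # placeholder host name
    root /var/www/magento;               # assumed install path
    index index.php;

    # Internal Magento directories are never served over HTTP.
    # "^~" stops Nginx from trying regex locations (such as the PHP
    # handler below) once one of these prefixes has matched.
    location ^~ /app/                { deny all; }
    location ^~ /includes/           { deny all; }
    location ^~ /lib/                { deny all; }
    location ^~ /media/downloadable/ { deny all; }
    location ^~ /pkginfo/            { deny all; }
    location ^~ /report/config.xml   { deny all; }
    location ^~ /var/                { deny all; }  # var/cache, var/session, var/log

    # Hidden files such as .htaccess or .git
    location ~ /\. { deny all; }

    # Magmi, if it cannot be removed from production.
    location ^~ /magmi/ {
        satisfy all;                     # require the IP check AND the password
        allow 203.0.113.10;              # placeholder admin IP (documentation range)
        deny all;
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/magmi.htpasswd;  # assumed path

        # "^~" above bypasses the global PHP handler, so Magmi needs its own;
        # the allow/deny and auth_basic settings are inherited here.
        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;     # assumed socket
        }
    }

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;         # assumed socket
    }
}
```

Validate the file with `nginx -t` before reloading, then confirm from an outside network that a request for any path under `/var/` on your own store returns 403 and that `/magmi/` is refused without the allowed IP address and credentials.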

Other Magento security vulnerabilities