Potential Security Vulnerability- Remote Code execution

[senthilengg]

Any idea @magento-team

[andimov]

@senthilengg
Thank you for reporting!
To allow us to research the issue, please, provide format this issue according to the Issue reporting guidelines

[hostep]

Shouldn't security vulnerabilities be reported to [email protected] instead of out in the open? Or am I mistaken? @piotrekkaminski?

[commcad]

+1

Certainly has my vote for this to be removed asap. Surely wouldn't want Mr Cracka's gang to see this that's for sure.

Sec rep to [email protected] with IMPORTANCE set to !

[commcad]

@senthilengg

Importance of having/forcing Magento 2.1 onto HTTPS is paramount. That would have cancelled customers risks by alerting SSL issues but would not have prevented the exploit itself. For now anyway.

[andimov]

@senthilengg
We've created internal ticket MAGETWO-56581 to investigate it.
Please, remove details from the description.

[commcad]

And replace with this:

$MAGE_ROOT = /pub (!!!)(for nginx, ps: apache is dead man)

$ php bin/magento deploy:mode:set production
$ sudo chown -R $USER:www-data .
$ find . -type d -exec chmod 770 {} ; && find . -type f -exec chmod 660 {} ;
$ find var vendor pub/static app/etc var/generation var/di var/view_preprocessed -type f -exec chmod u-w {} ;
$ find var vendor pub/static app/etc var/generation var/di var/view_preprocessed -type d -exec chmod u-w {} ;
$ chmod o-rwx app/etc/env.php
$ chmod u+x bin/magento

[senthilengg]

@andimov I have removed the description as you requested. Let me know the update ASAP.

Any suggestions other than SSL ?

[commcad]

@senthilengg Yes; NGINX + REDIS running on unix socket set with 700 perms + cache db credentials (strong U/P)

In reality, if you'd ask me; I'd say the only way is to get off the Internet e.g. pull the plug.

Literally mate :/

[commcad]

Oh, one other thing (normally this deter the worst of the worsts!):

::Hide Server Signature of Nginx & PHP::

$ curl -I https://www.mydomain.com
^ see if the server signatures are listed publicly!

$ sudo nano /etc/nginx/nginx.conf
uncomment server_tokens off;
$ sudo service nginx restart

$ sudo nano /etc/php/7.0/cli/php.ini
Set expose_php = Off
$ sudo service php7.0-fpm restart

Hide NGINX server details
sudo apt-get install nginx-extras
$ sudo nano /etc/nginx/nginx.conf
add line: more_set_headers 'Server: whatever-wwwsrv-name-here';
$ sudo service nginx restart

$ sudo reboot
Test!
$ curl -I https://www.mydomain.com

[piotrekkaminski]

@senthilengg I would appreciate if you could reach out to me directly peter (at) magento.com with more details - version, anything in the logs etc.

[magenx]

@senthilengg how did you find it?

[senthilengg]

@magenxI have removed the details intentionally coz it should be maintained confidential as per magento guys request. So probably you have to wait until we get a patch.

[magenx]

im asking how did you find it, you search in the files for something specific or it was an error in the browser console, etc...

[senthilengg]

Going to be an year now with no update. @magento-team

[okorshenko]

The issue has been investigated. Closing as non-issue.