Magento is a Content Management System dedicated to e-commerce websites. Created in 2008 by the American company Varien, Magento is developed as open source software. Very popular among e-merchants for the wealth of native features it offers, Magento has become the world market leader. With simple and intuitive ergonomics, Magento does not require any special technical knowledge to use. The strength of this solution is its ability to grow over time. It allows you to move from a simple, basic online store to more ambitious and complex projects, simply by evolving it over the years and without having to change your tools.
Like its competitors, Magento makes it possible to develop plugins without necessarily being a professional developer. These plugins are available on Magento's "market place". Themes are also available to download if you want to change the look of your interface.
With more than 800,000 developers, Magento is the CMS with the largest and most active community. Plugins and extensions are developed regularly, making it possible to implement new features on your website easily and at low cost. Extensions are developed by the community but are not always verified by professionals. They may contain vulnerabilities which could compromise the availability of your site and the integrity of your data.
In April 2017, web experts discovered a vulnerability that allows malicious code to be downloaded to, and executed on, a server hosting an e-commerce store. With Magento, it is possible to add videos and images as thumbnails in the product list. The vulnerability lies in the feature that retrieves these images and videos. The experts found that when the image source points to another file type (PHP, for example), that file is downloaded in order to be validated. If the tool finds that the file is not an image, an error is returned but the file is not deleted. The file left on the server can then serve as a backdoor. A hacker could use it to navigate the server, access configuration files, and retrieve the site's database connection credentials. The consequences could be disastrous, as all customer information would be compromised and bank details could be sold on the darknet, for example.
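Because the flaw leaves a non-image file behind in a directory that should only hold thumbnails, that directory can be audited by content rather than by file name. The following is an added example, not code from Magento or HTTPCS: the directory passed to `audit_media_dir`, the list of accepted formats and the sample files in `demo` are all assumptions constructed for illustration.

```python
import os
import tempfile

FORMATS = {  # magic bytes and expected extensions per format (assumed list)
    "jpeg": ((b"\xff\xd8\xff",), {".jpg", ".jpeg"}),
    "png": ((b"\x89PNG\r\n\x1a\n",), {".png"}),
    "gif": ((b"GIF87a", b"GIF89a"), {".gif"}),
}
SCRIPT_MARKER = b"<?php"  # a valid image header can still be followed by script code


def classify(name, data):
    """Return a reason string if the file is suspicious, else None."""
    ext = os.path.splitext(name)[1].lower()
    for sigs, exts in FORMATS.values():
        if data.startswith(sigs):
            if ext not in exts:
                return "extension does not match content"
            if SCRIPT_MARKER in data:
                return "script marker inside image"
            return None
    return "not an image"


def audit_media_dir(root):
    """Walk root and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                reason = classify(name, fh.read(1 << 20))  # cap read at 1 MiB
            if reason:
                findings.append((os.path.relpath(path, root), reason))
    return sorted(findings)


def demo():
    samples = {  # constructed file contents, not real captures
        "ok.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "thumb.php": b"<?php /* constructed placeholder */",
        "photo.jpg": b"GIF89a" + b"\x00" * 32,
        "banner.gif": b"GIF89a<?php /* constructed placeholder */",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return audit_media_dir(root)
```

A finding is a reason to inspect the file and its creation time against the web server's access logs, not proof of compromise on its own.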
HTTPCS experts developed a plugin to identify and validate your website. Once validated, it can be analyzed by our vulnerability detection technology. Aware of the impact caused by the vulnerabilities present in the CMS, we designed our tool to help you ensure the security of your website despite the multiple updates of themes, plugins and the software itself. Do not wait to be the victim of an attack to protect your website. Take a proactive approach using HTTPCS technology.
Our "HTTPCS Validation" plugin is available for free on the CMS "market place". Once it is installed, you will have to fill in some information about your contact details. The plugin will create a unique file on your server which will allow the HTTPCS service to validate your website. This identification file is essential to our technology. Without it, you will not be able to launch the vulnerability scanner.