The Magmi Security Issue
Recently a “major” magmi security issue warning was reported in the news, i want to give my opinion on it.
Magmi is an “integrator” tool
I first want to remind everyone that magmi is an integrator tool, mostly made for people to ingest or synchronize data
Magmi UI is a helper more than a feature, the recommended magmi interface will always be the cli
Magmi is aimed at automating data , since it has many plugins to configure and can handle many import profiles, i conceived an UI that enable easy setup & enable test runs.
The UI itself is totally optional once the import profiles have been setup, it can be removed or disabled
The cli interface enable automation , is much more suited to handle big imports since not constrained by PHP web execution model limitations (max_execution_time)
Magmi Wiki is the root of all knowledge , RTFM !!!!
Magmi has a wiki (http://wiki.magmi.org) that has a specific entry on how to secure magmi installation for years !!!!.
All people that had concern about security would find an easy way to secure their install there
The Upload Facility in UI
Once again, the UI being a helper, i added the ability to upgrade magmi directly from UI using upload controls. Once again, these feature was added for convenience of usage.
2.Is it magmi’s fault ?
My answer is clear : NO
One of the first chapters of magmi wiki that was here from the beginning is a disclaimer , it is clear.
Once again, magmi wiki documented since the very beginning how to secure magmi UI access.
3.What should i have done better
What i didn’t anticipate at all is the huge success of magmi.
- It became a defacto magento standard and a real enabler for use cases that were not possible before (like handling millions of products), that’s the good part of the success.
- This came with a downside : the audience of the tool grew far beyond the initial attended audience : integrators & developers and began to reach shop owners with no real programming skills nor web security culture
- I should have included a more “closed” deployment model, ie : make magmi unusable after deployment , forcing users to setup at least credentials or find a way to reuse existing (see here for more details about this, i just need to make this patch “magento code free” & compatible with out of magento dir installs too)
4.What i’ve learnt from this episode
I should have taken security concerns on my behalf rather than trusting the user to be smart enough to read the docs & know about the risks.
So i must have assumed the following statement: Never trust the user, he does not know what he’s doing. Which was false in the early days of magmi (which at this time didn’t even have an UI) , and is still false for most of the users which are responsible persons knowning what it means to deploy such a powerful tool as magmi.
The current version of magmi has upload features disabled , which prevents uploading malicious code, but not to execute some that may have already been uploaded , the following paragraph gives some hints about how to perform a cleanup.
5.How to cleanup most compromised servers:
1.ensure there is no other files than *.conf or *.ini in magmi/conf subdirectories , remove all files that do not match this rule in magmi/conf directory tree
2.backup magmi/conf (by copying it anywhere you want)
3. remove magmi directory (it will disinstall magmi from your system , removing all files that have been dropped there by malicious hackers)
4. download latest magmi archive (available here)
5. unzip magmi archive where you want (and yes, it could now be under magento root path, however, you might also want to download it elsewhere)
6. restore your backup of magmi/conf directory, so you’ll find back all your previous configurations & settings.
What it does not cover
If the malicious code was really smart, it could have moved their injected “backdoor” out of magmi directory but not outside your web server root directory (otherwise it would loose access).
So , have a look at any suspicious file that should not be there.
The following article shows how to limit access to magmi from a single machine & test vulnerability.
A big thanks to all reporting the issue, for setting up a debate, for criticizing magmi , it makes magmi (and myself) evolve !!!