

Magento Commerce Security Vulnerabilities - leftnode
http://artisansystem.com/blog/entry/33

======
scorxn
Thanks for posting this. I haven't seen much about Magento on HN, though it's
got a ton of potential for ecommerce startups. Unfortunately its development
has been pretty rocky so far. I added this post to their bug tracker.

I think someone could do very well offering Magento as a hosted service once
it matures. Server administration is the cause of a lot of strife, and few
online retailers are interested in that.

~~~
streety
It's surprising, and a little disappointing, that the original author had not
already submitted it.

I've not played around with Magento but my understanding is that it's based on
the Zend Framework. Zend_Form has a dedicated element for preventing CSRF
attacks: Zend_Form_Element_Hash. That said this looks more like a poor design
choice rather than a limitation of the tools/framework used.

~~~
leftnode
You're right, I should've submitted it. I did and the devs said they'd look
into it.

------
asdfjqer
Just a word of warning, since the article doesn't make it clear: Using POST is
not an effective defense against CSRF. You need to include some sort of unique
token in the form.

(Checking the referrer certainly helps, but will cause problems for anyone who
has referrers disabled in browser privacy settings or is behind a proxy that
strips referrer headers)
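
The token-based check described above, written out as an added example (not code from the article, from Magento, or from Zend Framework, which has its own Zend_Form_Element_Hash for this). It is in Python rather than PHP so that it runs stand-alone; the Session and Request classes, the /admin/product/delete form, and the product id are constructed stand-ins for a real server session and HTTP request. It shows why the method alone is not a defense: a forged cross-site POST is rejected only because the attacker cannot read the victim's session-bound token, and a state-changing GET is refused outright.

```python
import hmac
import secrets


class Session:
    """Constructed stand-in for a server-side session store (hypothetical)."""

    def __init__(self):
        self.data = {}


class Request:
    """Constructed stand-in for an incoming HTTP request (hypothetical)."""

    def __init__(self, method, form=None, referer=None):
        self.method = method
        self.form = form or {}
        self.referer = referer


def issue_csrf_token(session):
    """Create, or reuse, a per-session secret token to embed in forms.

    The token lives only in the server-side session and in pages served to
    that session, so a page on another origin cannot read or guess it.
    """
    token = session.data.get("csrf_token")
    if token is None:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        session.data["csrf_token"] = token
    return token


def render_delete_form(session, product_id):
    """Render a state-changing form that carries the session's token."""
    token = issue_csrf_token(session)
    return (
        '<form method="POST" action="/admin/product/delete">'
        f'<input type="hidden" name="id" value="{product_id}">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        "<button>Delete</button></form>"
    )


def csrf_check(session, request):
    """Accept a state-changing request only if it is a POST that carries
    the token bound to this session.

    GET is rejected unconditionally: a state change reachable by a plain
    URL can be triggered by an <img src=...> on any site. POST alone is
    also not enough, since an attacker's page can auto-submit a form to
    our origin; only the secret token distinguishes a real submission.
    """
    if request.method != "POST":
        return False
    expected = session.data.get("csrf_token")
    submitted = request.form.get("csrf_token", "")
    if not expected or not submitted:
        return False
    # Constant-time comparison so the check does not leak the token byte by byte.
    return hmac.compare_digest(expected, submitted)


def referer_matches(request, allowed_host):
    """Optional defense in depth: check the Referer when one is present.

    A missing Referer is tolerated rather than rejected, because browsers
    with referrers disabled and proxies that strip the header would
    otherwise lock legitimate users out. The token check remains the real
    control; this only adds a hurdle.
    """
    if request.referer is None:
        return True
    return request.referer.startswith(f"https://{allowed_host}/")


def handle_delete(session, request, deleted):
    """Hypothetical handler: returns an HTTP status and records deletions."""
    if not csrf_check(session, request) or not referer_matches(request, "shop.example"):
        return 403
    deleted.append(request.form["id"])
    return 200
```

The forged request in the test below is what an attacker's page can actually produce: the right method, the right field names, the victim's cookies sent automatically by the browser, but no way to fill in the token.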

------
djahng
It does seem to be a fairly obvious oversight...why would database query
commands be constructed from GET requests in the first place?

------
noelchurchill
Has anyone used Magento? Have you had good or bad experiences? What would the
best alternatives be? Thanks!

~~~
scorxn
I've been working on it daily since October. Compared to osCommerce, Zen Cart
and Volusion, Magento is slow and extremely flexible, mostly due to its EAV
architecture: <http://en.wikipedia.org/wiki/Entity-attribute-value_model>. You
can bend it to meet various business models (inventory vs drop ship, physical
vs downloadable, etc.). Its most unique strength is running multiple sites
from the same db (though again, performance becomes an issue).

Interface-wise, Magento is years ahead of the rest. Just visit a demo site.

It does run on the Zend Framework, so studying that (and OO PHP in general) is
a requisite for writing modules. The ZF brings sophisticated inheritance
logic, both in terms of object overloading and template inheritance. Thus,
extending Magento is a breeze compared to other software.

Magento's downsides stem from being young and free. The documentation is hit-
or-miss, and the forum is full of FUD from inexperienced users who are
attracted to the price tag.

The Magento team has a habit of scrambling a maintenance patch right after a
release, which probably means bad QA. If a new release comes out, it's best to
wait a couple weeks and watch for x.0.1.

Having a dedicated server with a solid control panel and shell access will be
a lifesaver. Crontab control is a must. I'm amazed how many people try to jam
this thing on GoDaddy.

