October 8, 2015
We’d like to bring to your attention two potential security vulnerabilities that were recently identified.
Misconfigured Magento Sites Using Nginx
Byte.nl reported that some misconfigured Magento sites using Nginx web server software are vulnerable to attacks. The misconfiguration allows outside access to Magento cache files. The cache files have predictable names and can contain sensitive information, including Magento database passwords. This information can be used to obtain access to an installation and customer information.
To address this issue when using Nginx or any web server other than Apache, make sure your server configuration file protects Magento's internal directories and files properly. Magento Security Best Practices includes information on configuring your server environment. You can also find an example of a configuration file for Nginx at https://gist.github.com/gwillem/cd5ae6845fa33aa0d481.
If this issue applies to you, we strongly advise you to update your server configuration file as soon as possible to protect your site from this vulnerability.
Unsecured Magmi Data Import Tool
It has also come to our attention that some sites use the Magmi data import tool without protection from outside access. This tool can be abused to gain full access to a Magento installation, so it is critical that you act now: remove the tool from your production website, or restrict access to it by IP address or password.
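The two fixes above (blocking direct access to Magento's internal directories, and restricting Magmi to an IP allowlist plus a password) can both be expressed in one Nginx server block. The following is an added example, not part of the original advisory and not the configuration from the linked gist. It assumes a Magento 1.x document root; the hostname, paths, PHP-FPM socket and the 203.0.113.0/24 administrator network are placeholders. The important point is that Nginx ignores the Apache .htaccess files Magento ships in directories such as var/ and app/, so those rules have to be recreated here.

```nginx
# Added example: minimal Magento 1.x server block for Nginx.
# Recreates the deny rules Magento ships as Apache .htaccess files
# (Nginx does not read .htaccess) and locks down the Magmi importer.
server {
    listen 80;
    server_name shop.example.com;          # placeholder hostname
    root /var/www/magento;                 # placeholder document root
    index index.php;

    # Internal directories are never served directly. var/ holds the cache
    # files the advisory warns about (they can contain database credentials)
    # and app/ holds app/etc/local.xml. This mirrors Magento's own .htaccess
    # rules; the regex is checked for any request not claimed by a ^~ prefix.
    location ~* ^/(app|includes|lib|media/downloadable|pkginfo|report/config|var)/ {
        deny all;
    }

    # Hidden files (.htaccess, .git, ...) are never served either.
    location ~ /\. {
        deny all;
    }

    # Magmi: the request must come from the allowlisted network AND carry
    # valid basic-auth credentials (satisfy all). allow/deny are evaluated
    # in order, so the catch-all deny comes last. The nested PHP location is
    # needed because ^~ stops the outer regex locations from matching here.
    location ^~ /magmi/ {
        satisfy all;
        allow 203.0.113.0/24;              # placeholder administrator network
        deny all;
        auth_basic "Magmi import";
        auth_basic_user_file /etc/nginx/htpasswd-magmi;   # created with htpasswd

        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php-fpm.sock;          # placeholder socket
        }
    }

    # Magento front controller: everything else is routed through index.php.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm.sock;              # placeholder socket
    }
}
```

After reloading, check the result rather than trusting the file: `nginx -t` validates the syntax, and a request for a path under /var/ on your own site (for example `curl -I https://shop.example.com/var/cache/`) should return 403 instead of a listing or file contents; a request to /magmi/ from outside the allowlisted network should also return 403. Removing Magmi from the production site, as the advisory recommends first, remains the stronger option; the access restriction is for the case where the tool must stay.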
You can also check your site for other security vulnerabilities at http://magereport.com. This is a Magento community project that is not affiliated with Magento.