This week saw the inaugural Click Frenzy sale generate a huge amount of interest in Australian eCommerce, and we are proud to have been the developer responsible for delivering the website for the event based on a Magento platform.
The site stood up well after a challenging start on Tuesday evening, but at one point a configuration issue with the webserver environment left a number of private application files exposed for some time. During this period the Magento directory was inadvertently left with directory listings enabled and with private directories and their contents unprotected from access. The accessibility of these private files did not result in a security breach of any kind, and there was never any sensitive personal data stored on any of the website's servers, but the cause of the disclosure does highlight a risk in Magento's design. Currently, the entire application is designed to be located in the webserver's document root (docroot). To address this risk and eliminate the possibility of a misconfiguration having this effect, the Magento application needs to be restructured so that most parts can be relocated outside of the docroot. This is an approach we'll be adopting in future and which we document in this post. We also include an accompanying patch that we are releasing to the Magento community.

Fontis Westpac 2.1.5: Important Update
by Chris Norton in Announcements
We have just released an important update to the Fontis Westpac extension, which should be installed by all merchants using the PayWay service. The update includes a new Verisign certificate for the PayWay gateway, which will be required in order to continue connecting to the gateway. Merchants who will be affected by this update should have already been contacted by Westpac.
In addition, we have added another small but often requested feature: a credit card type selection box on the PayWay and QuickGateway settings pages in the Magento configuration. Merchants will now be able to easily configure whether they want to accept American Express, Discover and others.