By In Magento

Magento 1 JavaScript malware injection via CMS block

Hello, as Magento 1.x nears its end of life (at least officially), everyone should consider moving to the Magento 2.x platform. With every new release Magento gets better and new features become available; the upgrade process is also much simpler and now works really well.

Anyway, there are a lot of stores that still use Magento 1.x and will not move to 2.x for a few more months. Those stores also require maintenance and security checks; otherwise they can easily be compromised by malware and expose important data (such as customer addresses or even credit card numbers). Be sure that you update Magento on a regular basis and apply security patches as soon as they are published.

We recently noticed that malware code can be easily injected into CMS block content; that way it is loaded on every page that includes the CMS block anywhere on the page. In simple words, if you have a CMS block in the footer, the code will be loaded on every page of the site, including the cart, checkout and success pages.

A simple way to check your site is to log in to the Magento back end, open a CMS block for editing, turn off the WYSIWYG editor to see the source, and check for any code that includes JavaScript.
Code might look like this:
<script src='https://javascript.host/'></script>

In general, if you see any code that includes scripts hosted on a domain that is not familiar to you, there is reason to suspect that it is some kind of malware.
If you have access to phpMyAdmin, you can search the database and check whether similar code is present in CMS pages or any other table.
Also, if you have the MageFence module, it will search for those strings when you start the security check procedure.

We will name a few of the most common strings that you should check:

  • kinfirighbetted.host
  • atob.host
  • bad.guy
  • siteverification.online
  • jquery-ajax.host
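
The manual check described above can also be scripted. The following is an added example, not code from the original post or from MageFence: it scans CMS content for the strings listed above, for `<script>` tags loaded from hosts outside an allowlist, and for inline scripts. The trusted host names and the sample rows are assumptions constructed for illustration; in practice the rows would come from an export of the `cms_block` and `cms_page` content columns.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Strings listed in the post above.
KNOWN_BAD = ("kinfirighbetted.host", "atob.host", "bad.guy",
             "siteverification.online", "jquery-ajax.host")
# Assumption: hosts this store legitimately loads scripts from.
TRUSTED_HOSTS = {"shop.example.com", "www.google-analytics.com"}

class ScriptCollector(HTMLParser):
    """Records the src of each <script> tag ('' for an inline script)."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.sources.append((dict(attrs).get("src") or "").strip())

def scan_content(content, trusted=TRUSTED_HOSTS):
    """Return (reason, detail) findings for one CMS block or page body."""
    lowered = content.lower()
    findings = [("known-bad-string", s) for s in KNOWN_BAD if s in lowered]
    parser = ScriptCollector()
    parser.feed(content)
    for src in parser.sources:
        # Handles //host/file.js too; relative paths have no hostname (same-site).
        host = (urlparse(src).hostname or "").lower()
        if host and host not in trusted:
            findings.append(("untrusted-script-host", host))
    inline = parser.sources.count("")
    if inline:
        findings.append(("inline-script", str(inline)))
    return findings

def scan_rows(rows):
    """rows: (table, identifier, content) tuples; returns only rows with findings."""
    scanned = {(t, ident): scan_content(body or "") for t, ident, body in rows}
    return {key: hits for key, hits in scanned.items() if hits}

# Constructed sample rows, shaped like an export of cms_block / cms_page content.
SAMPLE_ROWS = [
    ("cms_block", "footer_links", '<ul><li><a href="/about">About</a></li></ul>'),
    ("cms_block", "footer_promo", "<p>Sale</p><script src='https://javascript.host/'></script>"),
    ("cms_page", "home", '<script src="//cdn.atob.host/a.js"></script><script>var a=1;</script>'),
    ("cms_block", "tracking", '<script src="https://www.google-analytics.com/analytics.js"></script>'),
]

if __name__ == "__main__":
    for key, hits in scan_rows(SAMPLE_ROWS).items():
        print(key, hits)
```

Inline scripts are reported for review rather than treated as malicious, since some stores place legitimate snippets in CMS blocks.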


By In Magento

Fixing currency rates in Magento 1.x

While Magento 1.x is slowly fading into history, there are still a lot of stores that use it and therefore need to be maintained on a regular basis.

If you have a multi-currency store, then you are familiar with the built-in Webservicex service, which was responsible for updating currency rates. The Webservicex service stopped working a year ago and, to make things even worse, it will return 1 for all currency rates. That can cause a lot of issues; for example, it will allow customers to order items at the base-currency price but without conversion.

As an alternative, many stores switched to the ‘Payserv GoogleFinance’ module, which uses the Google Finance API to retrieve currency rates. The module was free to use and can be found on GitHub (thanks Magento for removing old marketplace – thumb down):

https://github.com/ausger/GoogleCurrency

Recently I noticed a notice in Magento admin:

WARNING: Cannot retrieve rate from http://www.google.com/finance/converter?a=1&from={{CURRENCY_FROM}}&to={{CURRENCY_TO}}

The message came from the ‘Payserv GoogleFinance’ module and was output when the module tried to update currency rates. This happens because Google Finance changed the URL of the API service that returns the rates. To make the module functional again a small modification is needed, and we will make it in the Model file:

app/code/local/Payserv/GoogleFinance/Model/Google.php

At line #32 we will replace the existing code with this:

protected $_url = 'https://finance.google.com/finance/converter?a=1&from={{CURRENCY_FROM}}&to={{CURRENCY_TO}}';

As you may notice when comparing the URL from the notice with the new URL that we set, everything is the same except the domain name, so now it is: https://finance.google.com/finance/

After you have made the change in the file and uploaded it back, please try to import rates to be sure that the module now works properly. As an additional check you may open Google Finance in a browser and compare rates, for example USD to EUR: https://finance.google.com/finance/converter?a=1&from=USD&to=EUR

If you have trouble making this small change, you can contact me and I can send you a version of the module with the fix applied:
http://magehelperblog.com/contact-me/

By In Magento 2

White page issue – Magento 2

Another very common issue in Magento 2 is white pages in the back end. The error that I resolved was related to Credit Memo functionality, but a similar method can be applied to similar issues as well.

To describe the issue a bit more: I went to Sales > Order Management > Orders and selected an order that should be refunded. The issue was found on several orders, and they were made using Authorize.net or PayPal payment, so I excluded the possibility that a custom payment method could cause the issue.

On the order screen I clicked the Credit Memo button and landed on a white page without any error message or notification. Since there were no errors in the browser console (I wanted to check for JavaScript errors), I checked the var/log/system.log file and found this error:

main.CRITICAL: Broken reference: No element found with ID ‘before.body.end’.

After checking a few topics about the issue and the suggested solutions, I decided to try the simplest one: to update the XML file and add the missing layout parameter.

For the sake of testing I decided to edit the core file at line #8:

html/vendor/magento/module-sales/view/adminhtml/layout/sales_creditmemo_index.xml

and changed original code:

<page xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:View/Layout/etc/page_configuration.xsd">

to:

<page xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" layout="1column" xsi:noNamespaceSchemaLocation="urn:magento:framework:View/Layout/etc/page_configuration.xsd">

After that change I was able to open all test orders and perform a Credit Memo without any issues, and there were no errors in the log files.
To prevent the change from being deleted on the next Magento update, I suggest that you overwrite the core layout file with your own.
Magento 2 devdocs provide a solid guide on how to do that:
