Magento 1 JavaScript malware injection via CMS block

Hello, as Magento 1.x nears its end of life (at least officially), everyone should consider moving to the Magento 2.x platform. With every new release Magento gets better and new features become available; the upgrade process has also been simplified and now works really well.

Anyway, there are a lot of stores that still use Magento 1.x and will not move to 2.x for a few more months. Those stores also require maintenance and security checks, otherwise they can easily be compromised by malware and expose important data (like customers' addresses or even credit card numbers). Be sure that you update Magento on a regular basis and apply security patches as soon as they are published.

We noticed recently that malware code can easily be injected into CMS block content; that way it will be loaded on every page that includes the CMS block in any part of the page. In simple words, if you have a CMS block in the footer, the code will be loaded on every page of the site, including the cart, checkout and success pages.

A simple way to check your site is to log in to the Magento back end, open a CMS block for editing, turn off the WYSIWYG editor to see the source, and check for any code that includes JavaScript.
The code might look like this:
<script src='https://javascript.host/'></script>

In general, if you see any code that includes scripts hosted on a domain that is not familiar to you, there is reason to suspect that it is some kind of malware.
If you have access to phpMyAdmin, you can search the database and check whether there is similar code in CMS pages or any other table.
Also, if you have the MageFence module, it will search for those strings when you start the security check procedure.

Here are a few of the most common strings that you should check for:

  • kinfirighbetted.host
  • atob.host
  • bad.guy
  • siteverification.online
  • jquery-ajax.host
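
The manual check described above can be automated once the block content has been exported from the database. The following is an added example, not part of the original post or of MageFence: it flags the strings listed above, any script loaded from a host that is not on your own allowlist, and inline scripts that need a manual look. The sample blocks and the trusted host `example-store.test` are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicator strings listed in the post above.
KNOWN_BAD = ("kinfirighbetted.host", "atob.host", "bad.guy",
             "siteverification.online", "jquery-ajax.host")

class ScriptCollector(HTMLParser):
    """Records external script URLs and counts inline <script> tags."""
    def __init__(self):
        super().__init__()
        self.sources, self.inline = [], 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())
            else:
                self.inline += 1

def is_trusted(host, trusted_hosts):
    return any(host == t or host.endswith("." + t) for t in trusted_hosts)

def audit_block(content, trusted_hosts):
    """Return (kind, detail) findings for one CMS block's raw HTML."""
    findings = [("known-bad-string", s) for s in KNOWN_BAD if s in content.lower()]
    parser = ScriptCollector()
    parser.feed(content)
    parser.close()
    for src in parser.sources:
        host = (urlparse(src).hostname or "").lower()
        # No host means a relative URL served by the store itself.
        if host and not is_trusted(host, trusted_hosts):
            findings.append(("untrusted-script-host", host))
    if parser.inline:
        findings.append(("inline-script", str(parser.inline)))
    return findings

# Constructed sample data: identifier -> content, as exported from cms_block.
SAMPLE_BLOCKS = {
    "footer_links": "<ul><li>About</li></ul><script src='https://javascript.host/'></script>",
    "promo": '<p>Sale</p><script src="/js/promo.js"></script>',
    "tracking": "<script src='//cdn.jquery-ajax.host/t.js'></script><script>var a=1;</script>",
}
TRUSTED = {"example-store.test"}  # placeholder: your own store/CDN hosts

def audit_all(blocks=SAMPLE_BLOCKS, trusted=TRUSTED):
    return {name: f for name, html in blocks.items() if (f := audit_block(html, trusted))}

if __name__ == "__main__":
    for name, found in audit_all().items():
        print(name, found)
```

Any block that appears in the output should be opened in the admin with the WYSIWYG editor turned off and reviewed by hand.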

Fixing currency rates in Magento 1.x

While Magento 1.x is slowly fading into history, there are still a lot of stores that use it and therefore need to be maintained on a regular basis.

If you have a multi-currency store, then you are familiar with the built-in Webservicex service, which was responsible for updating currency rates. The Webservicex service stopped working a year ago and, to make things even worse, it will return 1 for all currency rates. That can cause a lot of issues; for example, it will allow customers to order items at the base-currency price but without conversion.

As an alternative, many stores switched to the 'Payserv GoogleFinance' module, which uses the Google Finance API to retrieve currency rates. The module was free to use and can be found on GitHub (thanks Magento for removing old marketplace – thumb down):

https://github.com/ausger/GoogleCurrency

Recently I noticed a notice in the Magento admin:

WARNING: Cannot retrieve rate from http://www.google.com/finance/converter?a=1&from={{CURRENCY_FROM}}&to={{CURRENCY_TO}}

The message came from the 'Payserv GoogleFinance' module and was output when the module tried to update currency rates. This happens because Google Finance changed the URL of the API service that should return rates. To make the module functional a small modification is needed, and we will make it in the Model file:

app/code/local/Payserv/GoogleFinance/Model/Google.php

At line #32 we will replace the existing code with this:

protected $_url = 'https://finance.google.com/finance/converter?a=1&from={{CURRENCY_FROM}}&to={{CURRENCY_TO}}';

As you may notice when comparing the URL from the notice with the new URL that we set, everything is the same except the domain name, so now it is: https://finance.google.com/finance/

After you have made the change in the file and uploaded it back, try to import rates to be sure that the module now works properly. As an additional check you may open Google Finance in a browser and compare rates, for example USD to EUR: https://finance.google.com/finance/converter?a=1&from=USD&to=EUR

If you have trouble making this small change, you can contact me and I can send you a version of the module with the fix applied:
https://magehelperblog.com/contact-me/

 

Extending CreareSEO module

The CreareSEO module is a really great addition to any Magento 1 store and helps a lot with basic SEO-related settings; the latest version can be found on GitHub. Among a bunch of useful features there is also a 'Twitter Cards and Open Graph' section that will automatically add Twitter card and OG meta tags to the product details page.

In a few simple steps we will extend that feature to the category page as well.

First we will add one more field to the 'Twitter Cards and Open Graph' section, which we will use for the Facebook app ID. Open this file in an editor: app/code/community/Creare/CreareSeoCore/etc/system.xml
and add the code from the attached file 'system-update'. Be sure to copy the code within the section; we want to keep the module consistent and usable.

Save the file and open the Magento admin: System->CreareSEO->General Settings tab. You will see a new field that we named 'Facebook app id'. Enter your Facebook app ID and hit the save button.

Luckily, CreareSEO uses the base package and default theme, so it is easy to find and edit the layout files.
So next is the XML layout file:
app/design/frontend/base/default/layout/creareseo.xml

We will add this line:

<block type="core/template" name="ccreareseo.category.social" ifconfig="creareseocore/social/enabled" template="creareseo/social/category-social.phtml" />

to these two sections (for both sections the reference is 'head'):
catalog_category_layered
and:
catalog_category_view

After that we will create a template file named 'category-social.phtml' and copy it into the folder:
app/design/frontend/base/default/template/creareseo/social/

To save you some time I will provide a template with the code. The code in the template is quite simple, so there is no need to explain it line by line. Of course the code can be changed as it suits you and additional tags can be added. If you find something interesting you are more than welcome to share it in the comments 🙂

 

Finally we will use the Facebook app ID on the product details template too (it is missing for some reason). Open the template:
app/design/frontend/base/default/template/creareseo/social/social.phtml

and add this line (the configured value is HTML-escaped because it is written into an attribute):
<meta property="fb:app_id" content="<?php echo $this->escapeHtml(Mage::getStoreConfig('creareseocore/social/facebookappid')) ?>" />

Once you have saved everything, clear the Magento cache and test your page using the official FB tool:
https://developers.facebook.com/tools/debug/