Magento Security Issues
Magento has announced two security issues:
1. Misconfigured Magento Sites Using Nginx
Byte.nl recently reported that some misconfigured Magento sites running the Nginx web server are vulnerable to attack. The misconfiguration allows outside access to Magento cache files, which have predictable names and can contain sensitive information, including Magento database passwords. An attacker can use this information to gain access to the installation and to customer information.
If you use Nginx or any web server other than Apache, make sure your server configuration properly restricts access to Magento's directories and files. Magento Security Best Practices includes information on configuring your server environment, and an example Nginx configuration file is available at https://gist.github.com/gwillem/cd5ae6845fa33aa0d481.
2. Unsecured Magmi Data Import Tool
Some Magento sites are running the Magmi data import tool without any protection from outside access. This tool can be abused to gain full access to a Magento installation, so it is critical that you act now: remove the tool from your production website, or restrict access to it by IP address or password.
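As an added example (not the advisory's own text or the configuration in the linked gist), the following Nginx server block shows the kind of access restrictions both issues call for: denying requests for Magento's internal directories, including the var/ directory where the cache files live, and limiting the Magmi tool to an allow-listed address plus a password. It assumes a Magento 1 directory layout and a Magmi install under /magmi/; the hostname, docroot, admin address, htpasswd file and PHP-FPM socket are placeholders to adapt.

```nginx
# Added hardening example for a Magento 1 docroot served by nginx.
# Nginx does not read the .htaccess files Magento ships for Apache,
# so these restrictions have to be written into the server block.
server {
    listen 80;
    server_name shop.example.com;           # placeholder hostname
    root /var/www/magento;                  # placeholder docroot
    index index.php;

    # Block dotfiles (.git, .htaccess, .svn) anywhere in the tree.
    location ~ /\. { deny all; }

    # Never serve Magento's internal directories. var/ holds the cache
    # files the advisory warns about; app/etc/ holds local.xml with the
    # database credentials. This regex location must appear before the
    # PHP handler below, because nginx takes the first matching regex.
    location ~* ^/(app|includes|lib|pkginfo|var|media/downloadable)/ {
        deny all;
    }

    # Magmi: restrict to an allow-listed address AND require a password.
    # "satisfy all" (the default) means both checks must pass.
    location ^~ /magmi/ {
        satisfy all;
        allow 203.0.113.10;                 # placeholder admin address
        deny  all;
        auth_basic           "Magmi import";
        auth_basic_user_file /etc/nginx/magmi.htpasswd;  # placeholder
        # ^~ stops the outer PHP regex from applying, so PHP is handled here.
        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php-fpm.sock;       # placeholder socket
        }
    }

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm.sock;           # placeholder socket
    }
}
```

After reloading nginx, confirm the block works by requesting a file under /var/ and /app/etc/ from outside and checking that both return 403 rather than content; removing the magmi/ directory entirely from production remains the stronger fix.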