Today I received a message from the French Magento community, Fragento: a bug was found this morning.
There is a security flaw in Magento Community Edition below version 1.3.3.0 and Enterprise Edition below version 1.6.
Through it, your customers' personal data is exposed: first name, last name, title, company, phone number, fax, address (street, postal code, city, region, country), and the creation and update dates of the customer record.
It really works (I have tested it too). Don't forget to apply the patch if you are affected.
How to reproduce it? It is really simple. Add a product to your cart, go to the first step of the checkout (where you can log in) and request:
http://www.yourwebsite.com/checkout/onepage/getAddress/address/55 (replace 55 with the id of the customer you want)
How to solve this?
The action loads whatever address id it is given and never checks that the address belongs to the logged-in customer, so the fix is to add that ownership check. Replace the function in app/code/core/Mage/Checkout/controllers/OnepageController.php with the version below (better: copy the file to app/code/local/Mage/Checkout/controllers/OnepageController.php and edit it there, so the change is not lost on the next Magento upgrade):
/**
 * Address JSON: returns one of the customer's saved addresses as JSON.
 * Only the owner of the address may read it (this check was missing).
 */
public function getAddressAction()
{
    if ($this->_expireAjax()) {
        return;
    }
    $addressId = $this->getRequest()->getParam('address', false);
    if ($addressId) {
        $address    = $this->getOnepage()->getAddress($addressId);
        $customerId = Mage::getSingleton('customer/session')->getCustomer()->getId();
        // A guest session has no customer id, so it can never match; compare as
        // integers because the address's customer_id comes back from the database as a string.
        if ($customerId && (int) $customerId === (int) $address->getCustomerId()) {
            $this->getResponse()->setHeader('Content-type', 'application/x-json');
            $this->getResponse()->setBody($address->toJson());
        } else {
            // Send a real 403 status, not a header named "HTTP/1.1".
            $this->getResponse()->setHttpResponseCode(403);
        }
    }
}
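Before the patch, the endpoint answered any address id, so a scan of it shows up in the web server log as one client requesting many different ids in a row. The following script is an added example, not part of the original post or of Magento: it runs over a few constructed Apache-style log lines (the IPs and ids are invented) and reports clients that fetched at least a threshold of distinct address ids, a cheap way to check whether a store was probed before the patch went in.

```php
<?php
// Added example (not from the original post): flag clients that requested many
// different /checkout/onepage/getAddress/address/<id> values, which is what a
// scan of the unpatched endpoint looks like in the access log.
// The log lines below are constructed; the format is the common Apache/nginx one.

$sampleLog = <<<'LOG'
203.0.113.7 - - [10/Dec/2010:10:01:02 +0100] "GET /checkout/onepage/getAddress/address/55 HTTP/1.1" 200 412
203.0.113.7 - - [10/Dec/2010:10:01:03 +0100] "GET /checkout/onepage/getAddress/address/56 HTTP/1.1" 200 398
203.0.113.7 - - [10/Dec/2010:10:01:03 +0100] "GET /checkout/onepage/getAddress/address/57 HTTP/1.1" 200 401
203.0.113.7 - - [10/Dec/2010:10:01:04 +0100] "GET /checkout/onepage/getAddress/address/58 HTTP/1.1" 200 377
198.51.100.2 - - [10/Dec/2010:10:05:11 +0100] "GET /checkout/onepage/getAddress/address/12 HTTP/1.1" 200 405
198.51.100.2 - - [10/Dec/2010:10:07:30 +0100] "GET /checkout/cart/ HTTP/1.1" 200 9876
LOG;

/**
 * Group getAddress requests by client IP and keep the clients that asked for
 * at least $threshold distinct address ids.
 *
 * @param string $log       raw access log text
 * @param int    $threshold distinct ids per client that count as suspicious
 * @return array            ip => array('ids' => int[], 'first' => string, 'last' => string)
 */
function findAddressEnumeration($log, $threshold = 3)
{
    // Captures: client IP, timestamp, numeric address id from the request line.
    $pattern = '#^(\S+) \S+ \S+ \[([^\]]+)\] "GET /checkout/onepage/getAddress/address/(\d+)[ /"?]#';
    $perClient = array();
    foreach (preg_split('/\r?\n/', trim($log)) as $line) {
        if (!preg_match($pattern, $line, $m)) {
            continue; // not a getAddress request, ignore it
        }
        list(, $ip, $time, $addressId) = $m;
        if (!isset($perClient[$ip])) {
            $perClient[$ip] = array('ids' => array(), 'first' => $time, 'last' => $time);
        }
        $perClient[$ip]['ids'][(int) $addressId] = true; // keyed so duplicates collapse
        $perClient[$ip]['last'] = $time;
    }
    $suspicious = array();
    foreach ($perClient as $ip => $info) {
        if (count($info['ids']) >= $threshold) {
            $info['ids'] = array_keys($info['ids']);
            $suspicious[$ip] = $info;
        }
    }
    return $suspicious;
}

foreach (findAddressEnumeration($sampleLog) as $ip => $info) {
    printf("%s requested %d distinct address ids (%s) between %s and %s\n",
        $ip, count($info['ids']), implode(',', $info['ids']), $info['first'], $info['last']);
}
```

On the constructed input only 203.0.113.7 is reported (four ids in three seconds); 198.51.100.2 fetched a single address, which is what a normal checkout looks like. Run it against the real log for the period before the patch and treat every reported client as a possible data exposure to follow up on.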
More documentation, nothing technical to manage, and still Magento!
How many clients come to me with an e-commerce project and a « small budget » that does not allow an e-commerce website on Magento. They then usually fall back on a freelancer who will do the minimum for cheap, i.e. install a Magento template and take 2000€, with a poor return on investment.
If you understand English, watch this little video:
That's all over now!
Now, with a budget of 600$, you can have an e-commerce site on Magento, configured with all the payment and delivery methods that suit you and your clients, and you still keep 300$ for your marketing campaign budget (not to be overlooked). On top of that, you will not have to worry about security, nor about slowness on your site. Basically it's the perfect solution for budgets under 15 000$ (which would buy you a much more custom store), for 15$/month. At this price, the Magento freelancers and small agencies that just do the minimum for their clients (installation and configuration of Magento) have to worry about their business!
So here we are, my friends: I present to you Magento Go, the SaaS Magento solution. Basically it's a shop that you rent and that is hosted directly by Magento.
The benefits
Price: the price is a strong argument for many customers, 15$ (11€) per month for the first offer. Even though I could build my own e-commerce store, I think that if I ran a business (and I will) I would use this platform first (and by first I mean the first years, until I have an interest in spending a lot of time and money to make my own Magento website).
Security: your store is hosted by Magento directly; many people ensure the security of your shop and you will not be hacked, because everything has been studied by Magento experts (from Magento Enterprise themselves) and leading e-commerce experts.
More payment methods for your customers: Magento Go already includes a number of payment methods that you might not get with such a small budget. It's really a plus for your customers to use the payment method they prefer and to be comfortable during the purchase process.
Delivery methods: as with payment methods, Magento's e-commerce specialists have integrated many delivery methods that let the customer feel secure when paying and comfortable in your store.
Availability and speed of your site: sincerely, a shop made by Magento and hosted by Magento themselves... you can imagine, it will run « like the fire of God », as they say, and it will be optimized for the highest possible performance.
Ease of use: with Magento Go you are guided not only by a help menu at the top of your interface (the menu is very well done and very convenient to use), but you also have access to a PDF book and a knowledge base with hundreds of tutorials explaining step by step every operation you can do in your shop.
Number of features: the amount of functionality is the same as in Magento, i.e. huge. You have all the main features of a professional e-commerce store (cross-selling, up-selling, inventory, shipments, invoices, orders, customers, simple products, configurable products, downloadable products).
Customizing your store: 6 graphical themes are offered by default. They are more than adequate to start a business on the net and let you offer your customers a pleasant interface and a customer account where they can see their orders, subscribe to your newsletter, etc. If you really want to customize your shop further, you can edit the CSS thanks to the extensive editor that is provided, but you will only use this if you are at least a bit of a geek xD
The drawbacks
Uh... a few sentences are sometimes poorly translated, and you have to pay, which is still normal since you are opening an online store (an online store, but still a store; see the previous article, in French: why an e-commerce site is expensive).
A one-month free trial? Seriously?
On top of that, so that you can try the solution, Magento offers a 30-day free trial with no strings attached (yes, no joke, we are not at SFR ^^). If you later want to keep using your online Magento shop, you just have to register and pay a subscription, which will cost the equivalent of two sandwiches a month.
I think that for a quick ROI (return on investment), at 17-30 $/month in the first months of an e-commerce store, it's not a bad strategy. Basically you make one sale and you have paid your online store for the entire month (or you skip two sandwiches and it's fine!).
I can already hear « Where can I sign up? », « Me too? », « Yeahhhhh, me too! », « I want to try it, but where do I go? »
First, start by watching this introduction video; it is pretty and relaxing:
Right now it's « LeWeb », certainly one of the biggest web events of the year. You'll find some « slightly famous » speakers such as Karl Lagerfeld, Sean Parker, Eric Schmidt (Google), Axel Dauchez (Deezer)...
This tutorial is the 15th of many. If you have not read the first articles yet, I strongly advise you to do so.
As you know, websites are often translated into several languages. Our plugin has not been translated into any other language yet, so it is now time to get started. In Magento, you will find the translations in the folder /app/locale/, where each subfolder is named after a locale code. For example, the French translations are in /app/locale/fr_FR and the German ones in /app/locale/de_DE.
The file format is CSV and its structure is as follows (one "source string","translation" pair per line, in straight double quotes):
"String to translate","la chaine traduite"
<?php echo $this->__('String to translate'); ?>
//result: la chaine traduite
Magento looks up the translation of your string in your CSV file: if the store is in French, it searches /app/locale/fr_FR/Pfay_Test.csv, finds the string « String to translate » and returns « la chaine traduite ».
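To show what that lookup actually does, here is an added example that is not the post's own code: a tiny stand-in for Magento's translator, working on CSV text constructed inline. The function names loadTranslations and translate are mine; the behaviour they imitate (exact-match lookup, sprintf-style arguments, the string returned unchanged when no translation exists) is what Magento's __() does with the CSV file declared for the module.

```php
<?php
// Added example (not the tutorial's own code): a minimal stand-in for Magento's
// CSV translation lookup, so you can see what $this->__() does with the file.
//
// In a real module the file lives in app/locale/fr_FR/Pfay_Test.csv and is
// declared in etc/config.xml so that Magento loads it for the frontend:
//
//   <frontend>
//       <translate>
//           <modules>
//               <Pfay_Test>
//                   <files><default>Pfay_Test.csv</default></files>
//               </Pfay_Test>
//           </modules>
//       </translate>
//   </frontend>

// Constructed file content. The doubled quotes in the third line are how CSV
// escapes a literal quote inside a value.
$csvContent = <<<'CSV'
"String to translate","la chaine traduite"
"Hello %s, you have %d items in your cart","Bonjour %s, vous avez %d articles dans votre panier"
"Click ""here""","Cliquez ""ici"""
CSV;

/**
 * Parse translation CSV into a source => translation map.
 * Lines with fewer than two columns are skipped, as Magento skips them.
 */
function loadTranslations($csv)
{
    $map = array();
    foreach (explode("\n", $csv) as $line) {
        $row = str_getcsv($line);
        if (count($row) < 2 || $row[0] === '') {
            continue;
        }
        $map[$row[0]] = $row[1];
    }
    return $map;
}

/**
 * Imitates __(): first argument is the source string, the remaining arguments
 * are sprintf() arguments. An unknown string comes back unchanged, which is
 * why untranslated text shows up in English rather than as an error.
 */
function translate(array $map, $text)
{
    $args     = array_slice(func_get_args(), 2);
    $template = isset($map[$text]) ? $map[$text] : $text;
    return $args ? vsprintf($template, $args) : $template;
}

$fr = loadTranslations($csvContent);
echo translate($fr, 'String to translate'), "\n";
echo translate($fr, 'Hello %s, you have %d items in your cart', 'Marie', 3), "\n";
echo translate($fr, 'Click "here"'), "\n";
echo translate($fr, 'Not in the file'), "\n";
```

Two things worth remembering from this: the match is exact (a changed space or capital in the template means a missed translation), and __() returns the CSV value verbatim without any HTML escaping, so a translation file carries the same trust as template code and should only come from people allowed to edit templates.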
This tutorial is the 13th of many. If you have not read the first articles yet, I strongly advise you to do so.
Today I will teach you how to use the automatic update of your plugin via the installer. As you now know, the etc/config.xml of your plugin contains a version number. When Magento is called, it checks that version number and detects whether your plugin is up to date: it compares the version stored in the core_resource table for your plugin with the version of your current plugin, and if they do not match, it launches the installer.
The installers of your plugin live in /sql/test_setup/. The first one is the « install » script and is called mysql4-install-0.1.0.php.
The others are « upgrade » scripts, named mysql4-upgrade-<old version>-<new version>.php. For example:
The first upgrade, from version 0.1.0 to version 0.1.1, is called:
mysql4-upgrade-0.1.0-0.1.1.php
The next one will be:
mysql4-upgrade-0.1.1-0.1.2.php
And so on.
Declare your setup folder
Start by creating a folder /sql/test_setup at the root of your plugin folder. Then, in your /etc/config.xml, inside <global><resources>, add the setup declaration:
As you can see, you can do whatever you want in your install script, as long as it starts with $this->startSetup(); and ends with $this->endSetup();
We will not explain the addAttribute function in this tutorial ;)
The upgrade file has the same shape:
<?php
$this->startSetup();
// here you can put whatever you want
$this->endSetup();
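Bringing the steps together, the following is an added example and not the tutorial's own install script (which used addAttribute): the resources declaration for config.xml, a mysql4-install-0.1.0.php that creates a table, and the mysql4-upgrade-0.1.0-0.1.1.php that alters it. The module name Pfay_Test and the setup name test_setup come from the tutorial; the table and column names are invented for the illustration.

```php
<?php
// Added example (not the tutorial's own scripts): a complete version-driven
// setup for the module Pfay_Test with the setup resource "test_setup".
// Table and column names below are invented for the illustration.
//
// 1) etc/config.xml, inside <global><resources>: which folder under sql/ is
//    ours and which setup class runs the scripts in it.
//
//    <test_setup>
//        <setup>
//            <module>Pfay_Test</module>
//            <class>Mage_Core_Model_Resource_Setup</class>
//        </setup>
//        <connection>
//            <use>core_setup</use>
//        </connection>
//    </test_setup>
//
//    The <version> under <modules><Pfay_Test> (0.1.1 after the upgrade below)
//    is what Magento compares with the row for test_setup in core_resource.
//
// 2) sql/test_setup/mysql4-install-0.1.0.php : runs when core_resource has no
//    row for test_setup yet.

/** @var $installer Mage_Core_Model_Resource_Setup */
$installer = $this;
$installer->startSetup();

// getTable() applies the table prefix configured in local.xml, so the name is
// never hard-coded into the SQL.
$table = $installer->getTable('pfay_test_message');
$installer->run("
    CREATE TABLE IF NOT EXISTS `{$table}` (
        `message_id`  int(10) unsigned NOT NULL AUTO_INCREMENT,
        `customer_id` int(10) unsigned DEFAULT NULL,
        `text`        text NOT NULL,
        `created_at`  datetime NOT NULL,
        PRIMARY KEY (`message_id`),
        KEY `IDX_PFAY_TEST_MESSAGE_CUSTOMER` (`customer_id`)
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
");

$installer->endSetup();

// 3) sql/test_setup/mysql4-upgrade-0.1.0-0.1.1.php : runs once, when the
//    stored version for test_setup is 0.1.0 and config.xml now says 0.1.1.
//    (Separate file in practice; shown here after the install for reading.)

$installer = $this;
$installer->startSetup();

$table = $installer->getTable('pfay_test_message');
// describeTable() returns the existing columns keyed by name; guarding on it
// makes the upgrade safe to run a second time if the first run was interrupted.
$columns = $installer->getConnection()->describeTable($table);
if (!isset($columns['is_read'])) {
    $installer->run("
        ALTER TABLE `{$table}`
            ADD COLUMN `is_read` tinyint(1) unsigned NOT NULL DEFAULT 0;
    ");
}

$installer->endSetup();
```

Magento advances the version stored in core_resource only after a script has run through; a script that throws halfway is attempted again on the next request, so writing each upgrade so that it can run twice without harm (the IF NOT EXISTS and the column check above) saves you from a store stuck on an error page.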
Here we are! It's the end of this tutorial. I hope it will help some of you, and I invite you to ask questions, give it a « +1 », like it on Facebook, or leave messages in the comments. Did you save time with this tutorial? Take 2 minutes to help me and link to this article on your blog, Facebook, Twitter or Google+. It's not much for you, but for me it's huge! Thank you very much for following me and helping me, I love it.