| Scan Time | 2025-10-16 20:46:35 |
|---|---|
| Path Audited | /home/son/sites/magento |
| Rules Checked | Total: 81, Passed: 38, Failed: 28, Unknown: 15 |
| Findings Overview | Critical: 2, High: 15, Medium: 9, Low: 2, Total: 28 |
| Score (Rules Passed %) | 38 / 81 (46.9%) |
| ID | Severity | Status | Title | Details |
|---|---|---|---|---|
| MB-R001 | high | FAIL | No chmod 777 (no world-writable files/dirs) | World-writable files or directories detected. Remove 777 and tighten permissions. |
| MB-R002 | high | FAIL | env.php permissions <= 0640 | app/etc/env.php permissions are too permissive. Set to 0640 (owner read/write, group read). |
| MB-R003 | high | PASS | Webroot hygiene (no .git/.env/backups in pub/) | Webroot is clean: no sensitive or backup artifacts exposed under pub/. |
| MB-R004 | high | PASS | Code directories not group/other-writable | Code directories (app, vendor, lib) are not group/other-writable. |
| MB-R005 | medium | PASS | Directory listing disabled | Directory listing is disabled for public paths. |
| MB-R006 | high | FAIL | Non-default admin path (not /admin) | Admin path is still '/admin'. Change env.php backend.frontName to a non-guessable value and update web server rules. |
| MB-R007 | critical | FAIL | Admin 2FA module enabled | Two-Factor Authentication is disabled or missing. Enable Magento_TwoFactorAuth and enforce 2FA for all admin users. |
| MB-R008 | high | FAIL | Strong password policy enforced | Admin password/security policy is not configured. Define complexity, history, lockout, and rotation settings under admin/security. |
| MB-R009 | medium | FAIL | Admin session timeout <= 900s | Admin session lifetime exceeds 900 seconds. Reduce session.lifetime to ≤ 900 for better security. |
| MB-R010 | medium | FAIL | Admin URL exposure restricted | Admin URL is exposed (default path and no network ACLs). Change backend.frontName and/or restrict access via web server allow/deny. |
| MB-R011 | medium | FAIL | Login rate-limiting / CAPTCHA enabled | CAPTCHA / rate-limiting is not configured. Enable admin CAPTCHA (or reCAPTCHA) to slow brute-force attempts. |
| MB-R012 | high | PASS | No raw SQL without abstraction | No unsafe raw SQL statements detected; database queries use abstraction layers. |
| MB-R013 | medium | PASS | Template output is escaped | Template output uses proper escaping functions. |
| MB-R014 | medium | PASS | Avoid PHP superglobals directly | No direct access to PHP superglobals detected. |
| MB-R015 | high | PASS | Forms include CSRF tokens (form_key) | Forms include CSRF protection via form_key. |
| MB-R016 | medium | PASS | SSRF protections present | Outbound HTTP requests include SSRF protections (allowlists and timeouts). |
| MB-R017 | high | FAIL | No unsafe deserialization | Unsafe unserialize() calls detected. Replace with JSON or Magento Serializer classes. |
| MB-R018 | high | FAIL | Command execution functions are not used | exec(), shell_exec(), or system() calls found. Avoid OS command execution. |
| MB-R019 | high | FAIL | No eval/assert/dynamic execution | Use of eval/assert/create_function detected. Remove or refactor these functions. |
| MB-R020 | medium | PASS | Path traversal protections (sanitization present) | Path sanitization functions (realpath/basename) are present. |
| MB-R021 | medium | PASS | Secure file upload handling | No unsafe file upload flows detected (user file is validated or uploads not used). |
| MB-R022 | low | PASS | Escaping for JS context | No unescaped dynamic PHP output detected in JavaScript context. |
| MB-R023 | high | PASS | Use CSPRNG; avoid weak PRNG | No weak PRNG detected near security-sensitive code (or no such code present). |
| MB-R024 | high | PASS | Sensitive data not logged | No sensitive data (passwords, tokens, card details) logged in code. |
| MB-R025 | medium | PASS | Use Magento APIs for crypto & session | Magento's built-in APIs are used for encryption and session management. |
| MB-R026 | high | FAIL | Force HTTPS in admin and storefront | HTTPS is not enforced in admin or storefront. Enable secure URLs in env.php. |
| MB-R027 | medium | FAIL | HSTS header is set | HSTS header is missing. Add Strict-Transport-Security to enforce HTTPS on clients. |
| MB-R028 | high | PASS | TLS protocols >= 1.2 | TLS is configured to use version 1.2 or higher. |
| MB-R029 | medium | PASS | No mixed content (http://) in templates/assets | No insecure http:// references detected in templates or assets. |
| MB-R030 | high | FAIL | Secure cookies: Secure + HttpOnly enabled | Cookies lack Secure or HttpOnly flags. Enable them to protect against theft and XSS. |
| MB-R031 | high | FAIL | Magento runs in PRODUCTION mode | Magento is not in PRODUCTION mode. Set MAGE_MODE to 'production' in env.php and redeploy. |
| MB-R032 | medium | PASS | Xdebug disabled in production | Xdebug is not enabled in the production PHP configuration. |
| MB-R033 | medium | PASS | display_errors is Off | PHP display_errors is Off. No error traces visible. |
| MB-R034 | low | PASS | Compiled DI generated (metadata & code) | Generated DI metadata and code are present. |
| MB-R035 | low | PASS | Static content deployed | Static view files are deployed (pub/static and var/view_preprocessed exist). |
| MB-R036 | medium | PASS | No dev debug configs on production (template hints off) | Developer template hints are disabled in production. |
| MB-R037 | high | FAIL | Full Page Cache (FPC) enabled | Full Page Cache is disabled or not using Varnish. Enable FPC for performance. |
| MB-R038 | medium | FAIL | Cache backend is Redis/Varnish (not file) | Cache backend is still using file-based storage. Switch to Redis or Varnish. |
| MB-R039 | medium | PASS | Indexers are READY (no backlog) | All indexers are in READY state with no backlog. |
| MB-R040 | high | FAIL | Session storage hardened (Redis with auth) | Session storage is not hardened. Use Redis with a password for secure sessions. |
| MB-R041 | low | FAIL | No dev cache backends (avoid file backend) | File cache backend detected. Replace with Redis or Varnish for production. |
| MB-R042 | high | PASS | Logs and reports not exposed under pub/ | Log and report directories are not exposed under pub/. |
| MB-R043 | medium | PASS | Log rotation configured | Log rotation is configured (rotate and compress directives present). |
| MB-R044 | medium | PASS | Debug template hints disabled in production | Debug template hints are disabled in production. |
| MB-R045 | high | PASS | PII not logged in application logs | No PII such as passwords, tokens, or card data is logged. |
| MB-R046 | medium | FAIL | Crontab entries present (Magento cron) | No Magento cron entry found in repo or docs. Ensure 'bin/magento cron:run' runs every minute via crontab or scheduler. |
| MB-R047 | high | FAIL | Cron heartbeat is recent (<= 900s) | Cron has not run in the last 15 minutes. Investigate cron service and schedule. |
| MB-R048 | medium | PASS | Cron backlog below threshold | Cron queue size is within acceptable limits. |
| MB-R049 | critical | UNKNOWN | No vulnerable packages (CVE via OSV) | [UNKNOWN] CVE file not found (requires --cve-data package) |
| MB-R050 | critical | PASS | Adobe core module advisories resolved | No unresolved Adobe core advisories detected. |
| MB-R051 | medium | UNKNOWN | Suggest fixed versions for vulnerable packages | [UNKNOWN] CVE bundle not found/openable; tried: (no candidates) |
| MB-R052 | medium | PASS | High-risk modules flagged | No high-risk modules from the list are installed, or they are acknowledged and controlled. |
| MB-R053 | low | PASS | Temporary mitigations documented | Mitigations/workarounds are documented in SECURITY.md. |
| MB-R054 | critical | PASS | Known-exploited packages prioritized (CISA KEV) | No packages match the CISA Known Exploited Vulnerabilities list. |
| MB-R055 | high | UNKNOWN | Transitive dependencies checked for CVEs | [UNKNOWN] CVE file not found (requires --cve-data package) |
| MB-R056 | medium | UNKNOWN | No constraints blocking security updates | [UNKNOWN] CVE bundle not found/openable; tried: (no candidates) |
| MB-R057 | high | UNKNOWN | No yanked/withdrawn packages | [UNKNOWN] Yanked metadata not found; tried: DATA/packagist-yanked.json \| rules/packagist-yanked.json |
| MB-R058 | medium | UNKNOWN | No outdated Marketplace extensions | [UNKNOWN] Release metadata not found; bundle root unresolved; tried: (no candidates) |
| MB-R059 | low | UNKNOWN | Advisories handled in a timely manner | [UNKNOWN] Bundle not found/openable; tried: (no candidates) |
| MB-R060 | medium | UNKNOWN | No extensions without vendor support | [UNKNOWN] Vendor-support metadata not found; bundle root unresolved; tried: (no candidates) |
| MB-R061 | high | UNKNOWN | No packages marked 'abandoned' on Packagist | [UNKNOWN] Abandoned metadata not found; bundle root unresolved; tried: (no candidates) |
| MB-R062 | medium | UNKNOWN | No packages without release in > 24 months | [UNKNOWN] Release-history metadata not found |
| MB-R063 | medium | UNKNOWN | No packages from archived repositories | [UNKNOWN] Repo-status metadata not found |
| MB-R064 | medium | UNKNOWN | No risky forks replacing upstream libs | [UNKNOWN] Repo-status metadata not found |
| MB-R065 | medium | PASS | No wildcard constraints in composer.json | No wildcard or 'dev-master' constraints found in composer.json. |
| MB-R066 | medium | PASS | No dev branches in composer.json | No dev branch constraints (dev-*) are used. |
| MB-R067 | low | FAIL | prefer-stable=true in composer.json | prefer-stable is not enabled. Set config.prefer-stable=true to favor stable releases. |
| MB-R068 | critical | UNKNOWN | Composer audit clean (no known vulns) | [UNKNOWN] CVE file not found (requires --cve-data package) |
| MB-R069 | medium | UNKNOWN | Direct dependencies up-to-date | [UNKNOWN] Release metadata not found; bundle root unresolved; tried: /home/son/sites/magento/rules/release-history.json |
| MB-R070 | high | PASS | composer.lock integrity with composer.json | composer.lock is in sync with composer.json. |
| MB-R071 | medium | UNKNOWN | No abandoned libraries allowed | [UNKNOWN] Abandoned metadata not found; bundle root unresolved; tried: (no candidates) |
| MB-R072 | critical | FAIL | No secrets in VCS (working tree or git history) | Secrets detected in files or Git history. Remove, rotate keys, and purge history with a secure rewrite. |
| MB-R073 | high | FAIL | HTTPS-only endpoints configured | Insecure http:// endpoint references found. Switch to HTTPS. |
| MB-R074 | medium | FAIL | Debug/verbose off for third-party integrations | Third-party debug/verbose logging is enabled. Disable debug_logging in env.php. |
| MB-R075 | high | FAIL | Webhook signature validation present | Webhook signature validation not detected. Verify MAC using shared secret headers. |
| MB-R076 | medium | FAIL | Outbound connections restricted by allow-list | No allowlist or timeouts for outbound requests. Add domain allowlists and cURL timeouts. |
| MB-R077 | high | PASS | PII minimization for third-party flows | No direct handling of sensitive PII (e.g., full card, CVV, SSN, passport). |
| MB-R078 | medium | FAIL | Strong TLS ciphers on upstream gateways | Weak or unspecified TLS ciphers. Configure strong cipher suites on the web server. |
| MB-R079 | high | PASS | API keys stored in env.php (not in DB/plain code) | API credentials are stored in env.php, not embedded in code or the DB. |
| MB-R080 | medium | PASS | Third-party logging sanitized (mask/redact) | Third-party logs apply masking/redaction for sensitive fields. |
| MB-R081 | low | PASS | SaaS integrations scoped by ACL (least privilege/IP allowlist) | Integration docs mention least-privilege scopes and optional IP allowlisting. |
--cve-data=<bundle.zip> to enable this section.

This report was generated using Magebean CLI, based on the Magebean Security Baseline v1. Findings are provided for informational and audit purposes only.