Envision Ecommerce, Top B2B Companies on Clutch

At a time when ecommerce is accelerating faster than ever, Envision Ecommerce knows exactly what clients and their companies need to succeed in the online landscape. Through our honed Magento e-commerce development skills and marketing experience, the team at Envision is an ideal partner for clients looking to ramp up their digital presence.

Envision Ecommerce, founded by Vikrant Shukla in 2015, has been serving clients from all across the globe with Magento-based products and services. Earlier this year, the company merged its operations under Netsmartz, one of India’s leading IT solutions providers.

Congratulating the team on this remarkable feat, Manipal Dhariwal, Chairman and CEO of Netsmartz, said: “We stand at the forefront of a tremendous market opportunity, as we are at the dawn of the next Magento Revolution. Combining the full range of Netsmartz services, we are now expanding ecommerce solutions and its capabilities, offering an ever-broadening comprehensive portfolio to our customers.”

We are excited to announce that others are taking notice of our work: B2B research firm Clutch has named us one of the top e-commerce developers in India. Clutch’s sister website, the Manifest, has also published new research highlighting Envision Ecommerce as one of the Top 25 Magento Development Companies in 2018.

The Manifest and Clutch, both business insight firms based in Washington, D.C., evaluate thousands of companies on market presence, previous experience, and client feedback. Being named a leading company in their research strengthens our reputation as a technology partner.

We’d like to acknowledge our clients for their reviews of us on our Clutch profile. Our team thrives on helping our clients and their businesses further build and maintain their e-commerce capabilities, so hearing directly from some of our previous customers about the impact that our products and team members have had definitely serves as a great source of pride for us.

“After several rounds of intense scrutiny and questioning to ensure their suitability, Envision Ecommerce managed to consistently exceed our expectations and fit our needs perfectly.”

“Envision came and saved me,” summarized a second client. “I’d been reluctant to work with an Indian company because the output quality is usually not very good, but with Envision, it was different: they have a Westernized approach, Magento professionals, and a good communication system in place.”

Thank you to The Manifest, Clutch, and our clients for their support and recognition of Envision Ecommerce as a premier presence within the e-commerce development industry. We take great pride and satisfaction in knowing that we have served our clients, their businesses, and the greater community as well. Envision Ecommerce has also been named a top Magento company on DesignRush. We welcome you to reach out to us if you are interested in hearing more about our projects or experience, and we look forward to new collaborations soon!

Magento USPS First Class Mail Parcel Service Name Change

USPS’ First-Class shipping service is commonly used by Magento merchants around the globe for shipping lightweight packages. USPS previously named this service “First-Class Mail Parcel”, but recently renamed it “First-Class Package Service – Retail.”

After this change, Magento 1.x and 2.x merchants no longer see the First-Class option in the shipping methods area of checkout, because the service name stored in Magento no longer matches the name returned by the USPS API. Affected are all versions of Magento Commerce 1.x and Magento Open Source 1.x, and Magento Open Source and Magento Commerce 2.x releases prior to 2.1.9 and 2.0.16.

To resolve this, Magento offers different solutions for Magento 1.x and 2.x merchants:

Solutions for Magento 1.x eCommerce Merchants:

1. Temporary Workaround:

Magento 1.x users need to change this service name in the Usps.php file. Rather than editing the core file in place, copy it to the local code pool (app/code/local/Mage/Usa/Model/Shipping/Carrier/Usps.php) and edit the copy: Magento loads the local copy in preference to the core one, the change survives upgrades, and it can be removed cleanly by deleting the copy before the official patch is applied. The steps are:

a. Follow this path and navigate to Usps.php file:

app/code/core/Mage/Usa/Model/Shipping/Carrier/Usps.php

b. Find every occurrence of the string “First-Class Mail Parcel” in the file.

c. Replace each occurrence with “First-Class Package Service – Retail.” (The replacement must match the service name returned by the USPS API exactly, including the dash character.)

d. Make sure to save these changes to Usps.php.

e. Now clear the Magento Cache.

2. SUPEE-10336 Patch

If you would rather not implement this temporary workaround, you can install the SUPEE-10336 patch, which Magento recently released for this fix. To download it, log in to your Magento account and get it from the Magento Open Source download page. If you have already implemented the workaround above and now want to install SUPEE-10336, revert the workaround first.

Solutions for Magento 2.x eCommerce Merchants:

1. Temporary Workaround:

Magento 2.x users need to change the service name in Carrier.php. Note that files under vendor/ are overwritten whenever Composer updates the module, so treat this strictly as a stop-gap (or manage it with a Composer patching plugin) until you upgrade. The steps are:

a. Follow this path and navigate to Carrier.php file:

vendor/magento/module-usps/Model/Carrier.php

b. Find every occurrence of the string “First-Class Mail Parcel” in the file.

c. Replace each occurrence with “First-Class Package Service – Retail.” (Again, the replacement must match the name returned by the USPS API exactly, including the dash character.)

d. Make sure to save these changes to Carrier.php.

e. Now clear the Magento Cache.
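As an added example (not Magento’s code, and not part of the original post), the following Python script performs the find-and-replace described in both workarounds above, for the Magento 1 Usps.php (or its local-code-pool copy) or the Magento 2 Carrier.php, in a way that is easy to revert before the official patch or release is applied: it refuses to touch a file that does not contain the old name (wrong file, already edited, or a release that already carries the fix), writes a .bak copy first, and reports how many occurrences it changed. The .bak naming, the demo() helper and its constructed stand-in file are assumptions of this example; the en dash in the new name is taken from the text above and should be checked against what the USPS API actually returns.

```python
import tempfile
from pathlib import Path
import shutil

OLD_NAME = "First-Class Mail Parcel"
# En dash, as quoted on this page; verify it against the USPS API response.
NEW_NAME = "First-Class Package Service \u2013 Retail"


def replace_service_name(path, old=OLD_NAME, new=NEW_NAME, backup=True):
    """Replace every occurrence of `old` with `new` in the file at `path`.

    Returns the number of occurrences replaced. If `old` is absent the file
    is left untouched and 0 is returned. With backup=True a `<file>.bak`
    copy is written first so the edit can be reverted cleanly before the
    official patch or release is applied.
    """
    p = Path(path)
    text = p.read_text(encoding="utf-8")
    count = text.count(old)
    if count == 0:
        return 0
    if backup:
        shutil.copy2(p, p.with_name(p.name + ".bak"))
    p.write_text(text.replace(old, new), encoding="utf-8")
    return count


def revert_service_name(path):
    """Restore the .bak copy written by replace_service_name().
    Returns True if a backup existed and was put back in place."""
    p = Path(path)
    bak = p.with_name(p.name + ".bak")
    if not bak.exists():
        return False
    bak.replace(p)  # atomic rename over the edited file
    return True


def demo():
    """Run the edit, a second (no-op) run and the revert against a
    constructed stand-in for Usps.php; this is NOT real Magento source."""
    sample = (
        "<?php\n"
        "// constructed sample file, not Magento code\n"
        "$label = 'First-Class Mail Parcel';\n"
        "$methods = array('First-Class Mail Parcel' => 'first_class');\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "Usps.php"
        target.write_text(sample, encoding="utf-8")
        replaced = replace_service_name(target)
        after = target.read_text(encoding="utf-8")
        second_run = replace_service_name(target)  # nothing left to change
        reverted = revert_service_name(target)
        restored = target.read_text(encoding="utf-8") == sample
    return {
        "replaced": replaced,
        "new_name_present": NEW_NAME in after and OLD_NAME not in after,
        "second_run": second_run,
        "reverted": reverted,
        "restored": restored,
    }


if __name__ == "__main__":
    print(demo())
```

Run it against the real file with replace_service_name("app/code/local/Mage/Usa/Model/Shipping/Carrier/Usps.php") (Magento 1) or replace_service_name("vendor/magento/module-usps/Model/Carrier.php") (Magento 2), clear the cache, and keep the .bak until you have applied the official fix; revert_service_name() on the same path undoes the edit.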

2. Magento 2.1.9 and 2.0.16 Releases

In addition to this temporary workaround, Magento 2.x merchants can upgrade to Magento 2.1.9 or 2.0.16 (just released yesterday by Magento – https://magento.com/security/patches/magento-2016-and-219-security-update). If you have already implemented the workaround, revert it first before applying these releases.

Our Verdict

These solutions bring the USPS First-Class options back into the checkout shipping methods. If you are one of these merchants and have difficulty implementing them (the workarounds, the SUPEE-10336 patch, or the Magento 2.1.9 / 2.0.16 releases) on your Magento store, contact us today. Our certified Magento developers will implement them in no time!

SUPEE-9767 V2 – A New Version of SUPEE-9767 is Out for Magento 1!

Yesterday, Magento released SUPEE-9767 V2, which fixes several security and functional issues reported in the initial patch, SUPEE-9767. SUPEE-9767 V2 is an updated version of the original SUPEE-9767 (explained in our previous blog post on SUPEE-9767, dated June 1st).

So if you have already applied the first version of this patch, you should revert it and then apply the second version. If you are still planning to install SUPEE-9767, stop: it has known issues, and you should apply the second version instead.

Issues with SUPEE-9767 V1 That Are Now Fixed

• The strip_tags functionality in the checkout JavaScript was missing from the initial patch – now fixed in SUPEE-9767 V2.

• Customer registration failed during standard checkout when form key validation was enabled – now fixed.

• Issue with the option to disable symlinks – now fixed (the Allow Symlinks option is now disabled on install or upgrade, and Magento shows an Allow Symlinks warning in the Admin messages section when needed).

• Background transparency of uploaded images was lost – now fixed.

• Issue with multiple-address checkout when checkout form validation was enabled – now fixed.

SUPEE-9767 V2 Secures Your Magento 1 Store Against:

• Remote Code Execution

• Information Leaks

• Cross-site Scripting

Installation Process:

• Revert SUPEE-9767 V1 if you have already applied it.

• Just Deploy SUPEE-9767 V2 if V1 hasn’t already been applied.

Where to Download:

It is best to download SUPEE-9767 V2 from the Magento Tech Resources download section (https://magento.com/tech-resources/download#download2034); you can also get help from our Magento Certified Developers.

If you need a helping hand with this security patch update, or have any queries, our Magento Certified Solution Specialist and Certified Developers are here for you! They have successfully installed such Magento security patches on over 80 stores and are experienced in keeping your store secure. Feel free to contact us at [email protected] or connect with our Magento services to do it fast and safely for you.

Upgrade to 1.9.3.3 or Apply SUPEE-8167 – Latest PayPal IPN Upgrade Notification for Magento Merchants

If you’re a Magento merchant who has been using PayPal IPN (Instant Payment Notification) service, you have possibly received an email alerting you to upgrade to 1.9.3.3 or Apply SUPEE-8167 in order to avoid this service disruption.

The deadline for this upgrade is the end of June, i.e. June 30, 2017. From that date, the PayPal IPN service will no longer allow merchants to use HTTP when posting messages back to PayPal for verification; only HTTPS will be accepted for such postbacks.

If you have not made the necessary changes yet, we urge you to take one of the following actions before the cut-off starts affecting your Magento store:

• Upgrade to Enterprise Edition 1.14.3.3 or apply the SUPEE-8167 patch
• Upgrade to Community Edition 1.9.3.3 or apply the SUPEE-8167 patch
• Upgrade to Magento 2.0.15 when it becomes available (expected later in June)

Note: If you’re running Magento 2.1.x, there is no need of any update as all Magento 2.1.x versions already comply with this change.

Full technical details can be found at https://www.paypal-knowledge.com/infocenter/index?page=content&widgetview=true&id=FAQ1916&viewlocale=en_US. The Community Edition download page (https://magento.com/tech-resources/download) also carries the patch.
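To make the change concrete, here is an added example of the IPN verification exchange in Python (it is not Magento’s or PayPal’s code and not part of the original post). The listener receives PayPal’s POST, posts the body back unchanged with cmd=_notify-validate prepended, and acts only on a VERIFIED reply; the transport is injected so the exchange can be run offline against a constructed stand-in for PayPal, and any non-HTTPS postback URL is refused up front, which is the property the June 30 cut-off enforces. The endpoint constants are PayPal’s live and sandbox IPN verification hosts; the fake_paypal() stand-in, the sample payload and the run_demo() helper are constructed for this example.

```python
from typing import Callable
from urllib.parse import urlsplit
import urllib.request

# PayPal's IPN verification endpoints (live and sandbox); both are HTTPS only.
IPN_VERIFY_URL = "https://ipnpb.paypal.com/cgi-bin/webscr"
IPN_VERIFY_URL_SANDBOX = "https://ipnpb.sandbox.paypal.com/cgi-bin/webscr"
PREFIX = b"cmd=_notify-validate&"


def postback_url_ok(url: str) -> bool:
    """Only an HTTPS postback can be trusted: over plain HTTP anyone on the
    path could answer VERIFIED, so the reply would prove nothing."""
    return urlsplit(url).scheme == "https"


def build_postback(raw_body: bytes) -> bytes:
    """The verification body is the original POST body, byte for byte
    unchanged, with cmd=_notify-validate prepended."""
    return PREFIX + raw_body


def verify_ipn(raw_body: bytes, post: Callable[[str, bytes], bytes],
               url: str = IPN_VERIFY_URL) -> bool:
    """Return True for VERIFIED, False for INVALID; `post(url, body)` performs
    the HTTP POST and returns the response body."""
    if not postback_url_ok(url):
        raise ValueError("IPN postback must use HTTPS: %r" % url)
    reply = post(url, build_postback(raw_body)).strip()
    if reply == b"VERIFIED":
        return True
    if reply == b"INVALID":
        return False
    raise RuntimeError("unexpected reply from PayPal: %r" % reply)


def https_post(url: str, body: bytes) -> bytes:
    """Real transport for production use (standard library only)."""
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "User-Agent": "ipn-verifier/1.0"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def fake_paypal(known_bodies):
    """Offline stand-in for PayPal (constructed for this example): it answers
    VERIFIED only for postbacks whose payload it 'sent' itself."""
    def post(url, body):
        assert body.startswith(PREFIX)
        return b"VERIFIED" if body[len(PREFIX):] in known_bodies else b"INVALID"
    return post


# Constructed IPN payload, and a copy tampered with after the fact.
GENUINE = (b"txn_id=ABC123&payment_status=Completed&mc_gross=49.00"
           b"&mc_currency=USD&receiver_email=shop%40example.com")
TAMPERED = GENUINE.replace(b"mc_gross=49.00", b"mc_gross=0.01")


def run_demo():
    paypal = fake_paypal({GENUINE})
    return {"genuine": verify_ipn(GENUINE, paypal),
            "tampered": verify_ipn(TAMPERED, paypal)}


if __name__ == "__main__":
    print(run_demo())
    print("http allowed:", postback_url_ok("http://ipnpb.paypal.com/cgi-bin/webscr"))
```

A VERIFIED reply only proves the message came from PayPal; the listener must still check that receiver_email is the store’s own account, that txn_id has not been processed before, that mc_gross and mc_currency match the order, and that payment_status is Completed before marking the order paid.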

Because this upgrade is technical in nature, we suggest you consult professional developers to apply the change to your online store. Our certified Magento developers are ready to help; they have successfully upgraded or patched over 80 stores in this way. Connect today with our Magento services to apply this upgrade or patch quickly and safely.

SUPEE-8967 – A New Magento Security Patch Will be Released Soon!

Magento has officially announced the upcoming release of “SUPEE-8967” on its website. This security patch will help Magento stores correctly recognize the updated BIN range of Mastercard card numbers, so that cards from the new range are not rejected at checkout. The patch only applies to versions prior to CE 1.9.3.0; the fix is already included in CE 1.9.3.0 and newer.

For versions older than Magento CE 1.9.0.0, the SUPEE-2725 patch needs to be applied first for the change to take effect.
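As an added illustration (not Magento’s code and not part of the original post), the Python below shows why the BIN update matters: the legacy rule recognizes Mastercard only by the classic 51–55 prefixes, while the updated rule also accepts the 2-series range 222100–272099 that Mastercard introduced (this example assumes that is the range the patch addresses). A card_type() helper runs the Luhn check first and then the BIN logic, so a 2-series card that is “unknown” under the old rule becomes “mastercard” under the new one. The card numbers are constructed test values, not real cards.

```python
def luhn_ok(number: str) -> bool:
    """Standard Luhn check-digit test, run before any BIN logic."""
    digits = [int(c) for c in number.replace(" ", "")]
    if not digits:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def legacy_is_mastercard(number: str) -> bool:
    """Pre-update rule: only the classic 51-55 prefixes are Mastercard."""
    digits = number.replace(" ", "")
    return digits.isdigit() and len(digits) >= 2 and 51 <= int(digits[:2]) <= 55


def is_mastercard(number: str) -> bool:
    """Updated rule: classic 51-55 plus the 2-series range 222100-272099
    (assumption: this is the updated BIN range the patch addresses)."""
    digits = number.replace(" ", "")
    if not digits.isdigit() or len(digits) < 6:
        return False
    return 51 <= int(digits[:2]) <= 55 or 222100 <= int(digits[:6]) <= 272099


def card_type(number: str, mastercard_check=is_mastercard) -> str:
    """Classify a card number; pass legacy_is_mastercard to see the old
    behaviour. Only Visa, Mastercard and Amex are modelled here."""
    digits = number.replace(" ", "")
    if not digits.isdigit() or not luhn_ok(digits):
        return "invalid"
    if mastercard_check(digits):
        return "mastercard"
    if digits.startswith("4"):
        return "visa"
    if digits[:2] in ("34", "37"):
        return "amex"
    return "unknown"


if __name__ == "__main__":
    # Constructed test numbers (Luhn-valid, not real cards).
    for n in ("5555 5555 5555 4444", "2221 0000 0000 0009", "4111 1111 1111 1111"):
        print(n, "legacy:", card_type(n, legacy_is_mastercard), "updated:", card_type(n))
```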

For more information, or if you need help with installation, you can contact us at [email protected]. We at Envision Ecommerce have successfully installed security patches on over 80 stores, so we know how to keep your store secure; connect with our Magento services to do it quickly and safely for you.

Disastrous WordPress REST API Bug – Keep Your WP Site from Being Hacked

Last month, WordPress 4.7.2 fixed four security issues but initially disclosed only three of them: a SQL injection vulnerability in WP_Query, the Press This taxonomy-term assignment interface being shown to users without permission, and a cross-site scripting (XSS) flaw in the posts list table. The fourth and most serious flaw, a content-injection vulnerability in the WordPress REST API, was disclosed one week after the release. Until patched, it allowed unauthenticated remote attackers to modify the content of any page or post on a WordPress 4.7 or 4.7.1 site.

Reason for Delay:

Sucuri, which reported the flaw, worked with the WordPress security team during that week so that web application firewall vendors and hosting providers could put protections in place, and automatic updates could reach as many sites as possible, before the issue was made public.

As per the WordPress core contributor “Aaron Campbell” – “We believe transparency is in the public’s best interest. It is our stance that security issues should always be disclosed. In this case, we intentionally delayed disclosing this issue by one week to ensure the safety of millions of additional WordPress sites.”

“Data from all four WAFs and WordPress hosts showed no indication that the vulnerability had been exploited in the wild. As a result, we made the decision to delay disclosure of this particular issue to give time for automatic updates to run and ensure as many users as possible were protected before the issue was made public.”

Disastrous WordPress REST API Bug, Its Impact and Results:

This flaw has been rated the most serious of the four and is now being actively exploited, even though the fix was automatically deployed to millions of WordPress installations within hours of the patch release. Hundreds of thousands of WordPress sites have been defaced with messages such as “Hacked by NG689Skw” or “Hacked by w4l3XzY3”; searching for these strings turns up thousands of affected sites.

How to Keep Your WP Site from Being Hacked:

So if your website runs 4.7.0 or 4.7.1 and has not yet been updated to 4.7.2, update now to remove the risk of content injection. If your site has already been defaced, update to the current WordPress release and restore the defaced posts from an earlier revision.

To know more about this vulnerability, you can head on the wptavern.com (https://wptavern.com/wordpress-rest-api-vulnerability-is-being-actively-exploited-hundreds-of-thousands-of-sites-defaced) or the official blog post of Sucuri (https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html).

Magento: New Zend Framework 1 Security Vulnerability Update

Recently, a serious vulnerability was disclosed in the email component (Zend_Mail) of Zend Framework 1, which Magento 1, Magento 2 and many other PHP applications use. It can give an attacker remote code execution if your server uses Sendmail as its mail transfer agent: the Sendmail transport passes the Return-Path address to the sendmail binary as the -f command-line option, so an address the attacker can influence lets them inject additional sendmail options.

So don’t be a victim! To protect your Magento store, we strongly recommend that you check your mail sending settings immediately. The setting that controls the Return-Path of emails sent from your store is at:

Magento 1: System-> Configuration-> Advanced-> System-> Mail Sending Settings-> Set Return-Path

Magento 2: Stores-> Configuration-> Advanced-> System-> Mail Sending Settings-> Set Return-Path

First, check the value of “Set Return-Path”. If it is set to “Yes” and your server uses Sendmail, your Magento store is vulnerable. Enterprise Cloud Edition customers need not worry: their existing configuration is not at significant risk.

We at Envision Ecommerce recommend switching “Set Return-Path” to “No” until Magento releases a security patch for this vulnerability, regardless of which transport agent you use. We expect Magento to provide patches over the next several weeks.
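The underlying lesson is that an address which ends up on a command line must be validated, not merely escaped. The Python below is an added example of the hardened form (it is not Zend Framework’s or Magento’s code and not part of the original post): a Return-Path is accepted only if it is a plain local@domain address with no whitespace, quotes, angle brackets or leading dash, and it is then passed to sendmail as one argv element with no shell involved, so nothing in the value can become a separate option. The sendmail path, the strict address pattern and the constructed candidate list are assumptions of this example.

```python
import re
from typing import List, Optional

# A deliberately strict shape for a single bare address (local@domain).
# Anything that could smuggle an option past sendmail (whitespace, quotes,
# angle brackets, a leading dash) is rejected rather than escaped.
# Assumption: a store's Return-Path only ever needs to be a plain address.
_BARE_ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


def is_safe_return_path(address: str) -> bool:
    """True only for a plain local@domain address that cannot be mistaken
    for, or carry, a sendmail command-line option."""
    return bool(_BARE_ADDRESS.match(address)) and not address.startswith("-")


def build_sendmail_argv(return_path: Optional[str],
                        sendmail: str = "/usr/sbin/sendmail") -> List[str]:
    """Build the argv for handing a message to sendmail on stdin.

    The list form means no shell is involved, and the Return-Path is added
    as a single "-f<address>" element only after validation; an unsafe
    value raises instead of being passed through.
    """
    argv = [sendmail, "-t", "-i"]
    if return_path is not None:
        if not is_safe_return_path(return_path):
            raise ValueError("refusing unsafe Return-Path: %r" % return_path)
        argv.append("-f" + return_path)
    return argv


def classify(addresses):
    """Map each candidate Return-Path to True (accepted) or False (rejected)."""
    return {a: is_safe_return_path(a) for a in addresses}


# Constructed candidates: one legitimate address and three shapes an attacker
# might try in order to add options to the sendmail command line.
CANDIDATES = [
    "shop@example.com",
    "-fshop@example.com",
    "shop@example.com -OQueueDirectory=/tmp",
    '"shop" -X/tmp/log "@example.com',
]

if __name__ == "__main__":
    for addr, ok in classify(CANDIDATES).items():
        print("ACCEPT" if ok else "REJECT", repr(addr))
    print(build_sendmail_argv("shop@example.com"))
```

The same rule applies to PHP’s mail() additional_parameters argument, which is where Zend_Mail’s Sendmail transport places the -f value: validate the address against a strict pattern before it gets anywhere near that call.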

If you need help, contact us for a security analysis. We would be glad to walk you through it and tell you whether your Magento store is exposed to this vulnerability.

Migrate Your HTTP Sites to HTTPS as Google Is Going to Mark Them Not Secure!

The Google Chrome security team has announced that the browser will start labeling HTTP connections as not secure beginning January 2017.

So site owners are advised to migrate their websites to HTTPS to better protect personal and other sensitive data such as login credentials. HTTPS protects the integrity and confidentiality of data moving between a website and its users; without it, that information can be intercepted or tampered with in transit.

Emily Schechter, Team Member of Chrome Security, said that “Beginning in January 2017 (Chrome 56), we’ll mark HTTP sites that transmit passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.”

Google Chrome currently holds about 55 percent of the combined mobile and desktop browser market, so roughly half of web users will see your site flagged as not secure if it lacks HTTPS. Using HTTPS is therefore essential, especially if you collect payment details, passwords or other personal information on any of your pages. Google also gives HTTPS sites a slight ranking boost.

Now make your New Year even more secure with a secure web. See this guide on how to do it: https://www.searchenginejournal.com/step-step-guide-migrate-site-https/177790/

Safeguard Your Magento Installation against Brute Force Password Guessing – NEW UPDATE

Over the past couple of weeks, there has been a significant increase in brute force attacks against Magento installations, and many of them have led to unauthorized access to the store admin panel. To safeguard your Magento installation against such attacks, here are some recommended steps:

1. Identify All Possible Installation Access Points:

First, identify every way an outside attacker can reach your installation. Scanning your store with http://magereport.com will show you these access points.

Note: for a typical Magento 1 installation (for instance Magento Enterprise Edition 1.14.2), three locations need protection: /admin (or the custom name you chose for your admin), /downloader, and /rss. For Magento 2, only the admin panel location (a unique path generated during installation) needs protection.

2. IP Whitelisting

IP whitelisting works best for protecting the admin and downloader locations, restricting access to specific users by IP address or network. It is the best solution if you always access your store backend from the same location or computer. You can find your public IP address via Google (https://www.google.com/search?q=what+is+my+ip); it is a dotted address such as 203.0.113.5 (a documentation-range address used here as a placeholder).

However, if you access your store backend from a mobile device or through a dynamic IP address, IP whitelisting may not work well for you. If your business has a remote workforce, their IP addresses must be added too.

3. IP Whitelisting Protection for Downloader, Admin Panel, and RSS Feeds:

Whitelisting works differently for the downloader than for the admin panel and RSS feeds. The downloader is a physical directory on the server, so it can carry its own access rules; the admin panel (reached via /admin and /index.php/admin, or the custom paths you choose) and the RSS feeds (such as low-stock warnings or order status updates) are routed through index.php and are not physical directories, so they must be protected with rewrite rules instead.

4. For Apache Web Server Users:

If you use the Apache web server, you can protect your admin panel and RSS feeds by rejecting requests from non-whitelisted IP addresses with a 403 response. Edit the .htaccess file in your Magento root folder; the rules go after the existing rewrite rules and just before the section labelled “always send 404 on missing files in these folders.”

  • Whitelisting an admin panel IP Address:

Insert the following rules in your root .htaccess file (inside <IfModule mod_rewrite.c>) to restrict the admin panel to a whitelisted IP address. Escape the dots and anchor the pattern with $, otherwise 1.2.3.4 also matches 1.2.3.40; add one RewriteCond line per allowed address (the conditions are ANDed, so the 403 is sent only when the client matches none of them):

RewriteCond %{REMOTE_ADDR} !^xx\.xx\.xx\.xx$
RewriteRule ^(index.php/)?admin/ - [L,R=403]
  • Whitelisting RSS feed IP Address:

Insert the following rules in your root .htaccess file (inside <IfModule mod_rewrite.c>) to restrict the RSS feeds to a whitelisted IP address, with the same escaping and one RewriteCond per allowed address:

RewriteCond %{REMOTE_ADDR} !^xx\.xx\.xx\.xx$
RewriteRule ^(index.php/?)?rss/ - [L,R=403]
  • Whitelisting Downloader Application IP Address:

Insert the following rules in your ./downloader/.htaccess file to restrict the downloader application to a whitelisted IP address (Apache 2.2 syntax; on Apache 2.4 use “Require ip xx.xx.xx.xx” instead, or enable mod_access_compat):

order deny,allow
deny from all
allow from xx.xx.xx.xx

5. For Nginx Web Server Users:

In most cases you will need to work with your hosting provider to restrict access to the admin, downloader and RSS locations.

But if you have full server access, you can edit your Nginx configuration yourself, following the steps at https://www.nginx.com/resources/admin-guide/restricting-access/ or those below:

  • Whitelisting an admin panel IP Address:

Insert the following blocks in your Nginx configuration to restrict the admin panel to a whitelisted IP address. Nginx uses the first regular-expression location that matches, in configuration order, so place these blocks before your general “location ~ \.php$” handler; otherwise a request for /index.php/admin/ is handled by the PHP block and never reaches the deny:

location ~ ^/admin/ {
allow xx.xx.xx.xx;
deny all;
try_files $uri $uri/ /index.php;
}
location ~ ^/index.php/?admin/ {
allow xx.xx.xx.xx;
deny all;
try_files $uri $uri/ /index.php;
}

 

  • Whitelisting RSS feed IP Address:
location ~ ^/index.php/?rss/ {
allow xx.xx.xx.xx;
deny all;
try_files $uri $uri/ /index.php;
}
location ~ ^/rss/ {
allow xx.xx.xx.xx;
deny all;
try_files $uri $uri/ /index.php;
}
  • Whitelisting Downloader Application IP Address:
location ~ ^/downloader/ {
allow xx.xx.xx.xx;
deny all;
}
  • Completely Block or Remove the RSS and Downloader:

If you do not use the RSS feeds or the downloader, it is best to block or remove them entirely.

If you do not install or update extensions on your production server, or you manage files with a version control system, you can delete the downloader folder entirely or block access to it. Blocking the RSS feeds requires the rules below.

  • For Apache Server Users:

Insert the following rule into your downloader/.htaccess file to block access to the downloader application (Apache 2.2 syntax; on Apache 2.4 use “Require all denied”):

deny from all

To block access to the RSS feeds, insert the rule below in your root .htaccess file (inside <IfModule mod_rewrite.c>):

RewriteRule ^(index.php/?)?rss/ - [L,R=403]
  • For Nginx Web Server Users:

In most cases you will need to work with your hosting provider to restrict access to the downloader and RSS locations.

But if you have full server access, you can edit your Nginx configuration yourself, using the blocks below:

  • Insert the following block into your nginx.conf file to block access to the downloader application:

location ~ ^/downloader/ {
deny all;
}
  • Insert the blocks below into your nginx.conf file to block access to the RSS feeds:

location ~ ^/index.php/?rss/ {
deny all;
}
location ~ ^/rss/ {
deny all;
}
  • Changing the Admin Panel and Magento Connect Manager Locations

The admin panel and Magento Connect Manager (downloader) are both entry points an attacker can brute-force. Changing their locations reduces your exposure to untargeted, automated attacks, but it does not protect against targeted attacks that try to discover the new location with many requests.

Check with your hosting provider before making these changes, since some providers apply specific security rules to the default locations. If you never install extensions from Magento Connect, delete or completely block the downloader directory instead.

  • Change the Name of the Admin Panel (Magento 1 Only):

Here are the steps to change the admin panel name:

1) Log in to the admin panel.

2) Navigate to System > Cache Management.

3) Edit app/etc/local.xml in your Magento installation.

4) Change the name in the section admin > routers > adminhtml > args > frontName.

5) Clear the cache and log out.

6) Log in again via the new URL.

  • Change the Name of Magento Connect Manager (or Downloader) (Magento 1 Only)

This is another effective option, but after renaming Magento Connect Manager it can no longer be opened from the Magento admin panel; it must be opened directly via its new URL.

To rename Magento Connect Manager, simply rename the existing “downloader” folder to something distinctive.

6. Advanced / Alternative Scenarios:

In some situations it is impractical to restrict access to a fixed set of IP addresses, particularly when your store’s admin panel has to be reached by many users from many locations. In such cases, consider these approaches:

  • A VPN tunnel that blocks all other access to these services (set up in conjunction with your hosting provider).
  • Installing and enabling two-factor authentication, for instance with the extension described at https://www.nexcess.net/resources/plugins/sentry-two-factor-authentication-magento (you still need to block or restrict /rss and /downloader access).
  • Adaptive request filtering or an intrusion prevention system such as Fail2Ban.
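To show what “adaptive request filtering” amounts to on the three access points listed above, here is an added Python example (not Magento’s or Fail2Ban’s code and not part of the original post) that reads Apache combined-format access log lines, counts POST requests per client to the Magento 1 admin login URL, the downloader and the RSS feeds within a sliding time window, and emits Nginx deny lines for clients over the threshold. The log lines are constructed samples; the assumption that login attempts are POSTs to the admin root (so an administrator saving products deeper under /admin is not counted), the default “admin” frontName, the threshold and the window are all choices of this example, and Fail2Ban does the same job continuously against the live log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" access log line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# The three Magento 1 access points discussed above. For /admin only the
# login URL itself (the admin root) is counted, so a logged-in administrator
# saving records deeper under /admin is not mistaken for an attacker.
# Assumption: the admin frontName is the default "admin".
SENSITIVE = re.compile(r'^/(index\.php/)?(admin/?|downloader(/.*)?|rss(/.*)?)(\?.*)?$')


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for a non-matching line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def find_brute_forcers(lines, max_posts=5, window=timedelta(minutes=10)):
    """Return {ip: peak_count} for every client that POSTs to a sensitive
    path more than `max_posts` times inside any sliding `window`."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method != "POST" or not SENSITIVE.match(path):
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop attempts outside the window
            q.popleft()
        if len(q) > max_posts:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def nginx_deny_lines(flagged):
    """Render flagged clients as Nginx access-control directives."""
    return ["deny %s;" % ip for ip in sorted(flagged)]


# Constructed sample log (not from a real server): one client hammering the
# admin login, one legitimate administrator, one scanner under the threshold.
SAMPLE_LOG = """\
198.51.100.23 - - [10/Nov/2016:12:00:01 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5120 "-" "python-requests/2.9"
198.51.100.23 - - [10/Nov/2016:12:00:05 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5120 "-" "python-requests/2.9"
198.51.100.23 - - [10/Nov/2016:12:00:09 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5120 "-" "python-requests/2.9"
198.51.100.23 - - [10/Nov/2016:12:00:13 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5120 "-" "python-requests/2.9"
198.51.100.23 - - [10/Nov/2016:12:00:17 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5120 "-" "python-requests/2.9"
198.51.100.23 - - [10/Nov/2016:12:00:21 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5120 "-" "python-requests/2.9"
198.51.100.23 - - [10/Nov/2016:12:00:25 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5120 "-" "python-requests/2.9"
203.0.113.5 - - [10/Nov/2016:12:01:00 +0000] "POST /index.php/admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Nov/2016:12:01:30 +0000] "GET /index.php/admin/dashboard/index/key/abc123/ HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Nov/2016:12:02:10 +0000] "POST /index.php/admin/catalog_product/save/id/12/key/abc123/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Nov/2016:12:03:00 +0000] "POST /downloader/ HTTP/1.1" 200 3300 "-" "curl/7.47.0"
192.0.2.77 - - [10/Nov/2016:12:03:02 +0000] "POST /downloader/ HTTP/1.1" 200 3300 "-" "curl/7.47.0"
192.0.2.77 - - [10/Nov/2016:12:03:04 +0000] "GET /rss/catalog/new HTTP/1.1" 200 1200 "-" "curl/7.47.0"
"""

if __name__ == "__main__":
    flagged = find_brute_forcers(SAMPLE_LOG.splitlines())
    print(flagged)
    print("\n".join(nginx_deny_lines(flagged)))
```

With the defaults only 198.51.100.23 is flagged; lowering max_posts to 1 also catches the scanner at 192.0.2.77 but still not the administrator at 203.0.113.5, whose product save does not hit the login URL.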

We at Envision Ecommerce have dealt with Magento security since our earliest days in the Magento industry. There are many ways to protect your store against brute force password guessing; we recommend reviewing them and choosing the one that suits your store’s situation. If you have any questions or suggestions, please write in the comments below.

Source: https://magento.com/security/best-practices/protect-your-magento-installation-password-guessing-new-update

Dirty COW Linux Vulnerability: New Security Hole in the Linux Kernel

Recently, a new major security hole in the Linux kernel was found, tracked as CVE-2016-5195 and nicknamed “Dirty COW”. It is a serious local privilege escalation vulnerability affecting most commercially supported Linux distributions, including Red Hat Enterprise Linux 5, 6 and 7, Debian Wheezy, Jessie and Stretch, Ubuntu 16.04 LTS and 14.04 LTS, SUSE, and others.

The issue stems from a race condition in the kernel’s memory subsystem, in its copy-on-write handling of private read-only mappings. A local attacker can exploit it to gain root access to the server. If your Magento store runs on Linux, an attacker who already has a foothold on the machine, for example through a web shell uploaded via a vulnerable extension or a compromised admin account, could use it to take full control of the server. Here is:

How to Protect Your Magento Store against the Dirty COW Vulnerability

If you manage your own server, update the kernel (and reboot) as soon as your operating system vendor publishes the security patch.

If you do not manage your own server, or you are on shared hosting, contact your server administrator or hosting provider to make sure your Magento store is protected against this vulnerability.

Knowing about this issue is half the battle, and now you are aware of it. Our general guidance is simply to update your kernel and reboot as soon as possible.