Helpful Articles

• Security Advisory: Addressing the Magento "Polyshell" Vulnerability

  ---

  Important: While the JetRails "Secure by Default" architecture prevents these files from being executed on our servers, the underlying vulnerability that allows uploads via the Magento REST API remains active. Until Adobe releases a formal patch, we recommend following the mitigation steps below to ensure uploaded files remain neutralized.

  ---

  
  
  At JetRails, we are closely monitoring the "Polyshell" attack vector recently detailed by Sansec. This advisory provides a clear breakdown of the risk and how to determine if your specific Magento configuration is affected.

  ---

  What is the Magento Polyshell?

  In simple terms, a Polyshell is a malicious script disguised as a harmless image. An attacker attempts to upload this file through a storefront's Custom Product Options (specifically the "File" upload type). Once uploaded, the attacker tries to execute the hidden code to gain control of the server.

  The Bottom Line:

  • If you do not use "File" type custom options for any products, you are not affected.

  • If you do use file uploads for products, you must wait for an official patch, as blocking the upload path will prevent your customers from placing orders.

  • The exploit can be triggered on products without custom options; just a random SKU is enough.

  The JetRails Safeguard

  JetRails customers benefit from a "Secure by Default" architecture. Regardless of whether you use custom options:

  • Execution Blocking: Our server configurations are designed to block the execution of arbitrary files within media and upload directories.

  • Neutralization: Even if a Polyshell is successfully uploaded, it is stored as a static file. Our environment prevents the server from "running" the code hidden inside it.

  ---

  How to Check if You Are Affected

  To confirm if your store uses the "File" upload custom option, run the following SQL query against your database. This will list any products currently configured to accept file uploads from customers:

  SELECT 
      cpe.sku AS product_sku, 
      cpot.title AS option_title, 
      cpo.type AS option_type
  FROM catalog_product_option cpo
  JOIN catalog_product_entity cpe 
      ON cpo.product_id = cpe.entity_id
  LEFT JOIN catalog_product_option_title cpot 
      ON cpo.option_id = cpot.option_id AND cpot.store_id = 0
  WHERE cpo.type = 'file';

  ---

  Recommended Mitigation Strategies

  Scenario A: You DO NOT Use Product File Uploads

  If the query above returns no results, for additional security, you can block the /media/custom_options/ directory. This adds an extra layer of "Edge" security.

  1. Cloudflare WAF Configuration: To block these requests at the edge:

  1. Log in to your Cloudflare Dashboard.

  2. Navigate to Security > WAF > Custom rules.

  3. Click Create rule.

  4. Set the Rule name to "Block Polyshell Upload Path".

  5. Under When incoming requests match, set:

     • Field: URI Path | Operator: equals | Value: /media/custom_options/

     • Click And

     • Field: Request Method | Operator: equals | Value: POST

  6. Under Then take action, select Block.

  7. Click Deploy.

  2. Nginx Configuration Block To ensure the server itself rejects these requests, the following can be added to your Nginx configuration:

  location ~* ^/media/custom_options/ {
      deny all;
  }

  Scenario B: You DO Use Product File Uploads

  If you require these uploads for your business, do not apply the blocks mentioned above, as they will break your store's functionality.

  1. Rely on JetRails: Our server-level restrictions are already in place to prevent uploaded files from being executed.

  2. Apply Patches: Monitor Adobe/Magento for an official security patch to address the underlying validation logic.

  ---

  [!IMPORTANT] Need Assistance? The JetRails team is here to help. If you would like us to verify your database, implement the Nginx block, or configure the Cloudflare WAF rule for you, please reach out to our support team.

• NGINX Rule for Blocking Access to upload

  To block access to the Magento upload directory to mitigate CVE-2025-54236, add the following snippet to your NGINX configuration.

  location ~* /(index.php/|)customer/address_file/upload {
      deny all;
  }

  To further protect the environment, it's recommended to remove write access to pub/media/customer_address/.

  Delete existing files and remove write access to the pub/media/customer_address/ directory.

  rm -rf pub/media/customer_address/*
  find pub/media/customer_address -type f -exec chmod a-w {} \;
  find pub/media/customer_address -type d -exec chmod a-w {} \;

• Do I need a staging server?

  Having separate servers for staging and production environments is a common practice in software development and deployment. Here's why it's beneficial:

  1. Isolation of Environments:

     • Staging Server: This is a replica of the production environment where developers and testers can safely test new features, updates, and configurations. It allows them to identify and fix any issues without affecting the live environment.
     • Production Server: This is the live environment where end-users interact with the application. Any downtime or issues here can have serious consequences, such as loss of revenue or user trust.

  2. Risk Mitigation: By testing in a staging environment, you reduce the risk of introducing bugs, performance issues, or security vulnerabilities into the production environment. This ensures that only stable and thoroughly tested code is deployed to production.

  3. Controlled Rollouts: With separate servers, you can perform controlled rollouts. New features can be gradually introduced in the staging environment, tested, and then deployed to production with confidence.

  4. Testing in a Production-like Environment: The staging server should closely mimic the production environment in terms of configuration, data, and usage patterns. This allows for more accurate testing, ensuring that the behavior of the application in staging will closely resemble its behavior in production.

  5. Data Integrity and Security: Production servers typically handle real user data, which needs to be protected. By keeping staging separate, you can avoid exposing sensitive data during testing. Staging environments often use anonymized or test data to maintain security and privacy.

  6. Continuous Integration/Continuous Deployment (CI/CD): In CI/CD pipelines, separate servers are crucial for automated testing and deployment. The pipeline can automatically deploy to staging for testing and then promote the tested code to production, streamlining the development process.

  7. Rollback and Recovery: If something goes wrong in production, having a separate staging environment allows you to quickly roll back to a previous stable version or diagnose and fix the issue without affecting the live system.

  In summary, separate staging and production servers help ensure that the live environment remains stable, secure, and performant while allowing for thorough testing and risk management in a controlled setting.

• Using jrctl To Perform Privileged Actions

  About

  The JetRails jrctl tool provides access to unprivileged (non root) users to make changes to the firewall and grants ability to restart system services. With access to jrctl, your team has access to commonly needed tools without escalating to server admins.

  Interacting with the firewall

  You can use jrctl to interact with a server’s firewall. This is helpful when reviewing existing firewall entries and whitelisting/blocking IPs. 

  Listing firewall entries

  Run the following command to list current firewall entries for all configured servers (standalone servers and clusters) in your deployment:

  $ jrctl firewall list
  
  SERVER RESPONSE
  127.0.0.1 Found 0 whitelist entries.
  
  No firewall entries found.

  Allowing new IP

  To whitelist a developer or admin user’s IP address 1.1.1.1 to your server/cluster on web ports 80 and 443:

  $ jrctl firewall allow -a 1.1.1.1 -p 80,443
  
  Executed only on "localhost" server(s):
  
  SERVER RESPONSE
  127.0.0.1 Successfully added allow entry for 1.1.1.1 on ports [80 443].

  Notice that the SERVER field lists 127.0.0.1 which means that jrctl is interacting with the local server. If you were managing a cluster, it would display the IP addresses of the systems which are being modified.

  After making changes, you should also check to make sure the changes made are in place. We will do so by listing the current firewall entries again:

  $ jrctl firewall list
  
  SERVER RESPONSE
  127.0.0.1 Found 2 whitelist entries.
  
  SERVER ACTION IPV4/CIDR PORT(S) PROTOCOL(S) COMMENT
  127.0.0.1 ALLOW 1.1.1.1 80 tcp "None"
  127.0.0.1 ALLOW 1.1.1.1 443 tcp "None"

  Note: Notice that there are two entries created, one for every port.

  Disallowing existing IP

  You may find that you need to remove a previously allowed user’s access to your deployment. This might happen if a developer no longer works on your site, or an admin user is no longer working for the company. Below is an example that will unallow1.1.1.1 on www ports 80 and 443.

  $ jrctl firewall unallow -a 1.1.1.1 -p 80
  
  Executed only on "localhost" server(s):
  
  SERVER RESPONSE
  127.0.0.1 Successfully removed allow entry for 1.1.1.1 on ports 80.
  
  $ jrctl firewall unallow -a 1.1.1.1 -p 443
  
  Executed only on "localhost" server(s):
  
  SERVER RESPONSE
  127.0.0.1 Successfully removed allow entry for 1.1.1.1 on ports 443.

  Again, when making changes to the firewall, we recommend to list the current rules before and after making changes. Following the aforementioned advice, you can see that there are no more entries in place.

  $ jrctl firewall list
  
  SERVER RESPONSE
  127.0.0.1 Found 0 whitelist entries.
  
  No firewall entries found.

  Additional abilities: Deny and Undeny

  We just showed how you use the allow and unallow commands. You may also use the deny and undeny commands in a similar way. Since most servers are setup with the firewall being deny-all-first, these commands will be used rarely.

  Allowing Cloudflare IP blocks

  Finally, if your site is behind Cloudflare, you need to give server access to Cloudflare’s IP addresses. You can manually download the list of IP addresses that Cloudflare provides, or you can do it with jrctl. You can simply allow all of Cloudflare’s IPs by running the following:

  $ jrctl firewall allow cloudflare
  
  Executed only on "localhost" server(s):
  
  SERVER RESPONSE
  127.0.0.1 Allowed 30 new Cloudflare IP(s).

  Just as easily, you can remove those entries with the following command:

  $ jrctl firewall unallow cloudflare
  
  Executed only on "localhost" server(s):
  
  SERVER RESPONSE
  127.0.0.1 Un-Allowed 30 Cloudflare IP(s).

  Restarting services

  Once configured, jrctl has the ability to restart services on the local server as well as on an entire Tier of service such as Web Tier, Caching Tier, SQL Tier, etc. This is an advanced configuration which needs to be configured by the JetRails support team.

  When pushing site changes, occasionally some services may need to be restarted in order to view the change on your live or dev site. You can run the following command to show what services are available to be restarted on your server or cluster:

  $ jrctl service list
  
  Filtering servers that match the following type(s): localhost
  
  HOSTNAME SERVER TYPE(S) RESPONSE
  foo.jetrails.com 127.0.0.1 localhost found 4 service(s)
  bar.jetrails.com 127.0.0.2 db found 4 service(s)
  
  HOSTNAME SERVICE STATUS RESTART RELOAD ENABLE DISABLE
  foo.jetrails.com nginx enabled ✔ ✔ ✔ ✔
  foo.jetrails.com php-fpm-7.1 enabled ✔ ✔ ✔ ✔
  foo.jetrails.com php-fpm-7.2 disabled ✔ ✔ ✔ ✔
  bar.jetrails.com mysql disabled ✔ ✔ ✔ ✔

  Restarting services is common practice for when changes need to be made, not only to the environment but also to your website. Below is an example of how to restart php-fpm-7.2 and nginx.

  You are allowed to restart more than one service at a time. Services will be restarted in the order in which they are listed. In this example, php-fpm-7.2 will be restarted first, followed by nginx.

  $ jrctl service restart php-fpm-7.2 nginx
  
  Filtering servers that match the following type(s): localhost
  
  SERVER SERVICE RESPONSE
  127.0.0.1 php-fpm-7.2 successfully restarted "php-fpm-7.2"
  127.0.0.1 nginx successfully restarted "nginx"

  Note: Specifying duplicate arguments to the restart command will restart those services again and execution will occur in the order that said arguments appear in.

  Running security audit

  This functionality gives you the ability to view all SSH activity that occurs on your servers. In addition, the report returns a list of firewall rules that are active on your servers. This report captures information on who, when, where, and how the server(s) were accessed. As a way to keep your servers and sites compliant and secure, it is recommended to regularly review users and connections on your servers. You can access this report by running the following command:

  $ jrctl report audit

  One-Time Secret

  Share sensitive information such as passwords and keys securely via our One-Time Secret service. This service allows users to (optionally) password protect sensitive information and encrypt it during transfer. A unique link is generated to distribute the secret. Once the secret is opened once, it is “burned” and no longer available to view again. If the secret is never viewed, it expires by itself.

  The JetRails team does not have a way to view, or recover, or decrypt your secret payload! Be sure you have a copy of whatever you are sending.

  Additional information

  The jrctl CLI tool is available and accessible through your jump host server. If you have any questions, please reach out to a member of our support team. Also see Using jrctl In Clustered Environments