New Security Update

Install critical updates for Magento 1.x and Magento 2.x versions

SUPEE-6788 Technical Details

October 27, 2015

Magento Enterprise Edition 1.14.2.2, Community Edition 1.9.2.2 and the patch bundle SUPEE-6788 address several security issues. Unfortunately, addressing these issues required some changes that may possibly break backward compatibility with customizations or extensions. Below you will find a list of changes and potential issues that may arise:

APPSEC-1034, addressing bypassing custom admin URL

  • Note: This part of the patch is disabled by default. To protect non-default admin URLs against automated attacks, the patch must be enabled by changing the routing compatibility mode in configuration. Use "Enable Admin routing compatibility mode" under System > Configuration > Admin > Security.

  • If a module has admin functionality that is not under the admin URL, it will need to be modified (eg. http://domain.com/cool_module instead of http://domain.com/admin/cool_module)

  • Developers need to change etc/config.xml and all code lines where they generate links to the admin part of the module.

  • For example the following config.xml file for a module:

<admin>
    <routers>
        <custom_module>
            <use>admin</use>
            <args>
                <module>custom_module</module>
                <frontName>custom_module</frontName>
            </args>
        </custom_module>
    </routers>
</admin>
  • Should be changed to:

<admin>
    <routers>
        <adminhtml>
            <args>
                <modules>
                    <custom_module after="Mage_Adminhtml">CustomModule_Adminhtml</custom_module>
                </modules>
            </args>
        </adminhtml>
    </routers>
</admin>

APPSEC-1063, addressing possible SQL injection

  • Modules that use SQL statements as field names or escape fields manually will need to be modified. Examples of code that is no longer allowed:

$collection->addFieldToFilter(‘(field1 – field2)’, array(‘eq’ => 3))

$collection->addFieldToFilter(‘`field`’, array(‘eq’ => 3))
  • Developers will need to change the way they generate filters for collections.

  • The following code:

$collection->addFieldToFilter('`field`', array('eq'=>3)); 
  • Should be changed to:

$collection->addFieldToFilter('field', array('eq'=>3));
  • The following code:

$collection->addFieldToFilter('(field1-field2)', array('eq'=>3));
  • Should be changed to:

$expression = '(field1-field2)';
$condition = $this->_getConditionSql($expression, array('eq'=>3));
$this->_select->where(condition);
  • The following approach could be used alternatively:

Class T extends Mage_Core_Model_Resource_Db_Collection_Abstract {
...
protected $_map = array('fields' => array(
    'condition' => '(field1 – field2)',
);
...
public function someMethod() {
    $this->addFieldToFilter('condition', array('eq' => 3));
}
...
}

APPSEC-1057, template processing method allows access to private information:

  • Magento now includes a white list of allowed blocks or directives. If a module or extension uses variables like {{config path=”web/unsecure/base_url”}} and {{block type=rss/order_new}} in CMS pages or emails, and the directives are not on this list, you will need to add them with your database installation script. Extensions or custom code that handles content (like blog extensions) might be affected.

  • A full list of allowed variables and blocks in the default installation is:

Variables:

web/unsecure/base_url

web/secure/base_url

trans_email/ident_support/name

trans_email/ident_support/email

trans_email/ident_general/name

trans_email/ident_general/email

trans_email/ident_sales/name

trans_email/ident_sales/email

trans_email/ident_custom1/name

trans_email/ident_custom1/email

trans_email/ident_custom2/name

trans_email/ident_custom2/email

general/store_information/name

general/store_information/phone

general/store_information/address

Blocks:

core/template
catalog/product_new
enterprise_catalogevent/event_lister (in Magento Enterprise Edition)
  • Note: you can configure allowed variables and blocks in System > Permissions > Blocks and System > Permissions > Variables.

  • If your code uses some config variables or blocks, you need to create a data update script that adds variables or blocks to the white list tables:

'permission_variable'
'permission_block'

APPSEC-1079, addressing potential Exploit with Custom Option File Type

  • This change will affect any customization that uses product custom options to save information as a PHP object. Such approach will no longer be possible.

APPSEC-1039/APPSEC-1228, Cross site scripting with error messages/CSRF/Session fixation

  • This change affects templates by adding form_key to customer registration page customer/form/register.phtml and persistent/customer/form/register.phtml. If your store includes customized registration page template, make sure to add this key there as well. Please refer to the patch source code for exact changes.

<input type="hidden" name="form_key" value="<?php echo Mage::getSingleton('core/session')->getFormKey() ?>" />

APPSEC-1027, Insufficient Protection of Password Reset Process

  • This change affects templates by changing form submission and adding token validation in password forgotten page. Files affected are layout/customer.xml and template/customer/form/resetforgottenpassword.phtml. If your store includes customized password forgotten template or layout, make sure to implement those changes there as well. Please refer to the patch source code for exact changes.