
Magento Security Advisory – Multiple Vulnerabilities Fixes Included in Patch Bundle SUPEE-6788

Released by Magento on 27th October, the SUPEE-6788 patch bundle for Magento Enterprise and Community Edition includes fixes for the following:

  • Potential SQL injection
  • Remote code execution
  • Cross site scripting vulnerabilities

Magento Security Advisory

Patches for multiple critical vulnerabilities are included in this bundle. Magento users running Magento Community Edition versions older than, and Magento Enterprise Edition versions older than, should apply these new patches immediately.

Several Other Vulnerabilities Fixed By the Patch Bundle…

The Admin Disclosure Vulnerability is not the only issue fixed by the patch bundle. A number of other serious vulnerabilities that could expose sensitive data were fixed too, including the following:

  • Cross-site scripting (XSS) vulnerability – Error messages are not properly escaped, which exposes them to XSS attacks
  • Remote code execution vulnerability – The cron.php file can be called directly by anyone. Combined with other vulnerabilities on the server, this may lead to remote code execution.
  • Account takeover threat – The password reset token is passed in a GET request and may therefore leak through the Referer header.

What Magento Users Need to Do

The patches in the bundle may break compatibility with some Magento plugins. For that reason, some of the security features added by this patch are disabled by default and must be enabled manually.

To enable these security features, the Admin Routing Compatibility Mode For Extensions option must be disabled. The setting is found under “Admin > Security” in the Magento Admin interface; switching it off there turns on the protections the patch adds.

What We Suggest

Magento experts strongly recommend applying SUPEE-6788

Our Magento experts strongly recommend applying SUPEE-6788 to Magento stores as soon as possible so that threats like exposure of user data and site takeover do not affect your Magento store.

We have noticed that the .htaccess files affected by the patch include .htaccess, htaccess.sample and dev/tests/functional/.htaccess. We have also noticed that modifications to these htaccess files lead to patch failures.

Our experts advise Magento users to verify plugin compatibility by installing the patch in a proper test environment first. In addition, the following is highly recommended:

  • Update incompatible plugins without delay
  • Disable the Admin Routing Compatibility Mode setting

If the above setting remains enabled, your Magento store stays exposed to the Admin Disclosure Vulnerability. The Magento documentation includes detailed instructions for applying patches and can be consulted as needed.
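One way to turn the checklist above into a repeatable post-patch verification, as an added example that is not Magento's or the author's code. It assumes the config path admin/security/extensions_compatibility_mode for the compatibility-mode setting and a pipe-separated record layout for app/etc/applied.patches.list; the sample data at the bottom is constructed.

```python
"""Post-patch verification checklist for SUPEE-6788 (added example, not
Magento's or the author's code). Checks the advisory's remediation points
over data an administrator already has: app/etc/applied.patches.list,
an export of core_config_data, and the files present in the store root."""

PATCH_NAME = "SUPEE-6788"
# Assumption: core_config_data path behind the "Admin Routing Compatibility
# Mode For Extensions" setting ("1" = enabled, the insecure default).
COMPAT_MODE_PATH = "admin/security/extensions_compatibility_mode"
# .htaccess files the patch touches, as listed in the advisory.
HTACCESS_FILES = (".htaccess", "htaccess.sample", "dev/tests/functional/.htaccess")


def patch_applied(applied_list_text):
    """True if the patch is recorded in applied.patches.list. Assumption:
    each record is a pipe-separated line carrying the patch name as a field."""
    for line in applied_list_text.splitlines():
        if PATCH_NAME in [f.strip() for f in line.split("|")]:
            return True
    return False


def compat_mode_enabled(config_rows):
    """True if any (path, value) row leaves compatibility mode switched on."""
    return any(p == COMPAT_MODE_PATH and v == "1" for p, v in config_rows)


def missing_htaccess(present_files):
    """Patched .htaccess files that are absent from the store root."""
    present = set(present_files)
    return [f for f in HTACCESS_FILES if f not in present]


def assess(applied_list_text, config_rows, present_files):
    """List of findings; an empty list means the store looks patched."""
    findings = []
    if not patch_applied(applied_list_text):
        findings.append("SUPEE-6788 not found in applied.patches.list")
    if compat_mode_enabled(config_rows):
        findings.append("Admin Routing Compatibility Mode is still enabled")
    findings += ["patched file missing: " + f for f in missing_htaccess(present_files)]
    return findings


if __name__ == "__main__":
    # Constructed sample data, not taken from a real store.
    applied = "2015-10-27 10:00:00 UTC | SUPEE-6788 | CE_x.y.z | v1 | - | - | -\n"
    config = [(COMPAT_MODE_PATH, "1")]
    for finding in assess(applied, config, [".htaccess", "htaccess.sample"]):
        print(finding)
```

Run it against the real applied.patches.list, a core_config_data export and a directory listing of the store root; any non-empty output is an item left open from the checklist.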
