Magento Security Advisory – Multiple Vulnerabilities Fixes Included in Patch Bundle SUPEE-6788
Released by Magento on 27th October, the SUPEE-6788 patch for Magento Enterprise and Community Edition includes fixes for the following:
- Potential SQL injection
- Remote code execution
- Cross site scripting vulnerabilities
This bundle includes patches for multiple critical vulnerabilities. Magento users running Magento Community Edition versions older than 220.127.116.11, or Magento Enterprise Edition versions older than 18.104.22.168, are advised to apply these new patches immediately.
Several Other Vulnerabilities Fixed By the Patch Bundle…
The Admin Disclosure Vulnerability is not the only vulnerability fixed by the patch bundle. A number of other serious vulnerabilities that could expose sensitive data were fixed too, including the following:
- Cross-site scripting (XSS) vulnerability – Error messages are not properly escaped, which exposes them to XSS attacks.
- Remote code execution vulnerability – The cron.php file can be called by anyone over HTTP. Combined with other vulnerabilities on the server, this may lead to remote code execution.
- Account takeover threat – The password reset token is passed in a GET request, so it may leak via the Referer header.
What Magento Users Need to Do
The patches in this bundle may break compatibility with some Magento plugins. For that reason, some of the security features added by this patch are disabled by default and need to be enabled manually.
To enable these security features, disable the Admin Routing Compatibility Mode For Extensions option, which is found under “Admin > Security” in the Magento Admin interface.
What We Suggest
Our Magento experts strongly recommend applying SUPEE-6788 to Magento stores as soon as possible, so that threats such as exposure of user data and site takeover do not affect your Magento store.
We have noticed that the .htaccess files affected by the patch include .htaccess, htaccess.sample and dev/tests/functional/.htaccess. We have also noticed that modifications to the htaccess files lead to patch failures.
According to our experts, Magento users need to verify plugin compatibility by installing the patch in a proper test environment first. Besides this, the following is highly recommended:
- Update incompatible plugins without delay
- Disable the Admin Routing Compatibility Mode setting
If the above-mentioned setting remains enabled, your Magento store is exposed to the Admin Disclosure Vulnerability. The Magento documentation includes detailed instructions for applying the relevant patches and can be referred to as required.