Magento Security Advisory – Multiple Vulnerabilities Fixes Included in Patch Bundle SUPEE-6788
Released by Magento on 27th October, the SUPEE-6788 patch bundle for Magento Enterprise and Community Edition includes fixes for the following:
- Potential SQL injection
- Remote code execution
- Cross site scripting vulnerabilities
This bundle includes patches for multiple critical vulnerabilities. Magento users running Magento Community Edition versions older than 184.108.40.206 or Magento Enterprise Edition versions older than 220.127.116.11 should apply the new patches immediately.
Several Other Vulnerabilities Fixed by the Patch Bundle
The Admin Disclosure Vulnerability is not the only issue fixed by the patch bundle. A number of other serious vulnerabilities that could expose sensitive data were fixed too, including the following:
- Cross-site scripting (XSS) vulnerability – error messages are not properly escaped, which exposes them to XSS attacks
- Remote code execution vulnerability – cron.php can be called by anyone; combined with other vulnerabilities on the server, this may lead to remote code execution
- Account takeover threat – the password reset token is passed in a GET request and may therefore leak through the Referer header
What Magento Users Need to Do
The patches in this bundle may break compatibility with some Magento plugins. For that reason, some of the security features added by the patch are disabled by default and must be enabled manually.
To enable these security features, disable the Admin Routing Compatibility Mode For Extensions option, which is found under “Admin > Security” in the Magento Admin interface. Magento users should enable all such security features through that setting.
What We Suggest
Our Magento experts strongly recommend applying SUPEE-6788 to Magento stores as soon as possible, so that threats such as exposure of user data and site takeover do not affect your Magento store.
We have noticed that the .htaccess files affected by the patch include .htaccess, htaccess.sample and dev/tests/functional/.htaccess. We have also noticed that modifications to these htaccess files lead to patch failures.
According to our experts, Magento users need to verify plugin compatibility by first installing the patch in a proper test environment. Besides this, the following is highly recommended:
- Update incompatible plugins without delay
- Disable the Admin Routing Compatibility Mode setting
If the above-mentioned setting remains enabled, your Magento store stays exposed to the Admin Disclosure Vulnerability. The Magento documentation includes detailed instructions for applying the relevant patches, which can be referred to as required.
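To turn the checklist above into something repeatable, here is an added example (not from this article and not Magento's own tooling): a small Python audit that checks whether SUPEE-6788 is recorded as applied, whether the compatibility mode is still on, and whether a failed hunk left a reject file beside any of the .htaccess files named above. It assumes the applied.patches.list record format and the core_config_data path for the compatibility-mode flag stated in its comments; verify both against your installation.

```python
import sys
from pathlib import Path

PATCH_ID = "SUPEE-6788"
# Files the patch touches; a failed hunk leaves a <file>.rej reject file beside them.
HTACCESS_FILES = (".htaccess", ".htaccess.sample", "dev/tests/functional/.htaccess")
# Assumed core_config_data path for "Admin Routing Compatibility Mode For Extensions".
COMPAT_MODE_PATH = "admin/security/extensions_compatibility_mode"

def patch_applied(applied_patches_list: str, patch_id: str = PATCH_ID) -> bool:
    """Replay app/etc/applied.patches.list in order: a line naming the patch records an
    apply unless it is marked REVERTED (assumed record format; the last entry wins)."""
    applied = False
    for line in applied_patches_list.splitlines():
        if patch_id in line:
            applied = "REVERTED" not in line
    return applied

def compat_mode_enabled(config_rows) -> bool:
    """config_rows: (path, value) pairs from core_config_data. A missing row means the
    patch default, which the article says leaves compatibility mode enabled."""
    for path, value in config_rows:
        if path == COMPAT_MODE_PATH:
            return str(value).strip() not in ("0", "")
    return True

def audit(root, applied_patches_list, config_rows) -> list:
    """Return findings; an empty list means the store follows the advice above."""
    root = Path(root)
    findings = []
    if not patch_applied(applied_patches_list):
        findings.append(f"{PATCH_ID} is not recorded as applied")
    elif compat_mode_enabled(config_rows):
        findings.append("Admin Routing Compatibility Mode is still enabled "
                        "(Admin > Security): the patch's admin path protection is not active")
    for rel in HTACCESS_FILES:
        if (root / f"{rel}.rej").exists():
            findings.append(f"{rel}.rej present: the patch hunk failed, "
                            "probably because the file was modified locally")
    return findings

if __name__ == "__main__":
    # Usage: audit.py <magento_root> <config.tsv>; config.tsv holds "path<TAB>value"
    # lines exported from core_config_data (e.g. via mysql -N --batch -e "SELECT ...").
    root = Path(sys.argv[1])
    patches = (root / "app/etc/applied.patches.list").read_text(errors="replace")
    rows = [ln.split("\t", 1) for ln in Path(sys.argv[2]).read_text().splitlines() if "\t" in ln]
    for finding in audit(root, patches, rows) or ["No findings"]:
        print(finding)
```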
Julia is Techarex Network’s Content Marketing Associate for Intuit products. She has worked as a B2B and Marketing Strategist for the last seven years, helping businesses with software implementation for Customer Service, CRM, and Email Marketing. Julia thrives in helping companies find the right software solution for their projects. Aside from her obvious passion for Marketing, Julia admits to being a foodie and travel enthusiast.