Magento critical security patches SUPEE-6788, SUPEE-6482, SUPEE-6285, SUPEE-5994, SUPEE-5344, SUPEE-3762, SUPEE-1533 (Shoplift)

- E-Commerce
 

Magento critical security patches

Shoplift is a dangerous Magento bug. It allows hackers to take e-commerce store under a full control. The threat was discovered by Check Point. You can easily fix it with the help of patch SUPEE-5344. A lot of Magento stores are still vulnerable, because they haven’t applied the patch yet. Below, you we show how to fix the problem.

UPD (15.05.15): SUPEE-5994 Magento security patch

 UPD (08.07.15): SUPEE-6285 Magento security patch

UPD (08.07.15): Magento Security Alert Registry

UPD (05.08.15): SUPEE-6482 Magento security patch

UPD (17.09.15): SUPEE-3762 Magento security patch

UPD (09.10.15): Magmi and Nginx

UPD (21.10.15): Guruincsite Magento Issue and SUPEE-6788 Magento security patch

UPD (24.11.15): Magento Security Patch SUPEE-6788 Performance Issues

UPD (28.01.16): SUPEE-7405 and SUPEE-7616

Unofficial but trustworthy FireGento Magento source mirror with all official Magento CE 1.7 – 1.9 critical patches included (SUPEE-5994, SUPEE-5344, SUPEE-1533)

Official guide to patch installation

All Magento security patches on GitHub

Magento Security Suite by Amasty

SUPEE-8788

We describe SUPEE-8788 Magento security patch here: SUPEE-8788 – A New Magento Security Patch.

SUPEE-7405 and SUPEE-7616

Magento Community Edition 1.9.2.3 has been released and we also got two new patches: SUPEE-7405 and SUPEE-7616. And while the new version of the platform offers an update to the USPS API, the patches improve the security of your Magento website.

As well as in case of some previous updates, there were no confirmed attacks caused by the new vulnerabilities, but they can be exploited to access some sensitive data – the same old song! Thus, we recommend you to install new patches or to update your ecommerce website to Magento Community 1.9.2.3.

SUPEE-7405 (Security Patch Bundle )

Instead of publishing a single security patch, Magento has published a bundle of patches dubbed SUPEE-7405. All of them are aimed at Magento 1.x resolve some security-related problems. For further information, check the official page of the Magento security patch here: SUPEE-7405.

SUPEE-7616 (USPS Patch)

As for SUPEE-7616, it is designed to prepare your store to revamped USPS conditions which include new services, rates, and package names. So, with the patch, you will get the following changes:

  • Retail Ground is now the name of Standard Post
  • Flat Rate Box for Priority Mail Express Eliminated

You can download bothe Magento security patches at the same location. You only should:

  • Go to the Magento CE download page.
  • Click the tab called Release Archive.
  • Find Magento Community Edition Patches.
  • Find the listing for SUPEE-7405.
  • Select your current Community Edition version.
  • Hit the Download button.
  • Follow further instructions.

Magento Security Patch SUPEE-6788 Performance Issues

The Magento Security Patch SUPEE-6788 causes some performance issues. Dima Soroka describes them in his article here: Performance Issues with Magento Security Patch SUPEE-6788. Furthermore, he offers a performance improvement for the patch: Performance improvement for Magento Patch SUPEE-6788.

Guruincsite Magento Issue and SUPEE-6788 Magento security patch

Guruincsite Magento Issue has been discovered recently. Thousands Magento websites are already vulnerable, so it is extremely important to check if your store is not infected. For further information about the problem, check this article: Guruincsite Magento Disaster.

To prevent your Magento website from the new disease, install a new security patch SUPEE-6788. Please note that the patch may provide an impact on your extensions. How to check which modules are affected by security patch SUPEE-6788; a list of extensions that won’t work 100% after SUPEE-6788.

SUPEE-6788 addresses more than 10 security issues, including such important problems as information leak and remote code execution vulnerabilities. Since the patch breaks backward compatibility and could change a way your extensions and customizations work, check the list of changes that may impact your Magento website.

The SUPEE-6788 Magento security patch is available for Magento Enterprise Edition 1.7+ and Magento Community Edition 1.4+. It is possible to upgrade your store to Magento Enterprise Edition 1.14.2.2 or Community Edition 1.9.2.2 to implement the patch. If you don’t want to upgrate your website, check the tutorial below.

Magento SUPEE-6788 Developer Toolbox – This script attempts to find and automatically resolve major problems from the patch. It does this in two stages: analyze, and fix.

How to download and install SUPEE-6788 Magento security patch

SUPEE-6788 requires all previous security patches to be installed.  you must first implement all previous security patches. This will ensure that the patch works properly.

If you are a Magento partner, go to the Partner Portal and select the following options: Technical Resources and Download on the Enterprise Edition panel. Then, go to Magento Enterprise Edition/Patches & Support and find the “Security Patches – October 2015” folder: SUPEE-6788 is located there.

If you are an Enterprise Edition merchant, open your account, go to the Downloads tab / Magento Enterprise Edition / Support Patches and find the “Security Patches – October 2015” folder.  Download and install SUPEE-6788.

If you are a Community Edition merchant visit the Community Edition download page and find the SUPEE-6788 Magento security patch there.

Although SUPEE-6788 has been released, admin routing changes are turned off by default. It means that the patch includes the fix, but that it will be disabled after you install it. As a result, you get additional time for making updates to your code. Note that Magento extensions and customizations should be updated in order to work with SUPEE-6788.

To enable the admin routing capability for extensions after install the patch go to Admin/Advanced/Admin/Security.

Resources necessary to master the SUPEE-6788 Magento security patch update

SUPEE-6788 Magento Security Patch Custom Blocks (and Variables) Issue

After installing the SUPEE-6788 Magento security patch, some custom blocks disappear from the front page, because Magento has added new restrictions in the blockDirective method with the security patch. You can find out if a block type that needs to be displayed is allowed inside a permission_block database table. A new code in Mage_Core_Model_Email_Template_Filter class checks if it exists in the table. In order to resolve the problem with custom blocks, which are not listed in permission_block and consequently will not be displayed, you should:

  • define your custom blocks used in the cms {{block}}directive
  • under System/Permissions/Blocks add your block type as allowed.

Now, you can open your “app/code/core/Mage/Core/Model/Email/Template/Filter.php” file in a text editor, find “public function blockDirective” somewhere around the 169th line, and add the following line

Thus, you will be able to log all blocks that Magento is checking:

Now, you only have to surf through all pages on your Magento website while block types will be automatically logged inside the var/log folder. Copy them and add to already allowed block types. The same is about variables, as they can be also affected by the SUPEE-6788 Magento security patch. Variables can be added under System/Permissions/Variables.

Plugins that use custom variables should be updated. Check the following example:

Sources: Pinpoint Designs and Magento Stackexchange

Magmi and Nginx

Magmi and Nginx are two new security vulnerabilities that have been discovered recently. Fortunately, you can easily fix them. Check this blog post – Beware of Nginx and Magmi Data Import Tool – for further information.

SUPEE-3762 Magento Security Patch: Denial of Service flaw

This bug crashes the whole shop when a specific API request is made. The affwcted versions of Magento are 1.9.0.0 and 1.9.0.1. The problem can be healed with SUPEE-3762:

You are redirected to /index.php/install from frontpage or get the following error:

quickly fix it by putting the following code on top of index.php (thanks to Ben Lessani):

SUPEE-6482 Magento Security Patch

A new Magento security patch called SUPEE-6482 has been released! This time it fixes 4 security issues related to APIs and cross-site scripting. Luckily, there are no victims of these bugs, so the patch is a preventive measure. The issues are described below.

  • Cross-site Scripting with Unvalidated Headers

This problem is possible only on a server with specific configurations. Since an unvalidated host header leaks into a page and an attacker can inject any HTML or JavaScript code adding fake forms for example, all store customers are under risk.

  • Autoloaded File Inclusion in Magento SOAP API

The issue causes code to be autoloaded. This happens because of SOAP API request incorrect validation. Again, the problem requires specific settings, but with appropriate conditions, attackers can load code remotely, as well as log in first with API credentials.

  • XSS in Gift Registry Search

This threat is aimed at registered users.  Attackers can thieve cookies and impersonate your customers.

  • SSRF Vulnerability in WSDL File

Due to incorrect encoding of API password, attackers are able to probe internal network resources as well as include remote files.

Magento security patches

Support

The SUPEE-6482 Magento security patch was designed for both Magento Community and Magento Enterprise Editions. Being part of Community Edition 1.9.2.1, it is supported by CE 1.4+.  For EE, the patch is available since 1.7 version of the platform. It will be embedded into Enterprise Edition 1.14.2.1.

Download

The SUPEE-6482 Magento security patch requires all previous security patches to be installed. Community Edition merchants can download the patch on the Community Edition download page, or upgrade to 1.9.2.1. Enterprise Edition merchants can find the improvement on My Account > Downloads tab, > Magento Enterprise Edition > Support Patches. There is also an ability to upgrade to 1.14.2.1.

SUPEE-6285 Magento Security Patch

The SUPEE-6285 Magento security patch introduces a new level of security. It fixes a weakness that has been recently found in Magento. Luckily, there are no ecommerce shops attacked owing to this issue, but it doesn’t mean you can delay the installation of SUPEE-6285. Deploy the patch immediately and you will provide your store with an additional security level.

First of all the SUPEE-6285 Magento security patch blocks attackers. It prevents them from getting an access to the orders feed. Thus, you preserve personal data. Then, the patch fixes a number of security gaps, such as a cross-site scripting and a request forgery, or vulnerabilities related to the error path disclosure.

The patch is available for Magento Enterprise Edition 1.9+ and Magento Community Edition 1.4.1-1.9.1.1.

Since the SUPEE-6285 Magento security patch is a part of Community Edition 1.9.2, you can easily fix all security problems by upgrading your ecommerce website to the latest version of the platform. The download link is here: Magento Community Edition 1.9.2.

Please note that SUPEE-6285 can be implemented only if SUPEE-5994 has been already installed on your website. To check if everything works as expected, use a development environment first.

The full list of SUPEE-6285 Magento security fixes

Since the SUPEE-6285 file consists of more than 1,100 lines of code, it provides lots of changes. The patch includes 350 additions and 100 removals. Thus, there are several strict requirements as well as possible errors. You can check all of them here.

And this is a detailed description of SUPEE-6285. If you don’t know how to install the patch, look at this guide.

If you don’t know whether your Magento version requires the SUPEE-6285 Magento security patch or any other previous improvement, check a Magento patch requirement/compatibility spreadsheet by John Knowles. It is available in Google Docs divided into two parts. The first one is related to Magento Enterprise Edition. The second part shows us patch requirements and compatibilities of Community Edition. Both provide information on all available patches, their release dates, compatibility with available versions of the platform, as well as an installation necessity. You can find the spreadsheet here.

Magento Security Patches

Magento Security Patch List

Download  SUPEE-6285

Magento Security Alert Registry

With Security Alert Registry, Magento introduces a new approach to safety. The new service is designed to inform you about all the latest vulnerabilities. Fill in a form and send your request here to get all the latest information related to the Magento security issues.

 

Security patches

SUPEE-5994 Magento Security Patch

Magento has released a new patch – SUPEE-5994. It’s aimed to fix the set of security problems and multiple bugs related to the safety of your e-commerce store.

All versions of Magento CE are impacted, that’s why it is extremely necessary to install SUPEE-5994 patch immediately.

The SUPEE-5994 Magento security patch should be installed after SUPEE-5344 – Shoplift patch.

Hit this link to download SUPEE-5994 security patch. It is available for CE 1.4.1– 1.9.1.1.

We strongly recommend you to start your work with the patch from a development environment. Before deploying it to a production site, don’t forget to make a backup.

___________________________________

Thousands of stores are not updated just because their owners are not informed, they lack of technical support, or their hosting does not provide SSH access. Of course, there are lots of other issues. Being a part of Magento community, we always try to take care of other dwellers of Magento ecosystem, so we share this information with you. We also hope, you will share it with other Magento members.

First of all, we recommend you to use this link – https://shoplift.byte.nl/ – it’s the source of main information about the problem. You will also find there some stats. The video below demonstrates Magento Remote Code Execution (RCE) Vulnerability

Use the below link to check, if your Magento store is affected: http://magento.com/security-patch

The good news is that Magento 1.9.1.1 already includes all patches (but not the recent SUPEE-5994 !). You can fix Shoplift by simply upgrading it to the latest version. Below you can find guides and how-tos on the upgrade:

  1. https://www.demacmedia.com/magento-commerce/magento-upgrade-guide/

  2. http://www.magentocommerce.com/wiki/1_-_installation_and_configuration/manual_upgrade_using_fresh_install_and_original_database

  3. https://blog.amasty.com/how-to-upgrade-magento-version/

There is also a complete guide on patching other versions of Magento:

Or you can use this one:

Want to apply patches without SSH and use Core Diffs instead? Hit the below link http://magentary.com/kb/apply-supee-5344-and-supee-1533-without-ssh/

Another guide based on downloaded patched core files

The appropriate discussion on Magento Stack Exchange.  You can find all possible ways of patching there.

Hacked Magento reports / How to check if you Magento store is hacked

Check the below links to see Hacked Magento reports. You will learn how to check whether your store is hacked or not, and what to do, if the store is hacked after applying patches.

Issues and troubleshooting after patching

Some old versions of Magento (probably 1.7.x and 1.8.x) can have issues during applying the patch. We strongly recommend you to make backup of all files affected by patches (you can find them on the below links).

Hunk # FAILED

Hunk # FAILED – in most cases it means that you are using a wrong version of patch which is not suitable for the version of your Magento store, or you have some required server stuff missed. Check the below links to get more help.

However, this issue can also occur with the correct patch on Magento 1.8.x. To solve this problem, you should upload patched files manually (use the above links). And don’t forget to make backups of affected files!

Fatal error: Class Varien_Db_Adapter_Pdo_Mysql

Fatal error: Class Varien_Db_Adapter_Pdo_Mysql contains abstract methods and therefore it must be declared –  this issue often happens on old Magento versions (1.7.x) even if you use the correct patch. In that case we suggest to replace lib/Varien/Db/Adapter/Pdo/Mysql.php with a file from patch for more recent Magento version, such as 1.8-1.9 (we have successfuly fixed this error for our several MAgento 1.7 projects). Hit the below link to download the file

You should also check official Magento forum to get more information about the patch and update. Currently, there are a lot of appropriate discussions there:

More information on patch and advices to prevent Magento hacking

Class ‘Mage_Install_Controller_Router_Install’ not found

SUPEE-5994 Patch installation error (fails on lib/PEAR/)

If you have deleted /downloader, you can use a special Magento Security Patch SUPEE-5994 (Magento CE 1.6 – 1.9 / EE 1.11 – 1.14) WITHOUT DOWNLOADER PATCHES

How to check the latest patch version applied to Magento

First of all, you need an FTP access. Then you should check the app/etc/ directory. You can find applied.patches.list file there, which is added when the patch is applied. Being a diff file, the patch shows what it should change when you open it.  You should also check in the targeted file if it is changed.

Or you can use a Philwinkle_AppliedPatches Magento module. This tool provides you with the ability to check all applied patches right from the Magento admin. Philwinkle_AppliedPatches utilizes the aforementioned  applied.patches.list file to create a list of applied patches. The module doesn’t work, if you do not retain the aforementioned file or commit to source control. If the file is not readable by the web server user, Philwinkle_AppliedPatches also doesn’t work.

SUPEE-5994, SUPEE-5344, SUPEE-1533 patches

How to check the latest patch version applied to Magento

Philwinkle_AppliedPatches on GitHub

How to Install Magento via Composer with all security patches:

If you have any issues or errors while applying Magento core patches, or you have questions related to this topic, let us know in comments – we will try to help!