SUPEE-8788 – A New Magento Security Patch


There is already a post dedicated to Magento security patches in our blog. SUPEE-6482, SUPEE-6285, SUPEE-5994, SUPEE-5344, and others are described here: Magento critical security patches. Since that post has grown large, we’ve decided to create a new one which sheds light on the latest patch – SUPEE-8788. The new security improvement is vital since it fixes a large number of vulnerabilities. Although most of them have not yet been used in attacks, that is no reason to ignore SUPEE-8788.

So, what does the SUPEE-8788 Magento security patch do? It is mainly aimed at fixing Zend Framework and payment vulnerabilities. Its next important goal is to ensure sessions are invalidated after a user logs out. Besides, the patch fixes compatibility issues with SUPEE-1533 and SUPEE-3941 (both affect EE 1.13, CE 1.8 and earlier releases). We should also mention that the SUPEE-8788 Magento security patch resolves some checkout issues with third-party payment methods. There are 17 APPSEC updates included! Pay attention to the version of SUPEE-8788: currently, there are SUPEE-8788 v1 and SUPEE-8788 v2.

Installation

  • Revert SUPEE-1533 (if it is installed).
  • Deploy SUPEE-3941 (if it is not installed).
  • Install SUPEE-8788 v2.

Note that the SUPEE-8788 security patch already includes SUPEE-1533, so you don’t have to reinstall it.

In case you’ve already installed SUPEE-8788 v1, you should revert it first and then perform the steps above.
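The order above depends on what is already on the store, and Magento’s patch scripts record every apply and revert in app/etc/applied.patches.list. The script below is an added example (not part of the original post and not Magento’s own tooling) that reads that log and prints which of the three steps are still outstanding. The line layout it parses, the position of the patch id and patch version fields, and the trailing REVERTED marker on revert entries are assumptions modelled on that file; the sample log is constructed, not taken from a real store. Check the layout against your own file before relying on it.

```shell
#!/bin/sh
# Added example: work out which SUPEE-8788 prerequisite steps remain.
# Assumed layout of app/etc/applied.patches.list (verify on your store):
#   <date> | <patch id> | <edition/version> | <patch version> | ... | REVERTED
# where " | REVERTED" appears only on lines written by a revert (-R).

# Path of the log; set PATCH_LIST to point at another file.
patch_list_file() {
    printf '%s\n' "${PATCH_LIST:-${MAGENTO_ROOT:-.}/app/etc/applied.patches.list}"
}

# Print the last log entry for patch $1 (empty if it was never touched).
last_entry() {
    f=$(patch_list_file)
    [ -f "$f" ] || return 0
    awk -F' [|] ' -v id="$1" '$2 == id { line = $0 } END { print line }' "$f"
}

# Succeed when patch $1 is currently applied, i.e. its last entry is not a revert.
patch_applied() {
    entry=$(last_entry "$1")
    [ -n "$entry" ] || return 1
    case "$entry" in
        *REVERTED*) return 1 ;;
        *)          return 0 ;;
    esac
}

# Patch version (v1/v2) recorded in the last entry for $1; empty if none.
patch_version() {
    last_entry "$1" | awk -F' [|] ' '{ print $4 }'
}

# Print the outstanding steps, one per line, in the order the post gives them.
supee_8788_plan() {
    if patch_applied SUPEE-8788; then
        if [ "$(patch_version SUPEE-8788)" = "v2" ]; then
            echo "nothing to do: SUPEE-8788 v2 already applied"
            return 0
        fi
        echo "revert SUPEE-8788 v1 (run the v1 patch script with -R)"
    fi
    patch_applied SUPEE-1533 && echo "revert SUPEE-1533"
    patch_applied SUPEE-3941 || echo "apply SUPEE-3941"
    echo "apply SUPEE-8788 v2"
}

# Constructed sample log (not a real store's file): SUPEE-1533 applied,
# SUPEE-8788 v1 applied and later reverted, SUPEE-3941 never applied.
write_sample_list() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
2016-03-01 09:00:00 UTC | SUPEE-1533 | CE_1.8.1.0 | v1 | 0000000 | Tue Feb 10 2015
2016-10-12 09:30:00 UTC | SUPEE-8788 | CE_1.8.1.0 | v1 | 0000000 | Tue Oct 11 2016
2016-10-20 10:00:00 UTC | SUPEE-8788 | CE_1.8.1.0 | v1 | 0000000 | Tue Oct 11 2016 | REVERTED
EOF
    printf '%s\n' "$f"
}

# Demo run against the constructed log.
PATCH_LIST=$(write_sample_list)
supee_8788_plan
rm -f "$PATCH_LIST"
```

Run it from the Magento root (or set MAGENTO_ROOT) after replacing the demo lines at the bottom; for the constructed log it prints "revert SUPEE-1533", "apply SUPEE-3941" and "apply SUPEE-8788 v2", matching the three steps above.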

Alternatively, you can use an automatic patch-applying tool. Magento SUPEE-8788 Patcher automates the steps required to apply the SUPEE-8788 security patch. Download the tool here.

You can also update Magento to the latest version, which already includes all patches.

Details

The full list of SUPEE-8788 changes is posted on magento.stackexchange by Raphael at Digital Pianism. Below is a short version.

  • With the new Mage_Uploader module, Flash support has been dropped (Mage_Adminhtml_Block_Media_Uploader no longer exists; Mage_Uploader_Block_Multiple replaces it).
  • Accordingly, the Mage_Downloadable module has been refactored so that it handles the new non-Flash uploader. Mage_Uploader_Block_Single is used as the upload block instead of templates.
  • The following SWF files are deleted:

  • The address deletion controller has also been improved: it is now protected with a form key (Magento’s CSRF token), and the delete link is built directly in Mage_Customer_Block_Address_Book via getDeleteUrl.
  • The same applies to the wishlist item removal controller, with the link coming from getRemoveUrl in Mage_Wishlist_Helper_Data.
  • The PayPal Express payment method has been revamped as well: the new user is now created before the new quote is processed.
  • Payment methods that use cURL/HTTP Client have also been changed (see StackExchange for details).
  • The maximum product image dimensions can now be changed in the configuration.

Useful Links

For further information, follow this link: Security Patch SUPEE-8788 – Possible Problems?.

Also check MageReport, a tool that scans your Magento store for known security vulnerabilities (such as online credit card skimming).

All patches can be downloaded here: Magento patches at Github.

Have any questions? Let us know in comments: our team or other readers will help you.