SUPEE-8788 – A New Magento Security Patch
Our blog already has a post dedicated to Magento security patches; SUPEE-6482, SUPEE-6285, SUPEE-5994, SUPEE-5344 and others are described there: Magento critical security patches. Since that post has grown too large, we have created a new one that sheds light on the latest patch, SUPEE-8788. This security update is vital because it fixes a large number of vulnerabilities. Most of them have not yet been exploited in attacks, but that is no reason to skip SUPEE-8788.
So, what does the SUPEE-8788 Magento security patch do? It is mainly aimed at fixing Zend Framework and payment-related vulnerabilities. Its other important goal is to ensure that sessions are invalidated after a user logs out. The patch also removes compatibility issues with SUPEE-1533 and SUPEE-3941 (both of which may occur on EE 1.13 and CE 1.8 or earlier releases), and it resolves some checkout issues with third-party payment methods. In total, 17 APPSEC fixes are included. Pay attention to the version of SUPEE-8788: there are currently SUPEE-8788 v1 and SUPEE-8788 v2, and v2 is the one to install.
Installation
- Revert SUPEE-1533 (if it is installed).
- Deploy SUPEE-3941 (if it is not installed).
- Install SUPEE-8788 v2.
Note that SUPEE-8788 already includes SUPEE-1533, so you don't have to reinstall it after reverting.
If you have already installed SUPEE-8788 v1, revert it first and then perform the steps above.
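The steps above depend on what is already applied to the store, which Magento 1 records in app/etc/applied.patches.list. The following POSIX shell script is an added example (not from the original post or from Magento) that reads that file and prints the commands in the prescribed order. The patch script filenames are placeholders (real ones encode edition, version and a timestamp) and can be overridden through the environment; treating a list line that contains REVERTED as "not applied" is an assumption about the list format, so check it against your own file. Magento patch scripts accept -R to revert.

```shell
#!/bin/sh
# Added example, not from the original post or from Magento: work out the
# SUPEE-8788 v2 installation order for a store from app/etc/applied.patches.list.
# The patch script filenames below are placeholders (real ones encode your
# edition, version and a timestamp); override them via the environment.
SUPEE_1533="${SUPEE_1533:-PATCH_SUPEE-1533.sh}"
SUPEE_3941="${SUPEE_3941:-PATCH_SUPEE-3941.sh}"
SUPEE_8788_V1="${SUPEE_8788_V1:-PATCH_SUPEE-8788_v1.sh}"
SUPEE_8788_V2="${SUPEE_8788_V2:-PATCH_SUPEE-8788_v2.sh}"

# last_entry LIST PATCH: print the most recent applied.patches.list line that
# names PATCH (the file is appended to, so the last match is the current state).
last_entry() {
    [ -f "$1" ] || return 0
    grep -- "| $2 |" "$1" | tail -n 1
}

# patch_applied LIST PATCH: succeed if PATCH is currently applied. Treating a
# line containing REVERTED as "not applied" is an assumption about the list
# format; check it against your own file before relying on it.
patch_applied() {
    _entry=$(last_entry "$1" "$2")
    [ -n "$_entry" ] || return 1
    case "$_entry" in
        *REVERTED*) return 1 ;;
        *)          return 0 ;;
    esac
}

# supee8788_plan LIST: print, in order, the commands the post prescribes:
# revert SUPEE-8788 v1 if present, revert SUPEE-1533, apply SUPEE-3941 if
# missing, then apply SUPEE-8788 v2. Magento patch scripts take -R to revert.
supee8788_plan() {
    _list="$1"
    if patch_applied "$_list" SUPEE-8788; then
        case "$(last_entry "$_list" SUPEE-8788)" in
            *"| v1 |"*) echo "sh $SUPEE_8788_V1 -R" ;;
            *) echo "# SUPEE-8788 v2 is already applied"; return 0 ;;
        esac
    fi
    if patch_applied "$_list" SUPEE-1533; then
        echo "sh $SUPEE_1533 -R"
    fi
    if ! patch_applied "$_list" SUPEE-3941; then
        echo "sh $SUPEE_3941"
    fi
    echo "sh $SUPEE_8788_V2"
}

# Usage: supee8788_plan app/etc/applied.patches.list
# Review the printed commands, then run them from the Magento root directory.
```

The script only prints the plan; it deliberately does not execute anything, so you can inspect the order (and the detected state) before touching a production store.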
Alternatively, you can use an automatic patch-applying tool: the Magento SUPEE-8788 Patcher automates the steps required to apply the SUPEE-8788 security patch.
You can also update Magento to the latest version, which already includes all patches.
Details
The full list of SUPEE-8788 changes is posted on magento.stackexchange by
- Flash support has been dropped in favour of the new Mage_Uploader module: Mage_Adminhtml_Block_Media_Uploader no longer exists, and Mage_Uploader_Block_Multiple is used instead.
- Accordingly, the Mage_Downloadable module has been refactored to work with the new non-Flash uploader; Mage_Uploader_Block_Single is now used as the upload block instead of templates.
- The following SWF files have been deleted:
    skin/adminhtml/default/default/media/flex.swf
    skin/adminhtml/default/default/media/uploader.swf
    skin/adminhtml/default/default/media/uploaderSingle.swf
- The address deletion controller has been improved: it is now protected with a form key (Magento's anti-CSRF token), and the delete URL comes directly from Mage_Customer_Block_Address_Book via getDeleteUrl.
- The same applies to the wishlist item removal controller, whose remove URL now comes from getRemoveUrl in Mage_Wishlist_Helper_Data.
- The PayPal Express payment method has been revamped as well: the new customer is now created before the new quote is processed.
- The payment methods that use cURL/HTTP client have also been changed (see StackExchange for details).
- The maximum product image dimensions can now be changed in the configuration.
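Both of the two items above are the same fix: a state-changing action (delete an address, remove a wishlist item) used to be reachable by any request that named an id, so a page on another site could trigger it in a logged-in customer's browser. The stand-alone PHP 8 script below is an added example, not Magento's code, modelling that form-key check: a per-session key, a block that puts the key into the link it renders (the role of getDeleteUrl / getRemoveUrl), and the controller action before and after the check. All class, method and path names are illustrative; how the real template transmits the key is not modelled.

```php
<?php
declare(strict_types=1);
// Added example (PHP 8), not Magento's code: a minimal stand-alone model of
// the form-key (anti-CSRF) check that SUPEE-8788 adds to the address delete
// and wishlist remove actions. All class and method names are illustrative.

final class Session
{
    private ?string $formKey = null;

    // One unpredictable key per session, created lazily. Magento 1 keeps the
    // real one in core/session and exposes it as getFormKey().
    public function getFormKey(): string
    {
        return $this->formKey ??= bin2hex(random_bytes(16));
    }
}

final class AddressBookBlock
{
    public function __construct(private Session $session) {}

    // Stand-in for getDeleteUrl(): the link the block renders must carry the
    // session's key, otherwise a legitimate click would also be rejected.
    public function getDeleteUrl(int $addressId): string
    {
        return sprintf('/customer/address/delete/id/%d/form_key/%s/',
            $addressId, $this->session->getFormKey());
    }
}

final class AddressController
{
    public function __construct(private Session $session) {}

    // "Before": any request naming an id deletes the address. A page on
    // another site can trigger this in the victim's browser (CSRF).
    public function deleteBefore(array $params, array &$addresses): bool
    {
        unset($addresses[(int) ($params['id'] ?? 0)]);
        return true;
    }

    // "After": the request must carry the key of the current session.
    // Magento redirects back to the address book on failure; here we
    // just report it.
    public function deleteAfter(array $params, array &$addresses): bool
    {
        if (!$this->validateFormKey($params)) {
            return false;
        }
        unset($addresses[(int) ($params['id'] ?? 0)]);
        return true;
    }

    // Constant-time comparison; the is_string() check keeps array-typed
    // input such as form_key[]=x away from hash_equals().
    private function validateFormKey(array $params): bool
    {
        $supplied = $params['form_key'] ?? null;
        return is_string($supplied)
            && hash_equals($this->session->getFormKey(), $supplied);
    }
}

// Turn "/customer/address/delete/id/7/form_key/abc/" into ['id' => '7', ...],
// mimicking how Magento 1 maps trailing path segments to request params.
function paramsFromPath(string $path, int $skip = 3): array
{
    $parts  = array_slice(array_values(array_filter(explode('/', $path), 'strlen')), $skip);
    $params = [];
    for ($i = 0; $i + 1 < count($parts); $i += 2) {
        $params[$parts[$i]] = $parts[$i + 1];
    }
    return $params;
}

// Constructed scenario: a customer with two addresses.
$session    = new Session();
$controller = new AddressController($session);
$block      = new AddressBookBlock($session);

$forged = ['id' => 7];                                  // crafted by a third-party page
$legit  = paramsFromPath($block->getDeleteUrl(8));      // a real click on the rendered link

$addresses = [7 => 'Home', 8 => 'Work'];
printf("before, forged request deleted address: %s\n",
    $controller->deleteBefore($forged, $addresses) ? 'yes' : 'no');

$addresses = [7 => 'Home', 8 => 'Work'];
printf("after, forged request deleted address:  %s\n",
    $controller->deleteAfter($forged, $addresses) ? 'yes' : 'no');
printf("after, legitimate request deleted:      %s\n",
    $controller->deleteAfter($legit, $addresses) ? 'yes' : 'no');

// A key captured from a different session is rejected in the same way.
$other = new AddressController(new Session());
printf("after, another session's key accepted:  %s\n",
    $other->deleteAfter($legit, $addresses) ? 'yes' : 'no');
```

Run it with `php formkey.php`. The forged request goes through against the old action and is refused by the new one, while the request built from the block's own link still succeeds; a key belonging to another session fails too, which is the property that makes the check meaningful. The same pattern, with getRemoveUrl in place of getDeleteUrl, covers the wishlist removal controller.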
Have any questions? Let us know in comments: our team or other readers will help you.