Magento Security Patch 2.0.1 Update

The Magento Security Patch 2.0.1 Update was released on January 20, 2016 to fix multiple issues affecting users during the upgrade to Magento 2.0.0 or 2.0.1 products. This patch fixed Magento Commerce and Open Source editions. Customers should install this update immediately to restore complete operational capabilities. Read on for information about what was addressed and how you can get help installing.

Benefits of Magento Security Patch 2.0.1 Update

Security upgrades in Security Patch 2.0.1 fixed several issues to increase protection, including:

  • XSS in Backend Via User Name (APPSEC-1263)
  • Block Cache Exploit (APPSEC-1247)
  • Stored XSS in Comments (APPSEC-1239)
  • SQL Injection Via Layered Navigation (APPSEC-1294)
  • Order View Protection Code Vulnerability for Guests (APPSEC-1270)
  • XSS in Product Customization Features (APPSEC-1267)
  • Editing/Deleting Reviews With No Approval (APPSEC-1268)
  • CAPTCHA Bypass (APPSEC-1283)
  • Reflected XSS with Cookie Header (APPSEC-1255)
  • CSRF Line Item Cart Removal (APPSEC-1212)
  • Injected Code Stored in Database (APPSEC-1240)
  • Incorrect Filter (APPSEC-1282)

Release Information

Magento Security Patch 2.0.1 update fixes issues vendors faced when installing Magento 2.0.0 or 2.0.1 products from compressed archives, (e.g., .tar.gz, .zip, .bz2, etc.). Forix wants to assure customers that the core Magento software and security enhancements are unaffected.

Merchants who installed a Magento 2.0.0 or 2.0.1 product using other options were not affected and do not need to install this patch. Vendors who haven’t downloaded a Magento 2.0 product should skip to Magento 2.0.2 products.

Installation

Merchants who installed Magento 2.0.0 or 2.0.1 products using a compressed archive file should complete the following steps:

  • Magento Commerce or Open Source Edition 2.0.0 or 2.0.1 with PHP 5.6
    Customers should update the installer from a command line (e.g., type “composer update magento/magento-composer-installer”). After completing this step, use the Web Setup Wizard or a command line to complete the update to your Magento 2.0.0 or 2.0.1 products.
  • Magento Commerce or Open Source Edition 2.0.0 or 2.0.1 with PHP 7.0.2
    Customers need to install the MDVA-84 patch first. After this, use the command line to update the installer (e.g., type “composer update magento/magento-composer-installer”). Follow this step by using the Web Setup Wizard or a command line to complete the update for your Magento 2.0.0 or 2.0.1 products.

Issues Addressed

Risks addressed by Magento Security Patch 2.0.1 update:

  1. XSS in Backend Via User Name (APPSEC-1263) – Risk Rating: 9.3 (Critical)
    Previously, a customer could provide a user name containing JavaScript code during registration. This code could grant the customer an admin session or role.
  2. Block Cache Exploit (APPSEC-1247) – Risk Rating: 7.7 (High)
    A user gaining administrator permissions had access to CMS functionality, allowing them to view encrypted data stored in the cache. Some cases might allow a user to execute code.
  3. Stored XSS in Comments (APPSEC-1239) – Risk Rating: 7.5 (High)
    A user could add JavaScript code to an order comment, which is stored in the database. This code could allow a user to execute commands as an administrator.

Install the Magento Security Patch 2.0.1 Update Today

Forix recommends all vendors that installed a Magento 2.0.0 or 2.0.1 product from compressed archives install the Magento Security Patch 2.0.1 update immediately. Your site will enjoy full functionality and improved security. Forix guarantees the installation will be smooth and without issue. Upgrade today to correct your installation and get security updates.

Resources:
https://magento.com/security/patches/magento-201-security-update