Magento Security Patch SUPEE-6285
The Magento Security Patch SUPEE-6285 bundle of eight patches was released on July 7, 2015 to resolve multiple security issues. The fixes are included in the latest Magento Commerce and Open Source editions; merchants running older versions should install the bundle. The issues it resolves and how to obtain it are described below.
Benefits of Magento Security Patch SUPEE-6285 Bundle
The eight patches in the SUPEE-6285 bundle protect your store by resolving the following issues:
- Request Forgery in Magento Connect (APPSEC-924)
- Customer Information Leak via RSS and Privilege Escalation (APPSEC-996)
- Cross-site Scripting: Cart (APPSEC-1005)
- Cross-site Scripting: Wishlist (APPSEC-1012)
- Store Path Disclosure (APPSEC-847)
- Broad Permissions on Log Files (APPSEC-802)
- Cross-site Scripting: Admin (APPSEC-852)
- Cross-site Scripting: Orders RSS (APPSEC-1012)
Release Information
The Magento Security Patch SUPEE-6285 eight-patch bundle addresses security issues on several fronts: incorrect encoding of API passwords, faulty validation of SOAP API requests, information leaks through unvalidated Host headers, and more.
Forix urges developers to follow industry security best practices: patch sites promptly and keep up to date with each new security release.
Installation
To download the Magento Security Patch SUPEE-6285 bundle:
- Partners
Partners should open their partner portal, choose Technical Resources, and click Download in the Commerce panel. From there, go to Magento Commerce Edition > Patches and Support and open the folder named “Security Patches – July 2015.”
- Magento Commerce Edition Merchants
Merchants running Magento Commerce Edition should open the My Account page, click Downloads, and look under Magento Commerce Edition > Support patches. The “Security Patches – July 2015” folder contains the bundle. Upgrading to the most recent Commerce Edition release provides the same protection.
- Magento Open Source Edition Merchants
Open Source Edition merchants should search the download page for security patches for previous versions of Magento Open Source Edition (search for SUPEE-6285). Merchants who upgrade to the most recent Open Source Edition release do not need to install this patch bundle.
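After installing the bundle, a practitioner will want to confirm it actually took, and that the log-permission fix (APPSEC-802) is reflected on disk. The following shell script is an added example, not Magento's or Forix's code. It assumes that the Magento 1 patch scripts append a line naming the patch to app/etc/applied.patches.list and that log files live in var/log/*.log; the fixture directory and the applied.patches.list line it writes are constructed for a dry run and simplified relative to real entries.

```shell
#!/bin/sh
# Added example (not Magento's or Forix's code): verify that SUPEE-6285 is
# recorded in a Magento 1 install and that var/log files are not world-readable.
# Assumptions: patch scripts append a line naming the patch to
# app/etc/applied.patches.list; log files are var/log/*.log.

# patch_applied ROOT PATCH -> exit 0 if PATCH is named in ROOT/app/etc/applied.patches.list
patch_applied() {
    list="$1/app/etc/applied.patches.list"
    [ -f "$list" ] || return 1
    grep -F -q -- "$2" "$list"
}

# world_readable_logs ROOT -> print each var/log/*.log readable by "other";
# exit 1 if any was found, 0 otherwise
world_readable_logs() {
    found=0
    for f in "$1"/var/log/*.log; do
        [ -f "$f" ] || continue
        # -perm -004: the "other read" bit is set
        if [ -n "$(find "$f" -perm -004 -print)" ]; then
            echo "world-readable: $f"
            found=1
        fi
    done
    return "$found"
}

# make_fixture -> print the path of a constructed fake Magento root
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/app/etc" "$root/var/log"
    # constructed sample line; real entries carry more fields than this
    printf '%s\n' '2015-07-10 12:00:00 UTC | SUPEE-6285 | CE_1.9.1.1 | v1' \
        > "$root/app/etc/applied.patches.list"
    : > "$root/var/log/system.log";    chmod 600 "$root/var/log/system.log"
    : > "$root/var/log/exception.log"; chmod 644 "$root/var/log/exception.log"
    printf '%s\n' "$root"
}

# Dry run against the fixture; replace the fixture path with your Magento root.
fixture=$(make_fixture)
if patch_applied "$fixture" SUPEE-6285; then
    echo "SUPEE-6285 recorded in $fixture"
else
    echo "SUPEE-6285 NOT recorded in $fixture"
fi
world_readable_logs "$fixture" || echo "tighten permissions on the files above"
```

Against a real installation, call `patch_applied /path/to/magento SUPEE-6285` and `world_readable_logs /path/to/magento`; a missing applied.patches.list entry means the patch script never completed, and a world-readable log is exactly the condition APPSEC-802 describes.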
Issues Addressed
Here is a list of issues fixed in the Magento Security Patch SUPEE-6285 bundle.
- Cross-site Scripting Errors/Poisoning (APPSEC-1030) – Risk Rating: 9.3 Critical
Unvalidated Host headers are used to build links and other page data, so an attacker who controls the header can inject HTML or JavaScript into pages served to every customer, for example a fraudulent credit card form on the checkout page. Only a limited set of server configurations is affected, and only Commerce editions.
- Cross-site Scripting: Gift Registry (APPSEC-1022) – Risk Rating: 9.3 Critical
An unescaped gift registry search parameter is reflected into the page. An attacker can use it to run script in a customer's browser, steal session cookies and impersonate the customer. This affects Commerce editions only.
- SOAP API Autoloaded File Inclusion (APPSEC-1019) – Risk Rating: 6.5 Medium
A SOAP API request is not validated correctly, which lets an attacker who has first logged in with API credentials make the server's autoloader include a file of the attacker's choosing. On certain PHP versions and configuration settings this escalates to loading code remotely.
- SSRF Vulnerability in WSDL File (APPSEC-1020) – Risk Rating: 5.3 Medium
By exploiting the incorrect encoding of API passwords, an attacker can make the server probe internal network resources or place remote files in a directory.
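The APPSEC-1030 entry above describes the classic Host header injection pattern: a request header is copied into generated markup without validation or escaping. The following shell functions are an added illustration of that pattern and of the validate-then-escape mitigation; they are not Magento's patch or Forix's code. The allowlist of store hosts, the link template and the forged header value are all constructed for the example.

```shell
#!/bin/sh
# Added example (not Magento's patch): a Host header copied straight into
# markup versus one validated against an allowlist of configured store hosts
# and HTML-escaped before output. Allowlist, template and inputs are constructed.

# normalize_host VALUE -> lowercase, without a trailing :port or trailing dot
normalize_host() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed -e 's/:[0-9]*$//' -e 's/\.$//'
}

# host_allowed VALUE "host1 host2 ..." -> exit 0 only on an exact normalized match
host_allowed() {
    h=$(normalize_host "$1")
    for a in $2; do
        [ "$h" = "$(normalize_host "$a")" ] && return 0
    done
    return 1
}

# html_escape STRING -> entity-encode the five characters that break out of markup
html_escape() {
    printf '%s\n' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
        -e 's/"/\&quot;/g' -e "s/'/\&#39;/g"
}

# vulnerable_link HOST -> the bug class: header value pasted into an href verbatim
vulnerable_link() {
    printf '<a href="http://%s/checkout/">Checkout</a>\n' "$1"
}

# safe_link HOST "allowed hosts" -> unknown hosts fall back to the first
# configured host, and whatever is emitted is escaped
safe_link() {
    if host_allowed "$1" "$2"; then
        h=$(normalize_host "$1")
    else
        h=$(normalize_host "${2%% *}")
    fi
    printf '<a href="http://%s/checkout/">Checkout</a>\n' "$(html_escape "$h")"
}

# Constructed forged header: closes the href and opens an attacker-controlled form
forged='x"><form action=http://evil.example.net/card>'
echo "vulnerable: $(vulnerable_link "$forged")"
echo "hardened:   $(safe_link "$forged" 'shop.example.com admin.example.com')"
```

The first line of output shows the injected form landing inside the page; the second shows the same request rendered with the configured host instead. Exact matching after normalization is deliberate: suffix or substring checks would let `shop.example.com.evil.example.net` through.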
Get the Magento Security Patch SUPEE-6285 Bundle Today
Install the Magento Security Patch SUPEE-6285 bundle today to protect your store. Contact Forix for help with the installation.
Resources:
https://magento.com/security/patches/supee-6285