Magento Security Patch SUPEE-6285

The Magento Security Patch SUPEE-6285 bundle of eight patches was released on July 7, 2015 to resolve multiple security issues. This patch is included in the latest Magento Commerce and Open Source editions. Vendors using older versions of Magento products should install this patch. Learn more about those issues and how to get this patch below.

Benefits of Magento Security Patch SUPEE-6285 Bundle

The Security Patch SUPEE-6285 eight-patch bundle protects your store by fixing several security issues, including:

  • Forgery in Magento Connect Leads (APPSEC-924)
  • RSS/Privilege Escalation Leaks (APPSEC-996)
  • Cross-site Scripting: Cart (APPSEC-1005)
  • Cross-site Scripting: Wishlist (APPSEC-1012)
  • Store Path Disclosure (APPSEC-847)
  • Broad Permissions on Log Files (APPSEC-802)
  • Cross-site Scripting: Admin (APPSEC-852)
  • Cross-site Scripting: Orders RSS (APPSEC-1012)

Release Information

The Magento Security Patch SUPEE-6285 eight-patch bundle was released to address security issues on multiple fronts. The issues addressed include incorrect encoding of API passwords, faulty validation of SOAP API requests, information leaks through non-validated host headers, and more.

Forix urges developers to follow industry security best practices: update your site regularly and stay up to date with new patches.

Installation

To download the Magento Security Patch SUPEE-6285 bundle:

  • Partners
    Partners need to navigate to their portal, choose Technical Resources, and click Download from the Commerce panel. Then go to Magento Commerce Edition > Patches and Support and find the folder named “Security Patches – July 2015.”
  • Magento Commerce Edition Vendors
    Vendors running the Magento Commerce Edition need to access the My Account page, click Downloads, and look for Magento Commerce Edition > Support patches. Find the “Security Patches – July 2015” folder to download the latest patch. Upgrading to the most recent version of Commerce Edition provides the same protection.
  • Magento Open Source Edition Vendors
    Open Source Edition vendors should search on the download page for security patches to previous versions of Magento Open Source Edition (search for SUPEE-6285). Vendors choosing to upgrade to the most recent Open Source Edition do not need to install this patch bundle.
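Once the bundle has been applied, two quick checks are worth running on the store: that SUPEE-6285 is actually recorded in the store's applied-patch list, and that no log file is readable or writable by other users (the "Broad Permissions on Log Files" issue, APPSEC-802). The script below is an added example, not code from the Forix post or from Magento; it assumes that Magento 1 patch scripts append one "| PATCH-ID |" line per patch to app/etc/applied.patches.list and that logs live in var/log under the store root, and it builds a constructed sample store so it can run offline.

```shell
#!/bin/sh
# Added verification helper; not code from the Forix post or from Magento.
# It answers two defender questions for a Magento 1 install:
#   1. Is SUPEE-6285 recorded in the store's applied-patch list?
#   2. Do any log files grant read or write permission to "other" users
#      (the "Broad Permissions on Log Files" issue, APPSEC-802)?
# Assumptions: Magento 1 patch scripts append one "| PATCH-ID |" line per
# patch to app/etc/applied.patches.list, and logs live in var/log.

# patch_applied LISTFILE PATCH_ID: exit 0 when PATCH_ID is recorded in LISTFILE.
patch_applied() {
    listfile=$1
    patch_id=$2
    [ -f "$listfile" ] || return 1
    grep -qF -- "| $patch_id |" "$listfile"
}

# broad_log_files LOGDIR: print each regular file under LOGDIR that is
# world-readable (o+r, mode bit 004) or world-writable (o+w, mode bit 002).
broad_log_files() {
    logdir=$1
    [ -d "$logdir" ] || return 1
    find "$logdir" -type f \( -perm -004 -o -perm -002 \) | sort
}

# check_store ROOT PATCH_ID: run both checks, print a report, exit 0 only if clean.
check_store() {
    root=$1
    patch_id=$2
    status=0
    if patch_applied "$root/app/etc/applied.patches.list" "$patch_id"; then
        echo "OK   $patch_id is recorded in applied.patches.list"
    else
        echo "FAIL $patch_id not found in applied.patches.list"
        status=1
    fi
    if [ ! -d "$root/var/log" ]; then
        echo "WARN $root/var/log not found; skipping log permission check"
    else
        broad=$(broad_log_files "$root/var/log")
        if [ -n "$broad" ]; then
            echo "FAIL log files readable or writable by others:"
            echo "$broad" | sed 's/^/     /'
            status=1
        else
            echo "OK   no log file is accessible to others"
        fi
    fi
    return $status
}

# make_sample_store: build a constructed Magento-like tree in a temp dir and
# print its path. The patch line and log files are sample data, not real output.
make_sample_store() {
    sample_root=$(mktemp -d)
    mkdir -p "$sample_root/app/etc" "$sample_root/var/log"
    # Constructed entry in the style of applied.patches.list (hash is a placeholder).
    printf '%s\n' "2015-07-08 09:00:00 UTC | SUPEE-6285 | CE_1.9.1.1 | v1 | PLACEHOLDER-HASH | SUPEE-6285" \
        > "$sample_root/app/etc/applied.patches.list"
    : > "$sample_root/var/log/system.log"
    chmod 666 "$sample_root/var/log/system.log"       # too broad: others can read/write
    : > "$sample_root/var/log/exception.log"
    chmod 640 "$sample_root/var/log/exception.log"    # owner and group only
    echo "$sample_root"
}

# Demo against the constructed store; point check_store at a real store root to use it.
sample=$(make_sample_store)
check_store "$sample" SUPEE-6285
rm -rf "$sample"
```

Against the constructed store the report shows the patch as recorded and flags system.log, which is the shape of output to expect on a real store: a FAIL on either line means the bundle is missing or the log directory needs tighter permissions.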

Issues Addressed

Here is a list of issues fixed in the Magento Security Patch SUPEE-6285 bundle.

  1. Cross-site Scripting Errors/Poisoning (APPSEC-1030) – Risk Rating: 9.3 Critical
    Host headers are not validated, so HTML or JavaScript code can be injected through them, posing a risk to all customers; an attacker could use this to introduce a fraudulent credit card form. This affects a limited set of specific server configurations for Commerce editions only.
  2. Cross-site Scripting: Gifting Registry (APPSEC-1022) – Risk Rating: 9.3 Critical
    Un-escaped search parameters allow cross-site scripting, which attackers can use to steal customer cookies and impersonate users. This affects Commerce editions only.
  3. SOAP API Autoloaded File Inclusion (APPSEC-1019) – Risk Rating: 6.5 Medium
    Because SOAP API requests are incorrectly validated, an attacker who first logs in with API credentials can, if certain PHP versions and/or configuration settings are present, cause the server to autoload code remotely.
  4. SSRF Vulnerability in WSDL File (APPSEC-1020) – Risk Rating: 5.3 Medium
    Incorrect encoding of API passwords lets attackers probe internal network resources or place remote files in the directory.

Get the Magento Security Patch SUPEE-6285 Bundle Today

Install the Magento Security Patch SUPEE-6285 bundle today to ensure maximum protection of your store’s website. Contact Forix to get help with your installation.

Resources:
https://magento.com/security/patches/supee-6285