Technical Details for Magento Security Patch SUPEE-6788

The Magento Security Patch SUPEE-6788 was released on October 27, 2015 to repair multiple vulnerabilities revealed by recent attacks. The latest Magento Commerce and Open Source editions include this security patch. Vendors using older versions of Magento products should install this update to address several risks. Read on to learn more about this update’s technical details and tips for addressing potential issues.

Benefits of Magento Security Patch SUPEE-6788

Security Patch SUPEE-6788 provides protection against several security issues, including:

  • Bypassing Custom Admin URL (APPSEC-1034)
  • Possible SQL Injection (APPSEC-1063)
  • Template Processing Exploitation (APPSEC-1057)
  • Custom Option File Exploit (APPSEC-1079)
  • Cross-site Scripting Errors (APPSEC-1039/APPSEC-1228)
  • Password Reset Exploit (APPSEC-1027)

Release Information

Magento Security Patch SUPEE-6788 was released to fix multiple issues revealed in older versions of Magento products. This includes areas that expose encrypted data and grant administrator access to attackers. Installation may also cause compatibility issues with older Magento products.

Issues Addressed

To receive the full protection from the Magento Security Patch SUPEE-6788 update, here is a list of issues developers may face upon installation.

  1. Bypassing Custom Admin URL (APPSEC-1034)
    This aspect of the patch is disabled upon installation. Protecting non-default admin IRLs from attack, this must be enabled. Once activated, it changes the routing compatibility in the configuration.
    Developers should use “Enable Admin routing compatibility mode” in System > Configuration > Security. Any admin functionality not under this url will also require modification. Where developers create links to the module’s admin part, they will need to alter etc/config.xml and all code lines.
  2. Possible SQL Injection (APPSEC-1063)
    Any module using SQL statements for field names or manually modifying the escape field must be changed. Filter generation methods also must change.
  3. Template Processing Exploitation (APPSEC-1057)
    Magento comes with a pre-generated whitelist that allows blocks or directives. Some modules or extensions using specific variables like {{block type=rss/order_new}} on CMS pages/emails and the corresponding directives are not included in the default arrangement. To add them, developers should use their database installation script. Additionally, extension or proprietary code that handles content might experience issues.
    Developers may have to create a new data update script for code using config variables or blocks. To add variables or block, go to System > Permissions > Blocks and System > Permissions > Variables.
  4. Custom Option File Exploit (APPSEC-1079)
    Any modification using custom options to save data as a PHP object may be affected by this patch. This method is no longer usable in this suite.
  5. Cross-site Scripting Errors (APPSEC-1039/APPSEC-1228)
    The patch alters templates by adding form_key to the registration page. Vendors using a customized template for this page will need to add a special key, available in the patch source code, to those pages.
  6. Password Reset Exploit (APPSEC-1027)
    This patch changes form submission, potentially affecting templates. It also adds token validation to the forgot password page. The following files will be affected: layout/customer.xml and template/customer/form/resetforgottenpassword.phtml. Vendors using a customized templates or layouts for the forgot password page should reference the patch source code to add the correct key.

Upgrade/Download Magento Security Patch SUPEE-6788 Today

Forix recommends upgrading to the latest versions of Magento products or installing the Magento Security Patch SUPEE-6788 Update. Consult with patch code to ensure proper installation to protect your site against a series of new threats. Forix offers help for various issues that may arise during installation and has the knowledge and experience to guarantee a trouble-free installation.

Resources:
https://magento.com/security/patches/supee-6788-technical-details