Magento Security Patch SUPEE-7405 Features & Issues

Magento released SUPEE-7405, its latest security patch, a few days ago. Applying it changes about 50 core files and can cause a number of new issues. This article gives an overall analysis of the new patch.

What are the new features you can find in SUPEE-7405?
The changes to the HTML templates are intended to keep XSS attacks away by preventing attackers from injecting client-side script into the website's pages. New form-key validation is used in areas such as the admin forgot-password form, the admin reset-password form and the shopping cart form; this is intended to further strengthen the XSS protection. The server compares the submitted form key with the one it generated earlier. The two values must match; otherwise the request is not processed.
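To show what that comparison amounts to, here is a small form-key generator and validator written for this article. It is an added illustration, not Magento's own code: it assumes a plain PHP session (PHP 7.0 or newer) and the function names getFormKey, formKeyField and isValidFormKey are invented for the example.

```php
<?php
// Added example, not Magento code: a per-session form key that must be
// echoed back by every state-changing form and compared server-side.

function getFormKey(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['form_key'])) {
        // 16 random bytes, hex-encoded, generated once per session
        $_SESSION['form_key'] = bin2hex(random_bytes(16));
    }
    return $_SESSION['form_key'];
}

// Hidden field to embed in the form being rendered
function formKeyField(): string
{
    return '<input type="hidden" name="form_key" value="'
        . htmlspecialchars(getFormKey(), ENT_QUOTES, 'UTF-8') . '">';
}

function isValidFormKey($submitted): bool
{
    if (!is_string($submitted) || $submitted === '') {
        return false;
    }
    // Constant-time comparison so the key cannot be guessed via timing
    return hash_equals(getFormKey(), $submitted);
}

// Handling a POST: refuse the request when the key is missing or wrong
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!isValidFormKey($_POST['form_key'] ?? null)) {
        http_response_code(403);
        exit('Invalid form key');
    }
    // ... process the cart / reset-password submission here ...
}
```

The check happens before any other processing of the request, and the key is compared with hash_equals rather than ==. In Magento 1 the same idea is exposed through the core session's getFormKey() and the controller helper _validateFormKey(), which the patched forms rely on.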

Event names in the core configuration files contained uppercase letters in older versions; they are now all lowercase. See the example below:

controller_action_predispatch_customer_account_loginPost

becomes

controller_action_predispatch_customer_account_loginpost

Event names declared in custom extensions are not affected by this change.

A new version of Zend_XML_Security is included. It scans XML content for the constructs used in XXE (XML External Entity) attacks before the content is parsed.
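The following function, written for this article and not taken from Zend_XML_Security, shows the core of such a scan: refuse any document that carries a DOCTYPE (which is where entity declarations live) and parse the rest with network access and entity substitution disabled. The function name parseXmlSafely and the two sample documents are constructed for the example.

```php
<?php
// Added example in the spirit of Zend_XML_Security, not its code.

function parseXmlSafely(string $xml)
{
    // Entity declarations can only appear inside a DOCTYPE; reject it outright
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        return null;
    }
    // On PHP < 8.0 the external entity loader is enabled by default; turn it off
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $previous = libxml_use_internal_errors(true);
    // LIBXML_NONET forbids network access while parsing;
    // LIBXML_NOENT is deliberately NOT passed, so entities are never expanded
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    return $doc === false ? null : $doc;
}

// Constructed inputs: a benign order document and one that declares an entity
$benign      = '<?xml version="1.0"?><order><id>42</id></order>';
$withDoctype = '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY e "x">]><order><id>&e;</id></order>';

var_dump(parseXmlSafely($benign) !== null);
var_dump(parseXmlSafely($withDoctype) === null);
```

One caveat a scanner has to handle that this short version does not: the regex only sees ASCII/UTF-8 text, so a document in UTF-16 or another multibyte encoding needs to be converted (or inspected via the parsed DOM's document-type node) before the DOCTYPE check is trustworthy.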

SUPEE-7405 adds a feature called 'escaping CSV data' to the Magento export. It lets values be escaped while a CSV file is being exported.
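The usual reason to escape exported CSV cells is that spreadsheet applications treat a cell beginning with =, +, - or @ as a formula. The snippet below, added here and not Magento's exporter, prefixes such cells with an apostrophe so they are shown as text; it assumes (without confirmation from the page) that the patch's option targets the same leading characters. The function names escapeCsvCell and writeEscapedCsv and the sample rows are constructed for the example.

```php
<?php
// Added example, not Magento's export code: neutralise formula triggers
// in CSV cells before writing them out.

function escapeCsvCell($value): string
{
    $value = (string) $value;
    // A leading =, +, - or @ is interpreted as a formula by spreadsheets;
    // a leading apostrophe forces the cell to be read as plain text.
    if ($value !== '' && strpos('=+-@', $value[0]) !== false) {
        $value = "'" . $value;
    }
    return $value;
}

function writeEscapedCsv(array $rows, string $path): void
{
    $fh = fopen($path, 'w');
    foreach ($rows as $row) {
        // fputcsv quotes commas, double quotes and newlines for us
        fputcsv($fh, array_map('escapeCsvCell', $row));
    }
    fclose($fh);
}

// Constructed sample export rows; the second data row contains a formula-like value
$rows = [
    ['sku',   'name',        'note'],
    ['ABC-1', 'Widget',      'plain text'],
    ['XYZ-2', '=SUM(1,2)',   '-5'],
];
writeEscapedCsv($rows, 'php://stdout');
```

Note the trade-off visible in the last row: a negative number such as -5 is escaped too, because the check is purely on the first character. That is the price of a simple rule, and it is why the feature is offered as an option rather than applied unconditionally.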

There are also changes to file permissions in lib/Varien/File/Uploader.php. Images and other files uploaded through the admin panel are no longer world-readable or world-writable. Before SUPEE-7405, a newly created file received 0777 permissions:

chmod($destinationFile, 0777);

and this is changed to 0660:

chmod($destinationFile, 0660);

The permissions for new directories will change from

mkdir($destinationFolder, 0777, true)

to

mkdir($destinationFolder, 0750, true)

Therefore users outside the owner's group can neither read nor write the newly created directories.

The same class also gains an additional file-type validation based on Zend_Validate_File_MimeType, and favicons get a new list of allowed file types:

protected function _getAllowedExtensions()
{
    return array('ico', 'png', 'gif', 'jpg', 'jpeg', 'apng');
}

SUPEE-7405 also adds a new image validator, Mage_Core_Model_File_Validator_Image.
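The permission changes and the file-type checks described above belong together in one upload path. The class below, written for this article and not taken from lib/Varien/File/Uploader.php, shows them combined: the patched favicon extension list, a MIME check on the file's actual bytes (using PHP's finfo here in place of Zend_Validate_File_MimeType), directories created with 0750 and files stored with 0660. The class name HardenedUploader and the MIME list are assumptions made for the example; it needs PHP 7.1 or newer.

```php
<?php
// Added example, not Magento's uploader: extension allow-list, content
// sniffing, and the patched directory/file permissions in one handler.

final class HardenedUploader
{
    // Same favicon list as the patched _getAllowedExtensions()
    private const ALLOWED_EXTENSIONS = ['ico', 'png', 'gif', 'jpg', 'jpeg', 'apng'];

    // Assumed MIME types for that list (an APNG is reported as image/png)
    private const ALLOWED_MIME = [
        'image/x-icon', 'image/vnd.microsoft.icon', 'image/png', 'image/gif', 'image/jpeg',
    ];

    public static function allowedExtension(string $filename): bool
    {
        $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
        return in_array($ext, self::ALLOWED_EXTENSIONS, true);
    }

    public static function allowedMime(string $tmpPath): bool
    {
        // Sniff the bytes on disk; never trust the client-supplied Content-Type
        $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
        return in_array($mime, self::ALLOWED_MIME, true);
    }

    public static function save(string $tmpPath, string $originalName, string $destDir): string
    {
        if (!self::allowedExtension($originalName) || !self::allowedMime($tmpPath)) {
            throw new RuntimeException('File type not allowed');
        }
        if (!is_dir($destDir)) {
            // 0750: owner rwx, group rx, world nothing (as in the patched mkdir)
            if (!mkdir($destDir, 0750, true) && !is_dir($destDir)) {
                throw new RuntimeException('Cannot create destination directory');
            }
        }
        // Keep only the base name so "../" in the supplied name cannot leave $destDir
        $dest = $destDir . DIRECTORY_SEPARATOR . basename($originalName);
        if (!move_uploaded_file($tmpPath, $dest)) {
            throw new RuntimeException('Upload failed');
        }
        // 0660: owner and group rw, world nothing (as in the patched chmod)
        chmod($dest, 0660);
        return $dest;
    }
}

// Usage with a standard PHP upload field named "favicon":
// $saved = HardenedUploader::save($_FILES['favicon']['tmp_name'],
//                                 $_FILES['favicon']['name'],
//                                 __DIR__ . '/media/favicon');
```

Two practical notes: the mode passed to mkdir is still masked by the process umask, so a strict deployment follows it with an explicit chmod on the directory; and the web server's group must be the one that owns the media tree, otherwise 0660 files become unreadable to the process that serves them.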

A new event, admin_user_validate, performs admin user validation. It is dispatched when an admin password is reset and during a few other operations.

What are the issues you might face while implementing SUPEE-7405?

Applying any new patch can cause some trouble; that is quite normal, and the task is to take some care to minimise the risk. For this patch you must run at least PHP 5.4.0, because the patch uses a newer short PHP syntax that only recent PHP versions can parse.

You may have difficulty logging into the admin panel immediately after applying the patch. To resolve this, delete every session file, clear any other session storage you use, and delete your browser cookies.

This is just a quick analysis done after the release of SUPEE-7405. We will research this patch more thoroughly and publish the details on our blog shortly. Stay tuned for more updates.
