Tips to resolve the installation issues of Magento Security Patch - SUPEE-6788

How to address installation issues of Magento Security Patch - SUPEE-6788?

Magento has recently released the SUPEE-6788 security patch, together with Enterprise Edition 1.14.2.2 and Community Edition 1.9.2.2, to address a number of security issues. Here we would like to share with you the details of resolving the installation issues of SUPEE-6788. Be aware, however, that the fixes introduce backward-incompatible changes, so applying them can break compatibility with customizations or extensions.

1. APPSEC-1034 - bypassing custom admin URL

  • This is an important part of SUPEE-6788, and it is disabled by default. You have to enable it to protect non-default admin URLs against automated attacks. To do so, change the routing compatibility mode in the configuration: use "Enable Admin routing compatibility mode" under System > Configuration > Admin > Security.
  • You have to modify any module that exposes admin functionality outside the admin URL (e.g. http://domain.com/cartin24_module instead of http://domain.com/admin/cartin24_module).
  • Its etc/config.xml and every line of code that creates links to the admin part of the module need to be changed.
  • The following config.xml fragment shows an example.
<admin>
  <routers>
    <custom_module>
      <use>admin</use>
      <args>
        <module>custom_module</module>
        <frontName>custom_module</frontName>
      </args>
    </custom_module>
  </routers>
</admin>

It has to be changed to:

<admin>
  <routers>
    <adminhtml>
      <args>
        <modules>
          <custom_module after="Mage_Adminhtml">CustomModule_Adminhtml</custom_module>
        </modules>
      </args>
    </adminhtml>
  </routers>
</admin>
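Once the module is registered under the standard adminhtml router as above, its controllers and the code that links to them have to follow. The following is an added example, not code from the original post or from any real module: it assumes a hypothetical module named CustomModule with a Cartin24 controller (taken from the cartin24_module URL above), an ACL resource id custom_module/cartin24, and the file path given in the comment.

```php
<?php
/**
 * Added example (not part of the original post). Admin controller of the
 * hypothetical CustomModule module after the config.xml change that registers
 * "CustomModule_Adminhtml" under the adminhtml router.
 *
 * Assumed location:
 *   app/code/local/CustomModule/Adminhtml/controllers/Cartin24Controller.php
 *
 * The class prefix "CustomModule_Adminhtml" must match the value given in
 * <modules><custom_module after="Mage_Adminhtml">CustomModule_Adminhtml</custom_module></modules>.
 * Extending Mage_Adminhtml_Controller_Action (instead of the frontend action
 * class) is what gives the controller the admin session, ACL and secret-key
 * checks; a controller reachable through its own front name had none of them.
 */
class CustomModule_Adminhtml_Cartin24Controller extends Mage_Adminhtml_Controller_Action
{
    /**
     * Reached as <admin front name>/cartin24/index, e.g. /admin/cartin24/index,
     * never as /cartin24_module/... any more.
     */
    public function indexAction()
    {
        $this->loadLayout();
        $this->_setActiveMenu('system');
        $this->renderLayout();
    }

    public function saveAction()
    {
        if (!$this->getRequest()->isPost()) {
            $this->_redirect('adminhtml/cartin24/index');
            return;
        }
        // ... persist the posted data here ...

        // Old code redirected to 'custom_module/cartin24/index', which resolved to
        // http://domain.com/custom_module/cartin24/index. Under the adminhtml router
        // the route is 'adminhtml/<controller>/<action>'; the adminhtml _redirect()
        // prepends the (possibly custom) admin path and the secret key for you.
        $this->_redirect('adminhtml/cartin24/index');
    }

    /**
     * Declare the ACL resource explicitly so the page is not silently open to
     * every admin user. The resource id is an assumption and must be declared
     * in the module's adminhtml.xml.
     */
    protected function _isAllowed()
    {
        return Mage::getSingleton('admin/session')->isAllowed('custom_module/cartin24');
    }
}
```

Links generated in blocks or templates change in the same way: replace Mage::getUrl('custom_module/cartin24/index') with Mage::helper('adminhtml')->getUrl('adminhtml/cartin24/index'), so that the generated URL carries the custom admin path and secret key rather than the old public front name.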

2. APPSEC-1063 - possible SQL injection

You need to modify modules that pass SQL expressions as field names, or that escape field names themselves. The following are examples of code that can no longer be used:

$collection->addFieldToFilter('(field1 - field2)', array('eq' => 3))
$collection->addFieldToFilter('`field`', array('eq' => 3))

Another challenge for developers is that the filters have to be rewritten for these cases:

The following code:

$collection->addFieldToFilter('`field`', array('eq'=>3));

Should be changed to:

$collection->addFieldToFilter('field', array('eq'=>3));

The following code:

$collection->addFieldToFilter('(field1-field2)', array('eq'=>3));

needs to be changed to:

$expression = '(field1-field2)';
$condition = $this->_getConditionSql($expression, array('eq'=>3));
$this->_select->where($condition);

Alternatively, developers can use the following code:

class T extends Mage_Core_Model_Resource_Db_Collection_Abstract {
...
    // map a fixed alias to the expression; callers only ever pass the alias
    protected $_map = array('fields' => array(
        'condition' => '(field1 - field2)',
    ));
...
    public function someMethod() {
        $this->addFieldToFilter('condition', array('eq' => 3));
    }
...
}
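The two replacements above are shown in isolation. The following added example, which is not code from the original post or from Magento itself, puts them into one complete collection class for a hypothetical custom_module/item entity and adds the check a practitioner wants when the column name itself comes from user input. The entity name, the column names field1 and field2, and the method names are assumptions.

```php
<?php
/**
 * Added example (not part of the original post). A resource collection for a
 * hypothetical "custom_module/item" entity that filters on the difference of
 * two columns without handing raw SQL to addFieldToFilter(). After
 * SUPEE-6788, a field name passed to addFieldToFilter() is treated as an
 * identifier, so '(field1 - field2)' or '`field`' no longer work as-is.
 */
class CustomModule_Model_Resource_Item_Collection extends Mage_Core_Model_Resource_Db_Collection_Abstract
{
    /**
     * Fixed alias -> SQL expression, the post's $_map approach. Only aliases
     * listed here are expanded; anything else is a plain column name.
     */
    protected $_map = array(
        'fields' => array(
            'difference' => '(main_table.field1 - main_table.field2)',
        ),
    );

    protected function _construct()
    {
        // Resource model alias is an assumption for this example.
        $this->_init('custom_module/item');
    }

    /**
     * Filter rows whose field1 - field2 equals $value. The caller never
     * supplies a column name or expression, only the value.
     */
    public function addDifferenceFilter($value)
    {
        return $this->addFieldToFilter('difference', array('eq' => (int) $value));
    }

    /**
     * The post's explicit form: the expression is a constant in code and the
     * value is turned into a condition by the adapter, which quotes it.
     */
    public function addDifferenceFilterExplicit($value)
    {
        $expression = '(main_table.field1 - main_table.field2)';
        $condition  = $this->_getConditionSql($expression, array('eq' => (int) $value));
        $this->getSelect()->where($condition);
        return $this;
    }

    /**
     * When the column to filter on comes from a request (grid sorting,
     * search forms), whitelist it against the table's real columns first.
     * Anything not in the list is rejected instead of being interpolated.
     */
    public function addColumnFilterFromInput($column, $value)
    {
        $columns = array_keys($this->getConnection()->describeTable($this->getMainTable()));
        if (!in_array($column, $columns, true)) {
            Mage::throwException(Mage::helper('core')->__('Unknown column "%s"', $column));
        }
        return $this->addFieldToFilter($column, array('eq' => $value));
    }
}
```

The difference between the three methods is where the SQL text originates: in the first two it is a string constant inside the class, and only the value travels through the adapter's condition builder; in the third the column name is untrusted, so it is compared against describeTable() before being used at all.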

3. APPSEC-1057 - template processing method allows access to private information:

  • Magento has introduced a whitelist of allowed blocks and directives. If you use variables such as {{config path="web/unsecure/base_url"}} or {{block type="rss/order_new"}} in a module or extension and the directives do not appear on this list, you will have to add them with a data install script. This may affect extensions or custom code that manages content (for example, a blog).
  • The complete list of allowed variables and blocks in a default installation is:

Variables:

web/unsecure/base_url
web/secure/base_url
trans_email/ident_support/name
trans_email/ident_support/email
trans_email/ident_general/name
trans_email/ident_general/email
trans_email/ident_sales/name
trans_email/ident_sales/email
trans_email/ident_custom1/name
trans_email/ident_custom1/email
trans_email/ident_custom2/name
trans_email/ident_custom2/email
general/store_information/name
general/store_information/phone
general/store_information/address

Blocks:

core/template
catalog/product_new
enterprise_catalogevent/event_lister (in Magento Enterprise Edition)

  • Note: you can configure allowed variables and blocks under System > Permissions > Blocks and System > Permissions > Variables.
  • If your code uses other config variables or blocks, you need to create a data update script that adds them to the whitelist tables:

permission_variable
permission_block
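An added example of such a data update script follows. It is not code from the original post or from Magento; the module name CustomModule, the setup resource name, the version numbers in the file name, the config path custom_module/general/support_phone, the block alias custom_module/blog_recent, and the admin/permission_variable and admin/permission_block table aliases are all assumptions for the example.

```php
<?php
/**
 * Added example (not part of the original post). Data upgrade script of a
 * hypothetical CustomModule module that adds the config variables and block
 * types referenced by its own templates to the SUPEE-6788 whitelist tables
 * permission_variable and permission_block.
 *
 * Assumed location:
 *   app/code/local/CustomModule/sql/custom_module_setup/data-upgrade-1.0.0-1.0.1.php
 */
/** @var Mage_Core_Model_Resource_Setup $installer */
$installer = $this;
$installer->startSetup();

$connection = $installer->getConnection();

// Whitelist only what the module's templates actually use via {{config path="..."}}.
// Every entry widens what a template author can read out of core_config_data,
// so keep the list to paths that are safe to expose in rendered content.
$allowedVariables = array(
    'custom_module/general/support_phone',   // assumed config path used by the module
);

// Block types the templates reference via {{block type="..."}}. Do not add
// generic blocks beyond the defaults; a whitelisted block can be given any
// template or arguments from the directive.
$allowedBlocks = array(
    'custom_module/blog_recent',             // assumed block alias of the module
);

// Table aliases are assumptions; the physical tables are permission_variable
// and permission_block. insertOnDuplicate() keeps the script re-runnable.
foreach ($allowedVariables as $variableName) {
    $connection->insertOnDuplicate(
        $installer->getTable('admin/permission_variable'),
        array('variable_name' => $variableName, 'is_allowed' => 1),
        array('is_allowed')
    );
}

foreach ($allowedBlocks as $blockName) {
    $connection->insertOnDuplicate(
        $installer->getTable('admin/permission_block'),
        array('block_name' => $blockName, 'is_allowed' => 1),
        array('is_allowed')
    );
}

$installer->endSetup();
```

After the script has run, the entries appear under System > Permissions > Variables and System > Permissions > Blocks and can be disabled there without another deployment; a directive that is not whitelisted simply renders empty, which is the symptom to look for when a template stops showing a value after the patch.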

4. APPSEC-1079 - potential exploit with custom option file type

This changes any customization that uses product custom options to store data as a PHP object. Such methods can no longer be used.

5. APPSEC-1027 - inadequate security of the password reset process

This change affects templates: it adds a form key to the customer registration page (customer/form/register.phtml and persistent/customer/form/register.phtml) and makes corresponding changes to the forgotten-password page (layout/customer.xml and template/customer/form/resetforgottenpassword.phtml). If you ship your own customer registration or forgotten-password templates, ensure that you add the form key to them too.

Check the patch source code for the following line:

<input type="hidden" name="form_key" value="<?php echo Mage::getSingleton('core/session')->getFormKey() ?>" />
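The hidden field above is only half of the protection: the controller that receives the POST has to reject submissions whose form key does not match the session. The following added example, which is not code from the original post or from Magento's patch, shows that server side for a hypothetical CustomModule frontend controller with its own sign-up form; the module, controller and template names are assumptions, while _validateFormKey() is the existing helper in Mage_Core_Controller_Front_Action.

```php
<?php
/**
 * Added example (not part of the original post). Frontend controller of a
 * hypothetical CustomModule module whose template (assumed path
 * template/custom_module/signup.phtml) carries the same hidden "form_key"
 * input that the patch adds to customer/form/register.phtml.
 */
class CustomModule_SignupController extends Mage_Core_Controller_Front_Action
{
    public function indexAction()
    {
        $this->loadLayout();
        $this->renderLayout();
    }

    /**
     * Handler for the form POST. _validateFormKey() compares the submitted
     * "form_key" parameter with the key stored in the core/session; a missing
     * or stale key means the request did not originate from a page this
     * session rendered, which is exactly the case the patch closes for the
     * registration and password-reset forms.
     */
    public function postAction()
    {
        if (!$this->getRequest()->isPost() || !$this->_validateFormKey()) {
            Mage::getSingleton('core/session')->addError(
                $this->__('Invalid form key. Please refresh the page and try again.')
            );
            $this->_redirect('*/*/');
            return;
        }

        $data = $this->getRequest()->getPost();
        // ... validate and persist $data here ...

        Mage::getSingleton('core/session')->addSuccess($this->__('Thank you, your request was received.'));
        $this->_redirect('*/*/');
    }
}
```

When verifying a customized theme after the patch, submit each of the registration and forgotten-password forms once normally and once with the form_key field removed from the page; the second submission must be rejected and redirected, and a form that still succeeds is one whose controller is not checking the key.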
