See Updates for new additional info
SUPEE-6788 is a bundle of patches for Magento. From the Magento Commerce website:

> SUPEE-6788 provides protection against several types of security-related issues, including remote code execution, information leaks and cross-site scripting.
## Why is it more complicated than previous patches?
Because when the patch is applied it will almost certainly break backward compatibility with Magento extensions.
The Magento community has put together a Google Sheets list of extensions that need to be updated:
https://docs.google.com/spreadsheets/d/1LHJL6D6xm3vD349DJsDF88FBI_6PZvx_u3FioC_1-rg
Note: the grep searches below are potentially incomplete, as some files build these strings from variable names.

- APPSEC-1034: Modules using an older form of admin routing are vulnerable to bypassing the custom admin URL. To find affected files:

  ```sh
  grep -r '<use>admin</use>' app/
  ```

  What to do: change the code as stated at magento.com.

- APPSEC-1063: Modules that use SQL statements as field names are vulnerable to SQL injection. To find affected files:

  ```sh
  grep -r "addFieldToFilter('(" app/
  grep -r "addFieldToFilter('\`" app/
  ```

  What to do: change the code as stated at magento.com.

- APPSEC-1057: If you are using template processing on CMS pages or emails, you need to add custom variables to a Magento whitelist, otherwise they won't be loaded. To find affected files:

  ```sh
  grep -r "{{config path=" app/
  grep -r "{{block type=" app/
  ```

  What to do: add your variables to the Magento whitelist table in the database, and to your database installation script.

- APPSEC-1079: You cannot save product custom options data as a PHP object. This one is for custom code; there are no shortcuts.
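As an added example (not code from the original post), the POSIX shell script below runs the grep checks above against a constructed sample module tree and reports hits per APPSEC issue. The `Acme/Demo` module and every file in it are constructed for the demo; the `Hidden.php` file shows the caveat from the note above, where the same defect built from a variable is not found by grep.

```sh
#!/bin/sh
# Added example, not code from the original post: runs the article's grep checks
# over a constructed sample tree and reports hits per APPSEC issue.
# Build a throwaway tree shaped like app/code/local/<vendor>/<module>.
# Every file below is constructed for this demo.
make_fixture() {
  dir=$(mktemp -d)
  mod="$dir/app/code/local/Acme/Demo"
  mkdir -p "$mod/etc" "$mod/Model"
  # APPSEC-1034: legacy admin routing that piggybacks on the 'admin' router.
  printf '%s\n' '<admin><routers><demo><use>admin</use></demo></routers></admin>' \
    > "$mod/etc/config.xml"
  # APPSEC-1063: raw SQL passed as the field name, in both forms grep looks for.
  printf '%s\n' "\$coll->addFieldToFilter('(sku LIKE ? OR name LIKE ?)', \$q);" \
    > "$mod/Model/Search.php"
  printf '%s\n' "\$coll->addFieldToFilter('\`sku\` = ?', \$q);" \
    > "$mod/Model/Quoted.php"
  # Same defect built from a variable: the grep checks miss this one (the
  # article's caveat), so a clean grep run is not proof of a clean module.
  printf '%s\n' "\$f = '(sku LIKE ?)'; \$coll->addFieldToFilter(\$f, \$q);" \
    > "$mod/Model/Hidden.php"
  # APPSEC-1057: config/block directives in a template that now need whitelisting.
  printf '%s\n' '{{config path="general/store_information/phone"}}' \
    '{{block type="core/template" template="demo/x.phtml"}}' \
    > "$mod/etc/email.html"
  echo "$dir"
}
# Count matching lines under <root>/app for each pattern given; a pattern with
# no hits adds 0 instead of aborting the run (grep exits 1 on no match).
count_hits() {
  root=$1; shift
  total=0
  for pat in "$@"; do
    n=$(grep -r -e "$pat" "$root/app" | wc -l | tr -d ' ')
    total=$((total + n))
  done
  echo "$total"
}
count_admin_use() { count_hits "$1" '<use>admin</use>'; }
count_sql_field() { count_hits "$1" "addFieldToFilter('(" "addFieldToFilter('\`"; }
count_template()  { count_hits "$1" '{{config path=' '{{block type='; }
# One line per issue, in the same order as the article.
report() {
  echo "APPSEC-1034 admin routing  : $(count_admin_use "$1") hit(s)"
  echo "APPSEC-1063 SQL field names: $(count_sql_field "$1") hit(s)"
  echo "APPSEC-1057 template vars  : $(count_template "$1") hit(s)"
}
fixture=$(make_fixture)
report "$fixture"        # expect 1, 2, 2 on the constructed tree
rm -rf "$fixture"
```

Point `count_hits` at a real Magento root instead of the fixture to audit an installation; anything it misses still has to be found by reading the module code.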
- Download the patch from magentocommerce.com/download.
- Scroll down to "Magento Community Edition Patches".
- Find SUPEE-6788 and then download the `.sh` file for your version of Magento (mine is 1.9.2.0).
- Upload the patch to your Magento home folder.
!!! I would recommend (insist, even!) that you first install this on a local or development server, as a lot of your extensions will break !!!
- You can use cPanel or FTP or whatever; I use the command line `scp` command:

  ```sh
  scp ~/Downloads/PATCH_SUPEE-6788.....sh <user>@<server>:/magento/root
  ```

- Now execute the bash file:

  ```sh
  sh PATCH_SUPEE-6788.......sh
  ```

  You should get output listing the patched files.
- Get the SUPEE 6788 Toolbox.
- Upload the file as before with `scp` or FTP, this time to the `/shell` folder.
- Run the analyze function:

  ```sh
  php -f shell/fixSUPEE6788.php -- analyze
  ```
- Upgrade any extensions that you know have released an update due to SUPEE 6788.
- Run `analyze` again and hopefully you have fewer results now that you have updated some extensions. Decide whether it's worthwhile to go through each file yourself, or run the script again with the `--fix` flag, which does it all for you.
- The script modifies and moves files, so you may find that the Magento site is down (the backend more likely). Just do the normal debugging process: check `var/logs/exception.log`. In my case one of the extension's admin routing was written over incorrectly, causing a 500 error on the backend.
- Run the `analyze` command again to see issues that couldn't be sorted. On my install I was lucky and there were no 'Affected Modules' and no 'Affected Files', but under 'Issues' I had some more work to do.
- There was one warning 'Unable to load configuration', which meant that one of the installed extensions didn't have a `config.xml` file in `app/code/local/<vendor>`.
- There were a few "Possible SQL Vulnerability" warnings, which relate to APPSEC-1063, but these were from an extension that I updated during this process, so they were fine.
- You can check your Magento store for known vulnerabilities at MageReport.com.
- See this StackOverflow post for extra information or to ask questions.
- Although the technical details seem to suggest the reverse (I quote, "Note: This patch is disabled by default"), an option in `Config -> Advanced -> Admin -> Security` is set to enabled. You should turn this off. Note that this won't do anything if you're using the default `/admin` login, in which case you should change it to a unique value to prevent brute force attacks.
Some sources are saying that if you have custom forms then they could break if they don't have a
form_key
. Here is a source. This means that you need to edit your custom signup forms to add in a token. I tested it without and it seemed to work ok - but added theform_key
in just in case and will keep an eye on customer signups.
Thank you for that helpful article!