The SUPEE-6788 patch for Magento Community Edition and Magento Enterprise Edition includes fixes for potential SQL injection, remote code execution, and cross site scripting vulnerabilities.

On 27th October, Magento released the SUPEE-6788 bundle of patches, which can be downloaded here. The bundle includes patches for a number of critical vulnerabilities. Magento users running versions of Magento Community Edition older than 1.9.2.2, and versions of Magento Enterprise Edition older than 1.14.2.2 should apply the patches immediately.

It should be noted that one or more of the patches in the bundle may break compatibility with some Magento plugins. Some security features added by this patch are disabled by default and must be manually enabled. To enable these security features, Magento users must disable the Admin Routing Compatibility Mode For Extensions option, which is enabled by default, and which can be found in a new setting in the Magento Admin interface under “Admin > Security”.

Failure to disable this setting may leave your Magento store vulnerable to an Admin Disclosure Vulnerability, in which an attacker can force the showing of the admin panel login page by calling the module directly.

Magento advises that Magento users install the patch in a test environment to verify the compatibility of plugins. Incompatible plugins should be updated as soon as possible, and the Admin Routing Compatibility Mode setting disabled.

Full instructions for applying patches to Magento can be found in the Magento documentation.

Vulnerability Details

In addition to the Admin Disclosure Vulnerability, the patch bundle fixed several serious vulnerabilities that could result in the exposure of sensitive data. They include:

• An account takeover risk — because the password reset token is passed with a GET request and not cancelled, it may be possible for the token to be leaked through the referrer field.
• XSS scripting vulnerability — error messages are not properly escaped, making them vulnerable to XSS scripting attacks.
• Remote code execution vulnerability — the cron.php file can be called by anyone, resulting in a potential remote code vulnerability if used in combination with other vulnerabilities on the server.

See the release notes for more information.

SUPEE-6788 should be applied to Magento stores without delay to limit the potential exposure of user data and the risk of site takeover.

A Tip from Hostdedi Engineers

Hostdedi engineers have run into a few nuances with this particular patch. If you’re a developer and have had a chance to look at it, you’ve likely noticed that the patch affects a few .htaccess files:

[code].htaccess
.htaccess.sample
dev/tests/functional/.htaccess[/code]

.htaccess files are commonly edited for redirects and other server-side functionality. It’s likely that most Magento site administrators have already previous modified their main .htaccess file. With the strict nature of the official Magento patch scripts, we’ve experienced an alarming rate of patch failures because of modified .htaccess files or deleted sample/dev .htaccess files.

For Hostdedi managed hosting clients, we are treading carefully around this issue by stripping these new .htaccess files from the patch itself, and are then implementing those directives by hand.

This nuance will likely be important to keep in mind if you are applying this patch yourself.