On the 27th of October 2015, Magento released SUPEE-6788. This patch fixes 10 different security issues, notably an SQL injection.
With SUPEE-6788 Magento also released a new Community Edition version, Magento Community Edition 1.9.2.2, which contains all Magento patches to date. Read more about updating Magento.
What are the risks?
At the moment, SUPEE-6788 has a medium risk rating:
- In certain circumstances it is possible to steal secrets such as PayPal keys.
- It is possible to retrieve the secret back-end admin frontname and then launch a brute-force dictionary attack against the admin login.
As yet, no large-scale attacks are known, although some brute-force attacks on back-end panels are being seen in the wild.
Update October 29th: a working exploit has been published that allows anyone to download secret files using an XML External Entity (XXE) attack. Emergency fix: if you cannot patch, verify that you run the latest version of libxml2 (Ubuntu, Redhat), OR disable the PHP SOAP extension, OR block access to your API altogether.
How to install SUPEE-6788
In most cases this patch can be applied safely. However, as always, we recommend testing extensively on a testing/staging environment first. Hypernode users can set up a basic staging environment or (temporarily) order a Hypernode development plan.
One part of this patch is optional, because it breaks backward compatibility with many extensions; Magento has therefore added a switch in the back-end to enable this extra measure (see Step 3). The rest of the patch can be applied relatively safely. Take note of the following issues (which will only affect a small number of installs):
- Have a custom customer/form/register.phtml template? It will break if you don't add a form key to it.
- Do you use non-standard variables in CMS pages, static blocks or email templates? They need to be whitelisted.
- Do you run the Magento cron through HTTP and are you using Apache? There is a new access control on cron.php, so you should change the .htaccess to allow your local IP, or (better yet) run the cron through command-line PHP.
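The three caveats above, and the emergency mitigation for the XXE issue, can be checked from the shell before you patch. The script below is an example added for this article; it is not part of Magento, the patch or Hypernode. It assumes a Magento 1 root as its first argument, that a custom register.phtml is fixed by echoing getBlockHtml('formkey') in the form, and that your .htaccess uses the Apache 2.2 access syntax found in Magento 1's stock .htaccess (the 127.0.0.1 address is a placeholder for the IP that calls cron.php).

```shell
#!/bin/sh
# preflight.sh: pre-patch checks for the SUPEE-6788 caveats (example code
# added for this article, not part of Magento or the patch).
# Assumed usage: sh preflight.sh /path/to/magento

# Emergency XXE mitigation: is the PHP SOAP extension loaded at all?
# Takes the output of `php -m` as $1 so it can be tested without PHP.
soap_loaded() {
    printf '%s\n' "$1" | grep -qi '^soap$'
}

# Custom customer registration templates that lack the form key. The patch
# validates a form key on the registration POST, so a custom
# customer/form/register.phtml without getBlockHtml('formkey') breaks.
register_templates_missing_formkey() {
    root=$1
    find "$root/app/design/frontend" -path '*customer/form/register.phtml' -type f 2>/dev/null \
        | while IFS= read -r tpl; do
            grep -q "getBlockHtml(['\"]formkey['\"])" "$tpl" || printf '%s\n' "$tpl"
        done
}

# If cron.php must stay reachable over HTTP, allow only the caller's IP.
# Assumed Apache 2.2 syntax ("Order"/"Deny"/"Allow"), as in Magento 1's .htaccess.
cron_htaccess_rule() {
    ip=$1
    cat <<EOF
<Files cron.php>
    Order deny,allow
    Deny from all
    Allow from $ip
</Files>
EOF
}

# The better option: run Magento's cron.sh from crontab instead of over HTTP.
cron_crontab_entry() {
    root=$1
    printf '*/5 * * * * /bin/sh %s/cron.sh\n' "$root"
}

main() {
    root=${1:?usage: preflight.sh /path/to/magento}
    if soap_loaded "$(php -m 2>/dev/null)"; then
        echo "WARN: PHP SOAP extension is loaded; patch, or disable it / block /api until you can"
    fi
    missing=$(register_templates_missing_formkey "$root")
    [ -z "$missing" ] || printf 'WARN: register.phtml without form key:\n%s\n' "$missing"
    echo "If cron stays on HTTP, restrict cron.php in .htaccess (replace the IP):"
    cron_htaccess_rule 127.0.0.1
    echo "Preferred crontab entry:"
    cron_crontab_entry "$root"
}

[ $# -eq 0 ] || main "$@"
```

The template check only looks at files on disk; the whitelist of CMS and email template variables lives in the database and is best reviewed with the community tools mentioned under Step 3.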
All clear? Proceed!
Step 1 – Check if your extensions and modules are compatible!
While closing these bugs, Magento introduced several changes that are not backward compatible. This means that some shortcuts extensions took, which used to work, no longer do. We know that a large number of extensions and modules are not (yet) compatible with this patch, so applying it could break your shop if you use one of them. We know that:
- Extensions that have '<use>admin</use>' in their configuration will break.
- Several specific template variables are no longer allowed to be used.
A quick check showed that 80% of the webshops on our Hypernode platform use at least one extension that relies on one of these now deprecated functionalities.
We are contributing to a community effort that maintains a list of all known incompatible modules.
For more information and in-depth technical details, check the technical sheet provided by Magento itself.
Step 2 – Install the patch
Install the patch according to the generic patch installation instructions.
Step 3 – Increase security and disable compatibility mode
While closing these bugs, Magento introduced a change in admin routing that is not backwards compatible. A thorough analysis of our install base revealed that this affects 1886 unique extensions and effectively 80% of all installed shops. That is why Magento has introduced a compatibility mode, which is activated by default. It is recommended to disable the compatibility mode, but first check whether your modules are affected. Check for yourself: if you have extensions with <use>admin</use> in their config.xml, they will likely break.
Find these modules with this command (run in a terminal or over SSH):
grep -lr '<use>admin</use>' app/
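The grep above tells you which files are affected; it helps to also see which admin frontNames those modules expose, because that is exactly what an attacker learns from them. The script below is an example added for this article (not part of Magento, the patch or any of the community tools listed below). It assumes the standard Magento 1 layout app/code/<pool>/<Namespace>/<Module>/etc/config.xml and only reports frontNames declared inside the <admin> section, so storefront routers are not mixed in.

```shell
#!/bin/sh
# admin_router_scan.sh: list modules that declare their own admin router
# (<use>admin</use>) and the frontNames they expose. Example code added for
# this article, not part of Magento or the patch.
# Assumed usage: sh admin_router_scan.sh /path/to/magento

# Namespace_Module from the path of its etc/config.xml.
module_from_config() {
    d=${1%/etc/config.xml}
    mod=${d##*/}
    d=${d%/*}
    printf '%s_%s\n' "${d##*/}" "$mod"
}

# frontName values declared inside the <admin> section of one config.xml.
# Newlines are removed first so multi-line XML is matched as one string;
# frontNames under <frontend> (the storefront) are deliberately excluded.
admin_frontnames() {
    tr -d '\n\r' < "$1" \
        | sed -n 's/.*<admin>\(.*\)<\/admin>.*/\1/p' \
        | grep -o '<frontName>[^<]*</frontName>' \
        | sed 's/<[^>]*>//g'
}

# Every config.xml using the legacy admin router, one line per module:
#   Namespace_Module<TAB>frontName1 frontName2 ...
scan_admin_routers() {
    root=$1
    grep -rl '<use>admin</use>' "$root/app/code" 2>/dev/null | sort \
        | while IFS= read -r cfg; do
            names=$(admin_frontnames "$cfg" | tr '\n' ' ')
            printf '%s\t%s\n' "$(module_from_config "$cfg")" "${names% }"
        done
}

[ $# -eq 0 ] || scan_admin_routers "$1"
```

Every frontName reported is reachable without knowing your secret admin URL while compatibility mode is on. Magento's technical sheet describes the fix: such modules should register their admin controllers with the standard adminhtml router instead of declaring a router of their own, after which the compatibility mode can be switched off.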
There are several useful community-written tools and resources:
- n98-magerun plugin to detect incompatible plugins
- A PHP command-line tool to analyze and bulk-fix extensions for admin-router and template-variable incompatibilities
- a community-curated list of all known incompatible extensions
So to increase security, disable the “compatibility mode” here:
System > Config > Admin > Security > Admin routing compatibility mode for extensions
What is the risk of not doing this?
Attackers can discover your secret admin frontname through third-party modules that use the admin router. Knowing the admin frontname enables a brute-force dictionary attack on the admin login. No abuse has been registered on a massive scale, but incidents are reported on a daily basis. So we recommend implementing this measure (and not using the default "admin" and "downloader" names).
We found several reasons why patch SUPEE-6788 can show up as not installed on Magereport.com, so we recommend checking the following:
- When compilation is enabled in the back-end of your Magento, the patch doesn't work properly. Disable compilation (navigate to System > Tools > Compilation and click the Disable button) to make sure the patch works. After disabling compilation, check your site with magereport.com again. If the check still comes out as not installed, try re-compiling.
- Check if the patch is installed in the correct directory;
- Reload your opcode cache, webserver, PHP-FPM process and possibly other caches. The old code might still be active;
- Check your shop's .htaccess. If you've made any adjustments to your .htaccess, it's possible the patch is only partially installed;
- Using a Magento version older than Magento 126.96.36.199? Update to a more recent version. When patching Magento versions older than Magento 188.8.131.52, certain redirects aren't added.
Magento is not an easy open source platform. Although we're very skilled in hosting Magento shops, making them fast and keeping conversion high, we are not Magento developers. Luckily, we know a lot of agencies that do know how Magento works. If you need help, don't hesitate to contact one of these agencies.
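Most of the checks in the list above can be run locally on the server, which is quicker than re-running the external scan after every change. The script below is an example added for this article; it is not part of Magento, the patch or MageReport. It assumes a Magento 1 root as its first argument, that Magento's patch scripts record applied patches in app/etc/applied.patches.list, that compilation is enabled by uncommenting the define('COMPILER_INCLUDE_PATH', ...) line in includes/config.php, and (an assumption on our part) that a complete patch leaves a <Files cron.php> block in .htaccess.

```shell
#!/bin/sh
# verify_patch.sh: local checks for the reasons SUPEE-6788 may show as not
# installed. Example code added for this article, not part of Magento, the
# patch or MageReport. Assumed usage: sh verify_patch.sh /path/to/magento

# Is $1 actually a Magento root? (app/Mage.php is present in every install.)
is_magento_root() {
    [ -f "$1/app/Mage.php" ]
}

# Is patch $2 recorded in app/etc/applied.patches.list? Magento's patch
# scripts append one line per applied patch to this file.
patch_listed() {
    grep -q "$2" "$1/app/etc/applied.patches.list" 2>/dev/null
}

# Is the compiler enabled? includes/config.php ships with the defines
# commented out ("#define('COMPILER_INCLUDE_PATH', ...") and enabling
# compilation uncomments them.
compilation_enabled() {
    grep -Eq "^[[:space:]]*define\('COMPILER_INCLUDE_PATH'" "$1/includes/config.php" 2>/dev/null
}

# Does .htaccess carry the cron.php access control the patch adds? A
# hand-edited .htaccess can make the patch apply only partially.
# Assumed marker: a <Files cron.php> block.
htaccess_has_cron_rule() {
    grep -q '<Files cron.php>' "$1/.htaccess" 2>/dev/null
}

# Run all checks; returns 0 only when everything looks right.
verify() {
    root=$1
    rc=0
    is_magento_root "$root" || { echo "FAIL: $root is not a Magento root (no app/Mage.php)"; return 1; }
    if patch_listed "$root" SUPEE-6788; then
        echo "OK:   SUPEE-6788 recorded in applied.patches.list"
    else
        echo "FAIL: SUPEE-6788 not in applied.patches.list; was the patch applied in this directory?"; rc=1
    fi
    if compilation_enabled "$root"; then
        echo "WARN: compilation is enabled; disable it, re-check, then recompile"; rc=1
    else
        echo "OK:   compilation disabled"
    fi
    if htaccess_has_cron_rule "$root"; then
        echo "OK:   .htaccess contains the cron.php access control"
    else
        echo "WARN: .htaccess lacks the cron.php rule; the patch may be only partially installed"; rc=1
    fi
    echo "NOTE: also restart PHP-FPM / reset the opcode cache and flush Magento's cache; old code may still be served"
    return $rc
}

[ $# -eq 0 ] || verify "$1"
```

Run it once before and once after restarting PHP so you know whether a lingering opcode cache, rather than the files on disk, is what MageReport is seeing.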