Question

On October 27, 2015, Magento released security patch SUPEE-6788. According to the technical details, 4 of the APPSECs that have been fixed require some rework in local and community modules:

  • APPSEC-1034, addressing bypassing custom admin URL (disabled by default)
  • APPSEC-1063, addressing possible SQL injection
  • APPSEC-1057, template processing method allows access to private information
  • APPSEC-1079, addressing potential exploit with custom option file type

I was wondering how to check which modules are affected by this security patch.

I came up with the following partial solution:

  • APPSEC-1034: search for <use>admin</use> in the config.xml of all local and community modules. I think this should list all modules affected by this issue.
  • APPSEC-1063: search for addFieldToFilter('( and addFieldToFilter('` in all PHP files of local and community modules. This is incomplete, as variables can also be used.
  • APPSEC-1057: search for {{config path= and {{block type= in all PHP files of local and community modules, and filter out all elements from the whitelist. This is incomplete, however, as it does not include template variables added by admins.
  • APPSEC-1079: no idea.

There is also a list of extensions that are vulnerable to APPSEC-1034 and APPSEC-1063, compiled by Peter Jaap Blaakmeer.


Solution

SUPEE-6788 has been released with the admin routing changes turned off by default. This means that the patch includes the fix, but that it will be disabled when installed. This will give you some additional time to make updates to your code and will give merchants flexibility to turn on this part of the patch once their extensions and customizations have been updated to work with it.

To enable the admin routing capability for extensions after installing the patch, go to Admin -> Advanced -> Admin -> Security.

Magento CE 1.4-1.6 patches are delayed and should be available in about one week!

SUPEE-6788 Resources list

OTHER TIPS

Along the lines of other comments about detecting conflicts, we at ParadoxLabs have created a script to track down everything affected by APPSEC-1034 (admin controllers) and APPSEC-1057 (whitelist). It will also attempt to fix any bad controllers, since that's a fairly precise and invasive change to make.

It doesn't cover APPSEC-1063 (SQL injection) or APPSEC-1079 (custom options), but it would be great if it could. Not sure how to detect those with any sort of precision. We're open to contributions.

https://github.com/rhoerr/supee-6788-toolbox

This php script might be useful in identifying Magento code affected by the proposed SUPEE-6788 patch.

This is in no way a foolproof security check for this patch, but might be useful to quickly scan your installation for the modules and code affected.

Install the script with

wget https://raw.githubusercontent.com/gaiterjones/magento-appsec-file-check/master/magento_appsec_file_check.php

edit the path to your Magento installation

$_magentoPath='/home/www/magento/';

run

php magento_appsec_file_check.php

Affected files will be displayed:

*** Magento security file check ***
[1] APPSEC-1034, addressing bypassing custom admin URL
2 effected files :
<use>admin</use> found in  app/code/community/Itabs/Debit/etc/config.xml
<use>admin</use> found in  app/code/core/Mage/Adminhtml/etc/config.xml


[2] APPSEC-1063, addressing possible SQL injection
2 effected files :
collection->addFieldToFilter(' found in  app/code/community/Itabs/Debit/Model/Export/Abstract.php
collection->addFieldToFilter(' found in  app/code/community/Itabs/Debit/controllers/Adminhtml/OrderController.php
collection->addFieldToFilter(' not found.
collection->addFieldToFilter('\` not found.
collection->addFieldToFilter('\` not found.


[3] APPSEC-1057, template processing method allows access to private information
{{config path= not found.
{{block type= not found.


***********************************

The script uses grep to search Magento files for occurrences of the code that may possibly break backward compatibility with customizations or extensions when SUPEE-6788 is applied.

There is already a big list available with all the extensions that will break with SUPEE-6788.

More info here: https://docs.google.com/spreadsheets/d/1LHJL6D6xm3vD349DJsDF88FBI_6PZvx_u3FioC_1-rg/edit#gid=0

The list of allowed variables that can be processed via the content filter is bigger than was shown in the PDF:

+ trans_email/ident_support/name
+ trans_email/ident_support/email
web/unsecure/base_url
web/secure/base_url
trans_email/ident_general/name
+ trans_email/ident_general/email
trans_email/ident_sales/name
trans_email/ident_sales/email
trans_email/ident_custom1/name
trans_email/ident_custom1/email
trans_email/ident_custom2/name
trans_email/ident_custom2/email
general/store_information/name
general/store_information/phone
general/store_information/address

(I have added a + before the variables that were not described in the PDF)

The allowed blocks that can be processed via content filter are:

core/template
catalog/product_new
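Combining the search patterns from the question with the whitelist quoted in this answer, here is an added Python scanner (written for this page; it is not the script from any answer above and not a Magento tool) that lists affected files under app/code/local and app/code/community and flags {{config}}/{{block}} targets outside the whitelist. The module tree it scans is constructed sample data, and the checks are plain string searches rather than a PHP parser, so they share the question's caveat about filters built from variables.

```python
import re
import tempfile
from pathlib import Path

# Whitelist quoted in the answer above; any other {{config}}/{{block}} target is flagged.
ALLOWED_PATHS = {"web/unsecure/base_url", "web/secure/base_url"} | {
    f"trans_email/ident_{i}/{f}" for i in ("support", "general", "sales", "custom1", "custom2")
    for f in ("name", "email")} | {f"general/store_information/{f}" for f in ("name", "phone", "address")}
ALLOWED_BLOCKS = {"core/template", "catalog/product_new"}

# Search patterns from the question (string checks, not a PHP parser).
ADMIN_USE = re.compile(r"<use>\s*admin\s*</use>")
RAW_FILTER = re.compile(r"addFieldToFilter\(\s*'[(`]")
CONFIG_DIR = re.compile(r"\{\{config\s+path=[\"']?([^\"'}\s]+)")
BLOCK_DIR = re.compile(r"\{\{block\s+type=[\"']?([^\"'}\s]+)")

def disallowed_directives(text):
    """Config paths and block types referenced in text that are not whitelisted."""
    paths = [p for p in CONFIG_DIR.findall(text) if p not in ALLOWED_PATHS]
    blocks = [b for b in BLOCK_DIR.findall(text) if b not in ALLOWED_BLOCKS]
    return sorted(set(paths + blocks))

def scan_modules(magento_path):
    """Map APPSEC id -> affected files under app/code/local and app/code/community."""
    hits = {"APPSEC-1034": [], "APPSEC-1063": [], "APPSEC-1057": []}
    for pool in ("local", "community"):
        for path in Path(magento_path, "app", "code", pool).rglob("*"):
            if path.suffix not in (".xml", ".php", ".phtml"):
                continue
            text = path.read_text(encoding="utf-8", errors="replace")
            rel = str(path.relative_to(magento_path))
            if path.name == "config.xml" and ADMIN_USE.search(text):
                hits["APPSEC-1034"].append(rel)
            if path.suffix == ".php" and RAW_FILTER.search(text):
                hits["APPSEC-1063"].append(rel)
            if path.suffix != ".xml" and disallowed_directives(text):
                hits["APPSEC-1057"].append(rel)
    return {k: sorted(v) for k, v in hits.items()}

def build_sample_tree():
    root = tempfile.mkdtemp()  # constructed throwaway tree, not a real install
    files = {"app/code/community/Acme/Pay/etc/config.xml": "<use>admin</use>",
             "app/code/local/Acme/Pay/Model/Export.php": "$c->addFieldToFilter('(`id`)', 1);",
             "app/code/local/Acme/Cms/Block/Key.php": "'{{config path=\"payment/acme/api_key\"}}'",
             "app/code/local/Acme/Cms/Block/Ok.php": "'{{config path=\"web/secure/base_url\"}}'"}
    for rel, body in files.items():
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_text(body)
    return root
```

Point scan_modules at a real installation root instead of build_sample_tree() to get the per-APPSEC file list; the "Acme" module and its file contents are invented for the sample.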
Licensed under: CC-BY-SA with attribution