How to check which modules are affected by security patch SUPEE-6788
-
13-12-2019 - |
Question
On October 27, 2015, Magento has released security patch SUPEE-6788. According to the technical details, 4 APPSEC's that have been fixed require some rework in local and community modules:
- APPSEC-1034, addressing bypassing custom admin URL (disabled by default)
- APPSEC-1063, addressing possible SQL injection
- APPSEC-1057, template processing method allows access to private information
- APPSEC-1079, addressing potential exploit with custom option file type
I was wondering how to check which modules are affected by this security patch.
I came up with the following partial solution:
- APPSEC-1034: search for
<use>admin</use>
in the config.xml of all local and community modules. I think this should list all modules affected by this issue. - APPSEC-1063: search for
addFieldToFilter('(
andaddFieldToFilter('`
in all PHP files of local and community modules. This is incomplete, as variables can also be used. - APPSEC-1057: search for
{{config path=
and{{block type=
in all PHP files of local and community modules, and filter out all elements from the whitelist. This is incomplete, as it does not contain any template variables added by admins, however. - APPSEC-1079: no idea.
There is also a list of extensions that are vulnerable for APPSEC-1034 and APPSEC-1063 compiled by Peter Jaap Blaakmeer
Solution
SUPEE-6788 released and admin routing changes turned off by default. This means that the patch include the fix, but that it will be disabled when installed. This will give you some additional time to make updates to your code and will give merchants flexibility to turn on this part of the patch once their extensions and customizations have been updated to work with it.
For enable admin routing capability for extensions after install the path go to Admin -> Advanced -> Admin -> Security.
Magento CE 1.4-1.6 patches are delayed and should be available in about one week!
SUPEE-6788 Resources list
Official details & download SUPEE-6788 - http://magento.com/security/patches/supee-6788 & https://www.magentocommerce.com/download
How to apply SUPEE-6788 discussion with useful tips - https://magento.meta.stackexchange.com/a/734/2282
Install SUPEE-6788 without SSH - https://magentary.com/kb/install-supee-6788-without-ssh/
SUPEE-6788 for CE 1.7.0.1 - 1.9.2.1 on GitHub - https://github.com/brentwpeterson/magento-patches/tree/master/current-patches/CE
SUPEE-6788 for EE 1.12.x - 1.14.x on GitHub - https://github.com/brentwpeterson/magento-patches/tree/master/current-patches/EE
SUPEE-6788 and Backward Compatibility - https://info2.magento.com/rs/318-XBX-392/images/SUPEE-6788-Technical%20Details.pdf
Community driven up to date list of Extensions that will break with SUPEE-6788 / Magento 1.9.2.2 / EE 1.14.2.2 - https://docs.google.com/spreadsheets/d/1LHJL6D6xm3vD349DJsDF88FBI_6PZvx_u3FioC_1-rg/htmlview?sle=true#gid=0
Helpful Magerun commands https://github.com/peterjaap/magerun-addons
- n98-magerun dev:template-var - Find non-whitelisted vars/blocks to be compatible with SUPEE-6788 and Magento 1.9.2.2
- n98-magerun.phar dev:old-admin-routing - Find extensions that use old-style admin routing (which is not compatible with SUPEE-6788 and Magento 1.9.2.2)
Check if store patched / affected - https://www.magereport.com/
Some of custom blocks on the front page have disappeared after patch install - APPSEC-1057 How to add variables or blocks to the white list tables & https://www.pinpointdesigns.co.uk/blog/magento-ce-patch-supee-6788-custom-blocks-issue/
Magento SUPEE-6788 Developer Toolbox - find and automatically resolve major problems from the patch https://github.com/rhoerr/supee-6788-toolbox
MageDownload CLI - A PHP tool to automate Magento release and patch downloads - https://github.com/steverobbins/magedownload-cli
How to whitelist template variables and blocks for SUPEE-6788 - https://gist.github.com/avoelkl/f99e95c8caad700aee9
Check Magento files for known appsec affected code - https://github.com/Schrank/magento-appsec-file-check
Common issues with SUPEE 6788 Magento patch installation - http://www.atwix.com/magento/security-patch-supee-6788-installation-issues/
Performance improvement for Magento Patch SUPEE-6788 - https://github.com/EcomDev/SUPEE6788-PerformanceFix , https://gist.github.com/DimaSoroka/a3e567ddc39bd6a39c4e , Details - http://www.magecore.com/blog/news/performance-issues-magento-security-patch-supee-6788
OTHER TIPS
Along the lines of other comments about detecting conflicts, we at ParadoxLabs have created a script to track down everything affected by APPSEC-1034 (admin controllers) and APPSEC-1057 (whitelist). It will also attempt to fix any bad controllers, since that's a fairly precise and invasive change to make.
It doesn't cover APPSEC-1063 (SQL injection) or APPSEC-1079 (custom options), but it would be great if it could. Not sure how to detect those with any sort of precision. We're open to contributions.
This php script might be useful in identifying Magento code affected by the proposed SUPEE-6788 patch.
This is in no way a foolproof security check for this patch, but might be useful to quickly scan your installation for the modules and code affected.
Install the script with
wget https://raw.githubusercontent.com/gaiterjones/magento-appsec-file-check/master/magento_appsec_file_check.php
edit the path to your Magento installation
$_magentoPath='/home/www/magento/';
run
php magento_appsec_file_check.php
Affected files will be displayed:
*** Magento security file check ***
[1] APPSEC-1034, addressing bypassing custom admin URL
2 effected files :
<use>admin</use> found in app/code/community/Itabs/Debit/etc/config.xml
<use>admin</use> found in app/code/core/Mage/Adminhtml/etc/config.xml
[2] APPSEC-1063, addressing possible SQL injection
2 effected files :
collection->addFieldToFilter(' found in app/code/community/Itabs/Debit/Model/Export/Abstract.php
collection->addFieldToFilter(' found in app/code/community/Itabs/Debit/controllers/Adminhtml/OrderController.php
collection->addFieldToFilter(' not found.
collection->addFieldToFilter('\` not found.
collection->addFieldToFilter('\` not found.
[3] APPSEC-1057, template processing method allows access to private information
{{config path= not found.
{{block type= not found.
***********************************
The script use grep to search Magento files for occurrences of the code that may possibly break backward compatibility with customizations or extensions when SUPEE-6788 is applied.
There is already a big list available with all the extensions that will break with SUPEE-6788
More info here: https://docs.google.com/spreadsheets/d/1LHJL6D6xm3vD349DJsDF88FBI_6PZvx_u3FioC_1-rg/edit#gid=0
The list of allowed variables, that can be processed via content filter, is bigger than was shown in the PDF:
+ trans_email/ident_support/name
+ trans_email/ident_support/email
web/unsecure/base_url
web/secure/base_url
trans_email/ident_general/name
+ trans_email/ident_general/email
trans_email/ident_sales/name
trans_email/ident_sales/email
trans_email/ident_custom1/name
trans_email/ident_custom1/email
trans_email/ident_custom2/name
trans_email/ident_custom2/email
general/store_information/name
general/store_information/phone
general/store_information/address
(I have added an +
before the variables that were not described in the PDF)
The allowed blocks that can be processed via content filter are:
core/template
catalog/product_new