Question

After weeks of waiting, the patch was released today (27.10.2015): SUPEE-6788

A lot of things were patched, and it is also encouraged to review installed modules for possible vulnerabilities.

I open this post in order to get some insights about how to apply the patch. What are the steps to apply the patch? To my understanding, these are the steps:

  1. Fix modules with admin functionality that is not under the admin URL
  2. Fix modules that use SQL statements as field names or escape fields
  3. White-list blocks or directives that use variables like {{config path="web/unsecure/base_url"}} and {{block type=rss/order_new}}
  4. Addressing potential Exploit with Custom Option File Type (no idea how to do this)
  5. Apply the patch

Is this the correct procedure?


Solution

In general, you can apply the patch as you did all previous ones. Have a look at the official documentation and check this SE post. But yes, there are some additional points you should check when applying this patch. Byte/Hypernode has a nice post about it.

  1. Check if your theme has a custom template/customer/form/register.phtml or custom template/persistent/customer/form/register.phtml. If this is the case, make sure that it includes a form_key.
  2. Check if your theme has a custom layout/customer.xml. If this is the case, make sure to apply the necessary changes from the patch (customer_account_resetpassword has been changed to customer_account_changeforgotten).
  3. Do you use non-standard variables in CMS pages, static blocks or email templates? Then make sure that you whitelist them. See this SE question to learn how to whitelist variables/blocks.
  4. Do you run cron.php via HTTP? Then it is better to use cron.sh. If this is not possible, at least make sure that you call cron.php via CLI PHP. If for some reason you cannot configure a real cron job and need to run it via HTTP, see this SE question.
  5. Make sure that all your extensions use the "new" admin routing. You can use this n98-magerun plugin to check. You can also use this CLI script. You can also have a look at this related SE question.
    1. When all your extensions use the proper admin routing, make sure to disable "Enable Admin routing compatibility mode" under System - Configuration - Admin - Security.
  6. If you use M2ePro, update it to the latest version since old versions do not work with the new patch.

When updating, make sure that you delete the file dev/tests/functional/.htaccess. It is not present any more in Magento 1.9.2.2. Keeping it means you are still vulnerable.

In any case, check your page with MageReport after updating to see if everything went well.

There is also a technical blog post by Piotr, which describes the critical changes.
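Two of the checks in the answer above (extensions still on the legacy admin routing, and custom register.phtml templates without a form_key) can be scripted. The following scanner is an added example, not code from the answer, from Byte/Hypernode or from Magento; the module names (Acme_Export, Acme_Report), theme paths and file contents are constructed for the demo, and the routing check is a simple approximation: any router under `<admin><routers>` other than `adminhtml` is reported.

```python
"""Added example: walk a Magento 1 tree and report extension config.xml files
that declare their own admin router instead of registering under the shared
"adminhtml" router, plus customer registration templates without a form key.
Sample module names, paths and file contents are constructed for the demo."""
import os
import re
import sys
import tempfile
import xml.etree.ElementTree as ET

# Constructed: an extension still on the legacy routing scheme (own router,
# <use>admin</use>, custom frontName that lives outside the admin URL).
LEGACY_CONFIG = """<?xml version="1.0"?>
<config>
  <admin>
    <routers>
      <acmeexport>
        <use>admin</use>
        <args>
          <module>Acme_Export</module>
          <frontName>acmeexport</frontName>
        </args>
      </acmeexport>
    </routers>
  </admin>
</config>
"""

# Constructed: the same extension converted to the routing SUPEE-6788 expects,
# i.e. registered as a module of the shared adminhtml router.
FIXED_CONFIG = """<?xml version="1.0"?>
<config>
  <admin>
    <routers>
      <adminhtml>
        <args>
          <modules>
            <Acme_Export before="Mage_Adminhtml">Acme_Export_Adminhtml</Acme_Export>
          </modules>
        </args>
      </adminhtml>
    </routers>
  </admin>
</config>
"""

REGISTER_TEMPLATES = (
    "template/customer/form/register.phtml",
    "template/persistent/customer/form/register.phtml",
)
# The patch adds getBlockHtml('formkey') to register.phtml; accept the other
# common ways of emitting the form key as well.
FORM_KEY_RE = re.compile(
    r"""getBlockHtml\(\s*['"]formkey['"]\s*\)|getFormKey\(\)|name=['"]form_key['"]""", re.I)


def legacy_admin_routers(config_xml):
    """Names of routers under <admin><routers> other than 'adminhtml'."""
    routers = ET.fromstring(config_xml).find("admin/routers")
    if routers is None:
        return []
    return [r.tag for r in routers if r.tag != "adminhtml"]


def template_has_form_key(phtml):
    return FORM_KEY_RE.search(phtml) is not None


def scan(root_dir):
    """Sorted (kind, relative path, detail) findings for a Magento tree."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root_dir).replace(os.sep, "/")
            if name == "config.xml" and rel.startswith("app/code/"):
                with open(path, encoding="utf-8") as fh:
                    try:
                        routers = legacy_admin_routers(fh.read())
                    except ET.ParseError as err:
                        findings.append(("unparseable-xml", rel, str(err)))
                        continue
                for router in routers:
                    findings.append(("legacy-admin-router", rel, router))
            elif rel.startswith("app/design/frontend/") and rel.endswith(REGISTER_TEMPLATES):
                with open(path, encoding="utf-8") as fh:
                    if not template_has_form_key(fh.read()):
                        findings.append(("missing-form-key", rel, ""))
    return sorted(findings)


def build_demo_tree(base):
    """Constructed mini code base: one legacy and one fixed extension, one
    register.phtml without a form key and one persistent variant with it."""
    files = {
        "app/code/community/Acme/Export/etc/config.xml": LEGACY_CONFIG,
        "app/code/local/Acme/Report/etc/config.xml": FIXED_CONFIG,
        "app/design/frontend/acme/default/template/customer/form/register.phtml":
            '<form method="post">\n<input type="hidden" name="success_url" value="" />\n</form>\n',
        "app/design/frontend/acme/default/template/persistent/customer/form/register.phtml":
            "<form method=\"post\">\n<?php echo $this->getBlockHtml('formkey'); ?>\n</form>\n",
    }
    for rel, content in files.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    with tempfile.TemporaryDirectory() as base:
        build_demo_tree(base)
        return scan(base)


if __name__ == "__main__":
    for kind, rel, detail in (scan(sys.argv[1]) if len(sys.argv) > 1 else demo()):
        print(f"{kind}: {rel} {detail}".rstrip())
```

Run it with the Magento root as the only argument to scan a real installation; without an argument it scans the constructed tree. A reported `legacy-admin-router` means the extension only keeps working while "Enable Admin routing compatibility mode" stays on, so convert it before switching that mode off.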

OTHER TIPS

There is a check file which helps you to identify issues: https://github.com/gaiterjones/magento-appsec-file-check

I made a CLI script out of it. https://github.com/Schrank/magento-appsec-file-check

For Nginx, make sure you block access to cron.php and the dev folder. We use this block:

    location ~ ^/(app|includes|media/downloadable|pkginfo|report/config.xml|var|magmi|cron.php|dev)/? { deny all; }

I just applied the patch on my 1.10.1 EE and this causes side effects on native screens because the core is not APPSEC-1063 compliant:

Example:

In app/code/core/Mage/Customer/Model/Entity/Attribute/Collection.php

You can find 2 addFieldToFilter calls that are not APPSEC-1063 compliant.

This breaks the Customer > Attribute grids, so you have to patch the patch, using the trick they recommend in the PDF "SUPEE-6788-Technical%20Details%20.pdf" in the APPSEC-1063 section.

Changing the several

    $this->addFieldToFilter($field, 0);

(where $field contains complex (CASE ... WHEN ... THEN ...) SQL statements)

into

    $resultCondition = $this->_getConditionSql($field, 0);
    $this->_select->where($resultCondition);

Neither rhoerr's supee-6788-toolbox nor gaiterjones' detected this kind of issue. I checked all the other ->addFieldToFilter($ calls and none seem to be causing the issue.

Other affected 1.10 core files: (found by rhoerr's supee-6788-toolbox)

app/code/core/Mage/Bundle/Model/Mysql4/Option/Collection.php 

There may be more.
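The case described in the answer above, where the SQL expression is built elsewhere and reaches addFieldToFilter() through a variable, is exactly what a grep for string literals misses. The scanner below is an added example, not code from the answer and not rhoerr's or gaiterjones' tools: it finds every addFieldToFilter() call, parses the first argument with quote and bracket awareness, and reports literals that are not plain column names as raw SQL and everything else (variables, calls, concatenations) as needing manual review. The class name, method and column names in the sample PHP are constructed.

```python
"""Added example: heuristic scanner for addFieldToFilter() calls whose first
argument is not a plain column name. After APPSEC-1063 that argument is quoted
as an identifier, so a raw SQL expression in that position breaks the query.
The sample PHP class below is constructed for the demo."""
import re

CALL_RE = re.compile(r"->addFieldToFilter\s*\(")
# 'column' or 'table.column' in single or double quotes: safe to leave alone.
SIMPLE_COLUMN = re.compile(r"""^(['"])[A-Za-z_]\w*(\.[A-Za-z_]\w*)?\1$""")

# Constructed sample collection: two fine calls and the two shapes to check.
SAMPLE_PHP = r"""<?php
class Acme_Example_Model_Resource_Collection extends Mage_Core_Model_Resource_Db_Collection_Abstract
{
    public function filterExamples(array $ids)
    {
        $this->addFieldToFilter('entity_id', array('in' => $ids));
        $this->addFieldToFilter('main_table.is_active', 1);
        // raw expression as the "field": gets backtick-quoted after the patch
        $this->addFieldToFilter('(CASE WHEN attribute_code = "x" THEN 1 ELSE 0 END)', 0);
        // the case from the answer: the SQL is built elsewhere and passed in a variable
        $field = $this->getConnection()->getCheckSql('is_visible = 1', '1', '0');
        $this->addFieldToFilter($field, 0);
        return $this;
    }
}
"""


def first_argument(src, pos):
    """Text of the argument starting at src[pos], honouring quotes and nested
    brackets, ending at the first top-level ',' or ')'."""
    depth, quote, i = 0, None, pos
    while i < len(src):
        c = src[i]
        if quote:
            if c == "\\":
                i += 1            # skip the escaped character
            elif c == quote:
                quote = None
        elif c in "\"'":
            quote = c
        elif c in "([":
            depth += 1
        elif c in ")]":
            if depth == 0:
                break
            depth -= 1
        elif c == "," and depth == 0:
            break
        i += 1
    return src[pos:i].strip()


def classify_field(arg):
    if SIMPLE_COLUMN.match(arg):
        return "ok"
    if arg.startswith(("'", '"')):   # a literal that is not a plain column
        return "raw-sql-field"
    return "needs-review"            # variable, call or concatenation


def scan_php(src, filename="<string>"):
    """(filename, line, verdict, first argument) for every call to look at."""
    findings = []
    for m in CALL_RE.finditer(src):
        arg = first_argument(src, m.end())
        verdict = classify_field(arg)
        if verdict != "ok":
            line = src.count("\n", 0, m.start()) + 1
            findings.append((filename, line, verdict, arg))
    return findings


if __name__ == "__main__":
    for filename, line, verdict, arg in scan_php(SAMPLE_PHP, "Collection.php"):
        print(f"{filename}:{line}: {verdict}: addFieldToFilter({arg}, ...)")
        # The rewrite from the answer above: build the condition SQL yourself
        # and hand it to the select instead of the identifier-quoting filter.
        print(f"    -> $this->_select->where($this->_getConditionSql({arg}, $condition));")
```

On a real code base, feed each PHP file's contents to scan_php() and triage the `needs-review` hits by hand: a variable holding a column name is fine, one holding a CASE expression needs the `_getConditionSql()` rewrite shown above.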

Licensed under: CC-BY-SA with attribution