Question

As we know, Magento released the latest security patch, 9652.

I have applied the security patch on my server and checked it at https://www.magereport.com

but I cannot find out whether the security patch is applied perfectly or not.


Does anyone know why it is not displayed as green after we have applied the security patch?

Thanks,


Solution

You can see the answer yourself in the screenshot you provided:

This patch cannot be detected from the outside, without hacking your shop.

Because the vulnerability is in the Zend Framework's handling of Sendmail, it is not possible for a website such as MageReport to detect if your installation is exposed.

To truly attempt to check for a vulnerability, the tester would have to directly attack your website and inspect the results, which MageReport will not do. As MageReport say in their FAQs:

Is it safe to run this test?

Yes. This site exclusively uses passive checks, ie they run in read-only mode and do not, in any way, modify your shop.

Unfortunately the only way to check if this patch is installed is to check the file itself.

OTHER TIPS

You cannot check this patch by magereport.com.

Because there is no KB article for SUPEE-9652 at MageReport like the one for SUPEE-8788 (https://www.magereport.com/knowledgebase/how-to-apply-magento-8788) till now, so that we could understand whether SUPEE-9652 is applied on the system or not.

The only solution is that we need to check manually.

Just go to lib/Zend/Mail/Transport/Sendmail.php

 diff --git lib/Zend/Mail/Transport/Sendmail.php lib/Zend/Mail/Transport/Sendmail.php
    index b24026b..9323f58 100644
    --- lib/Zend/Mail/Transport/Sendmail.php
    +++ lib/Zend/Mail/Transport/Sendmail.php
    @@ -119,14 +119,19 @@ class Zend_Mail_Transport_Sendmail extends Zend_Mail_Transport_Abstract
                     );
                 }

    -            set_error_handler(array($this, '_handleMailErrors'));
    -            $result = mail(
    -                $this->recipients,
    -                $this->_mail->getSubject(),
    -                $this->body,
    -                $this->header,
    -                $this->parameters);
    -            restore_error_handler();
    +            // Sanitize the From header
    +            if (!Zend_Validate::is(str_replace(' ', '', $this->parameters), 'EmailAddress')) {
    +                throw new Zend_Mail_Transport_Exception('Potential code injection in From header');
    +            } else {
    +                set_error_handler(array($this, '_handleMailErrors'));
    +                $result = mail(
    +                    $this->recipients,
    +                    $this->_mail->getSubject(),
    +                    $this->body,
    +                    $this->header,
    +                    $this->parameters);
    +                restore_error_handler();
    +            }
             }

             if ($this->_errstr !== null || !$result) {
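
Review bot: In the added `Zend_Validate::is(str_replace(' ', '', $this->parameters), 'EmailAddress')` check, the whole of `$this->parameters` is validated as one e-mail address once spaces are removed, so any value that is not a single address now throws instead of sending; that behaviour change should be stated in a comment or docblock. The comment "Sanitize the From header" is also inaccurate: the code validates and rejects rather than sanitizes, and it acts on the fifth argument to `mail()`, not on `$this->header`. The `else` after the `throw` is redundant; dropping it would keep the `mail()` call at its original indentation and shrink the diff.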

So, more details about this patch by a fellow:

SecurityPatch 9652: Possible problems after SUPEE-9652 applied

Simply use SSH to check if your shop is patched

You can scan your site with magereport.com to see if a patch is installed or not. If a check comes up grey it’s possible the files that are needed for the check are relocated. Therefore it can’t see whether your shop is patched or not. No worries. Simply use SSH to check if your shop is patched.

Every check that’s been installed can easily be found in the content of your shop. More specifically it’s logged in app/etc/applied.patches.list

So you run this command 'grep' on SSH to access the list of applied security patches:

    grep '|' app/etc/applied.patches.list

The output will look like this:

    -e 2015-04-14 08:34:22 UTC | SUPEE-5344 | EE_1.14.1.0 | v1 | a5c9abcb6a387aabd6b33ebcb79f6b7a97bbde77 | Thu Feb 5 19:14:49 2015 +0200 | v1.14.1.0..HEAD

For more information, kindly visit the URL below: https://support.hypernode.com/knowledgebase/how-to-apply-magento-patches/

Hope it's helpful for anyone.
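
The manual check described in the answer above, as an added example that is not part of the original answers: a POSIX shell function that combines both on-disk signs, the SUPEE-9652 line in app/etc/applied.patches.list and the exception string the patch adds to lib/Zend/Mail/Transport/Sendmail.php. The function names, result words and sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a Magento 1 tree by the two on-disk signs of SUPEE-9652.
# Function names and result words are this example's own, not Magento's.
supee_9652_status() {
    list="$1/app/etc/applied.patches.list"
    file="$1/lib/Zend/Mail/Transport/Sendmail.php"
    listed=no; coded=no
    # Sign 1: a '|'-separated line in the patch log names the patch.
    if [ -f "$list" ] && grep '|' "$list" | grep -q 'SUPEE-9652'; then listed=yes; fi
    # Sign 2: the exception message that the patch adds to Sendmail.php.
    if [ -f "$file" ] && grep -qF 'Potential code injection in From header' "$file"; then
        coded=yes
    fi
    case "$listed/$coded" in
        yes/yes) echo patched ;;
        yes/no)  echo listed-but-code-missing ;;  # log says applied, file on disk is old
        no/yes)  echo code-present-not-listed ;;  # file changed without the patch script
        *)       echo unpatched ;;
    esac
}

# Constructed sample tree so the example runs offline.
# $1 = directory, $2 = patch-log line ('' for none), $3 = Sendmail.php content
make_sample() {
    mkdir -p "$1/app/etc" "$1/lib/Zend/Mail/Transport"
    if [ -n "$2" ]; then printf '%s\n' "$2" > "$1/app/etc/applied.patches.list"; fi
    printf '%s\n' "$3" > "$1/lib/Zend/Mail/Transport/Sendmail.php"
}

LOG_LINE='SAMPLE-DATE | SUPEE-9652 | SAMPLE-VERSION | v1 | SAMPLE-HASH'   # constructed
OLD_BODY='$result = mail($this->recipients);'                              # constructed
NEW_BODY="throw new Zend_Mail_Transport_Exception('Potential code injection in From header');"

demo() {
    tmp=$(mktemp -d)
    make_sample "$tmp/a" "$LOG_LINE" "$NEW_BODY"
    make_sample "$tmp/b" "$LOG_LINE" "$OLD_BODY"
    make_sample "$tmp/c" ""          "$OLD_BODY"
    for d in a b c; do echo "$d: $(supee_9652_status "$tmp/$d")"; done
    rm -rf "$tmp"
}
demo
```

On a real shop, call `supee_9652_status /path/to/magento/root` after reloading caches; a `listed-but-code-missing` result means the log and the file on disk disagree and the file should be inspected by hand.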

Magereport keeps saying the security patch isn’t installed

We found out that there are several reasons why patches can come out as uninstalled on Magereport.com, so we recommend you to check the following:

When compilation is enabled in the backend of your Magento, the Magento patch doesn’t work properly. Disable compilation (navigate to System > Tools > Compilation page and click on Disable button) to make sure the patch works. After disabling compilation, check your site with magereport.com again. If the check still comes out as not installed, try re-compiling.

Check if the patch is installed in the correct directory; reload your opcode cache, webserver, php-fpm process and possibly other caches. The old code might still be active;

Check your shop’s .htaccess. If you’ve made any adjustments in your .htaccess, it’s possible the patch is only partially installed;

[SUPEE-6482-only] Using a Magento version older than Magento 1.6.1.0? Update to a more recent version. When patching Magento versions older than Magento 1.6.1.0, certain redirects aren’t added.

We hope one of the causes mentioned above can fix your problem. If not, we recommend you to hire a Magento specialist. Unfortunately we can’t help fixing these problems. We’re a hosting company that specializes in Magento hosting. Magento development however is a completely different specialty. A list of Magento developers per country can be found on Magereport.com.

Source: https://support.hypernode.com/knowledgebase/how-to-apply-magento-patches/

Licensed under: CC-BY-SA with attribution
Not affiliated with magento.stackexchange