Installing Magento Security Patch SUPEE-6788

January 13, 2016 Andrew Matskevich Magento

Magento security patch SUPEE-6788, released on the 27th of October 2015, fixes more than 10 security problems, including remote execution and data leaks. It has been included in Magento 1.9.2.2. Unfortunately, along with these numerous fixes, it affects several extensions. The best way to deal with these issues is to make a development copy of your site before installing the patch and install the patch there. You can find out more about it here.

Installation process.

At the beginning, the process is similar to the installation of previous patches:

  • Download the patch for the corresponding version of Magento. The Magento version is displayed in the footer of the admin panel.


  • Upload the file to the website root on the server.
  • Execute the command bash PATCH_SUPEE-6788_CE_<version number>.sh via SSH.

Note:

What to do if you get this error after the installation, while applying SUPEE-6788:

1 out of 1 hunk FAILED

Most likely the .htaccess file has been changed (this file is modified often). The patch changes this file too, which is why this error can occur. To solve the issue, rename the .htaccess file (the new name can be something like .htaccess_old), then take the original .htaccess from the corresponding version of Magento: download the Magento archive from https://www.magentocommerce.com/download, unpack it and upload its .htaccess file to the server. After that, execute the command bash PATCH_SUPEE-6788_CE_<version number>.sh. If everything goes well, you need to merge the changes from the patch into .htaccess_old, because .htaccess_old can contain important server settings and redirects. The patch makes the following changes:

###########################################
## Deny access to cron.php
    <Files cron.php>

############################################
## uncomment next lines to enable cron access with base HTTP authorization
## http://httpd.apache.org/docs/2.2/howto/auth.html
##
## Warning: .htpasswd file should be placed somewhere not accessible from the web.
## This is so that folks cannot download the password file.
## For example, if your documents are served out of /usr/local/apache/htdocs
## you might want to put the password file(s) in /usr/local/apache/.

        #AuthName "Cron auth"
        #AuthUserFile ../.htpasswd
        #AuthType basic
        #Require valid-user

############################################

        Order allow,deny
        Deny from all

    </Files>

You need to add it to the bottom of the .htaccess_old file and then rename that file back to .htaccess, replacing the original file with this name.
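The merge step described above can be made repeatable. The following is an added example, not part of the patch or of the original article: it appends only the active directives of the cron.php block (the commented-out authentication lines are left out) and does nothing if the file already has a `<Files cron.php>` section. The function names and the sample file are assumptions made for the example.

```shell
#!/bin/sh
# Added example: append the cron.php deny block from the patch to a customised
# .htaccess only when it is not already there, so a second run is harmless.

# has_cron_block FILE: succeed if FILE already opens a <Files cron.php> section.
has_cron_block() {
    grep -Eiq '^[[:space:]]*<Files[[:space:]]+"?cron\.php"?[[:space:]]*>' "$1"
}

# add_cron_block FILE: append the deny block unless present; prints what it did.
add_cron_block() {
    if has_cron_block "$1"; then
        echo "unchanged"
        return 0
    fi
    # The leading blank line keeps the block separate even when FILE
    # does not end with a newline.
    cat >> "$1" <<'EOF'

## Deny access to cron.php
<Files cron.php>
    Order allow,deny
    Deny from all
</Files>
EOF
    echo "appended"
}

# Constructed sample: a customised .htaccess_old with one site-specific redirect.
demo=$(mktemp -d)
printf 'RewriteEngine on\nRedirect 301 /old-page /new-page\n' > "$demo/.htaccess_old"
add_cron_block "$demo/.htaccess_old"    # first run appends the block
add_cron_block "$demo/.htaccess_old"    # second run leaves the file alone
```

The block uses the Apache 2.2 access directives exactly as the patch ships them; on Apache 2.4 these directives depend on mod_access_compat being loaded.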

Then you need to make some fixes specific to this patch. The patch introduces permissions for access to some blocks and variables. Now, when you need to add a block to a CMS page or email template, you also need to add it under System > Permissions > Blocks or System > Permissions > Variables. This means that after the patch is installed, you will find that some blocks are missing in emails and pages. Fortunately, this problem can be solved automatically using the following script: https://github.com/rhoerr/supee-6788-toolbox. You’ll need only one file, fixSUPEE6788.php. Just put it in the directory <website root>/shell. Then execute the command php -f fixSUPEE6788.php -- fixWhitelists. As a result you’ll get the following:

---- SUPEE-6788 Developer Toolbox by ParadoxLabs ------------------
https://github.com/rhoerr/supee-6788-toolbox
Time: 2015-11-04T12:05:14+00:00

---- Searching for whitelist problems -----------------------------
Blocks that are not whitelisted:
catalog/product_list in cms_block=business
newsletter/subscribe in cms_block=header_slider

-------------------------------------------------------------------
---- SUPEE-6788 Developer Toolbox by ParadoxLabs ------------------
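What a whitelist check like the one above amounts to, as an added example that is not the toolbox's code: it assumes the CMS or email content has been exported to a text file and the allowed entries to a one-per-line file. The file names, function names and all sample data are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the toolbox: report CMS/email directives whose
# target is missing from an allowlist. All file names and data are constructed.

# used_values KIND ATTR FILE
#   Print each distinct ATTR value of the {{KIND ...}} directives in FILE,
#   e.g. KIND=block ATTR=type, or KIND=config ATTR=path. Both quote styles count.
used_values() {
    grep -o "{{$1 [^}]*}}" "$3" |
        sed -n "s/.* $2=[\"']\([^\"']*\)[\"'].*/\1/p" |
        sort -u
}

# unlisted KIND ATTR ALLOWLIST FILE
#   Print the values used in FILE that are not a whole line of ALLOWLIST.
unlisted() {
    used_values "$1" "$2" "$4" |
        awk -v list="$3" '
            BEGIN { while ((getline line < list) > 0) allowed[line] = 1 }
            !($0 in allowed)'
}

# Constructed sample: an allowlist with two entries and some exported CMS content.
work=$(mktemp -d)
printf '%s\n' core/template catalog/product_new > "$work/blocks.allow"
cat > "$work/cms.txt" <<'EOF'
<div>{{block type="catalog/product_list" template="catalog/product/list.phtml"}}</div>
<p>{{block type='newsletter/subscribe' template="newsletter/subscribe.phtml"}}</p>
<p>{{block type="core/template" template="page/html/footer.phtml"}}</p>
<a href="{{config path="web/unsecure/base_url"}}">Home</a>
EOF

# Block types used in the content but absent from the allowlist.
unlisted block type "$work/blocks.allow" "$work/cms.txt"
```

The same function covers variables when called as `unlisted config path <allowlist> <content>`.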

In the admin panel, the patch disables URLs that don’t contain the admin prefix (for example, http://domain.com/cool_module instead of http://domain.com/admin/cool_module). The list of extensions that use such URLs is relatively big. That is probably why this fix is disabled by default and can be enabled in admin:

System > Configuration > Admin > Security > Admin routing compatibility mode for extensions.

After you enable this option and open a page of an extension that uses the old admin URLs, you’ll see a 404 error. It’s best to update these modules if the updates include fixes for SUPEE-6788 (the module’s description should contain such information), and it’s easier if your modules are not customized. If there are no updates, you can use the script fixSUPEE6788.php. Unfortunately, the script doesn’t always fix the module, which is why it’s preferable to get an update from the developer. But in most cases the update makes the extension work correctly.

Execute the command php -f fixSUPEE6788.php -- fix. As a result, you’ll see all the changes that the script makes. They are also saved in the file var/log/fixSUPEE6788-modules.log. At the end you can see the list of issues.

Issues:
MageWorx module route already includes _Adminhtml. Admin routes for the module will have to be fixed manually.
app/code/community/AW/Blog/controllers/Adminhtml does not exist! This module’s admin routes must be corrected manually.
POSSIBLE SQL VULNERABILITY:
app/code/local/Xtento/OrderExport/Model/Export/Data/Shared/Items.php

This is the list of problems that could not be solved automatically and must be fixed manually.

What you must check first after you update.

Problems can appear even on the home page and CMS pages. These problems can be fixed using the command php -f fixSUPEE6788.php -- fixWhitelists as described above.

In most cases the patch affects the admin panel of the website. Menu links can lead to pages and custom modules that show a 404 error. This problem can be resolved using the command php -f fixSUPEE6788.php -- fix, or by updating the extension.

Check user registration. It can be fixed by inserting the code in the form templates customer/form/register.phtml and persistent/customer/form/register.phtml in the theme of your website.

 

More useful articles on this subject:

How to Apply and Revert Magento Patches

SUPEE-6788 TECHNICAL DETAILS


