On October 27, 2015, Magento released security patch SUPEE-6788. According to the technical details, four of the APPSECs that have been fixed require some rework in local and community modules:
- APPSEC-1034, addressing bypassing custom admin URL (disabled by default)
- APPSEC-1063, addressing possible SQL injection
- APPSEC-1057, template processing method allows access to private information
- APPSEC-1079, addressing potential exploit with custom option file type
I was wondering how to check which modules are affected by this security patch.
I came up with the following partial solution:
- APPSEC-1034: search for
  <use>admin</use>
  in the config.xml of all local and community modules. I think this should list all modules affected by this issue.
- APPSEC-1063: search for
  addFieldToFilter('(
  and
  addFieldToFilter('`
  in all PHP files of local and community modules. This is incomplete, as variables can also be used.
- APPSEC-1057: search for
  {{config path=
  and
  {{block type=
  in all PHP files of local and community modules, and filter out all elements from the whitelist. This is incomplete, however, as it does not contain any template variables added by admins.
- APPSEC-1079: no idea.
There is also a list of extensions that are vulnerable to APPSEC-1034 and APPSEC-1063, compiled by Peter Jaap Blaakmeer.
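The three searches described in the question, as an added example that is not part of the original post: a POSIX shell script that greps app/code/local and app/code/community for each pattern, with one function per APPSEC. The module names, file contents and directory layout in make_fixture are constructed sample data so the scanner can be tried offline; the whitelist filtering for APPSEC-1057 is not implemented, since the whitelist lives in the database after the patch.

```shell
#!/bin/sh
# Added example (not from the original post): grep local and community modules
# for the code patterns listed in the question, one function per APPSEC.
# Usage: sh supee6788_scan.sh /path/to/magento

# APPSEC-1034: modules whose config.xml routes through <use>admin</use>
scan_appsec_1034() {
  grep -rl --include=config.xml '<use>admin</use>' \
    "$1/app/code/local" "$1/app/code/community" 2>/dev/null
}

# APPSEC-1063: addFieldToFilter() whose field name starts with "(" or "`".
# Field names passed in variables are not caught, as the question notes.
scan_appsec_1063() {
  grep -rlE --include='*.php' "addFieldToFilter\('[(\`]" \
    "$1/app/code/local" "$1/app/code/community" 2>/dev/null
}

# APPSEC-1057: {{config path=...}} / {{block type=...}} directives in PHP code.
# Entries already on the whitelist are not filtered out here.
scan_appsec_1057() {
  grep -rlE --include='*.php' "\{\{(config path|block type)=" \
    "$1/app/code/local" "$1/app/code/community" 2>/dev/null
}

scan_all() {
  for id in 1034 1063 1057; do
    echo "APPSEC-$id:"
    "scan_appsec_$id" "$1" || echo "  (no matches)"
  done
}

# Constructed fixture (hypothetical Acme_Foo / Acme_Bar modules) for trying the
# scanner offline; prints the temporary root directory it created.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/app/code/local/Acme/Foo/etc" "$root/app/code/local/Acme/Foo/Model" \
           "$root/app/code/community/Acme/Bar/etc" "$root/app/code/community/Acme/Bar/Block"
  printf '<config><admin><routers><acme><use>admin</use></acme></routers></admin></config>\n' \
    > "$root/app/code/local/Acme/Foo/etc/config.xml"
  printf '<config><frontend><routers><acme><use>standard</use></acme></routers></frontend></config>\n' \
    > "$root/app/code/community/Acme/Bar/etc/config.xml"
  printf "<?php \$c->addFieldToFilter('(price', array('gt' => 0));\n" \
    > "$root/app/code/local/Acme/Foo/Model/Collection.php"
  printf '<?php echo "{{block type=core/template template=acme/foo.phtml}}";\n' \
    > "$root/app/code/community/Acme/Bar/Block/Foo.php"
  echo "$root"
}

if [ $# -gt 0 ]; then scan_all "$1"; fi
```

Run it against a real installation with `sh supee6788_scan.sh /var/www/magento`; each listed file is a starting point for manual review, not proof that the module breaks.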
Best Answer
SUPEE-6788 has been released with the admin routing changes turned off by default. This means that the patch includes the fix, but that it will be disabled when installed. This will give you some additional time to make updates to your code and will give merchants the flexibility to turn on this part of the patch once their extensions and customizations have been updated to work with it.
To enable the admin routing capability for extensions after installing the patch, go to Admin -> Advanced -> Admin -> Security.
Magento CE 1.4-1.6 patches are delayed and should be available in about one week!
SUPEE-6788 Resources list
Official details & download SUPEE-6788 - http://magento.com/security/patches/supee-6788 & https://www.magentocommerce.com/download
How to apply SUPEE-6788 discussion with useful tips - https://magento.meta.stackexchange.com/a/734/2282
Install SUPEE-6788 without SSH - https://magentary.com/kb/install-supee-6788-without-ssh/
SUPEE-6788 for CE 1.7.0.1 - 1.9.2.1 on GitHub - https://github.com/brentwpeterson/magento-patches/tree/master/current-patches/CE
SUPEE-6788 for EE 1.12.x - 1.14.x on GitHub - https://github.com/brentwpeterson/magento-patches/tree/master/current-patches/EE
SUPEE-6788 and Backward Compatibility - https://info2.magento.com/rs/318-XBX-392/images/SUPEE-6788-Technical%20Details.pdf
Community driven up to date list of Extensions that will break with SUPEE-6788 / Magento 1.9.2.2 / EE 1.14.2.2 - https://docs.google.com/spreadsheets/d/1LHJL6D6xm3vD349DJsDF88FBI_6PZvx_u3FioC_1-rg/htmlview?sle=true#gid=0
Helpful Magerun commands https://github.com/peterjaap/magerun-addons
Check if store patched / affected - https://www.magereport.com/
Some custom blocks on the front page have disappeared after patch install - APPSEC-1057 How to add variables or blocks to the white list tables & https://www.pinpointdesigns.co.uk/blog/magento-ce-patch-supee-6788-custom-blocks-issue/
Magento SUPEE-6788 Developer Toolbox - find and automatically resolve major problems from the patch https://github.com/rhoerr/supee-6788-toolbox
MageDownload CLI - A PHP tool to automate Magento release and patch downloads - https://github.com/steverobbins/magedownload-cli
How to whitelist template variables and blocks for SUPEE-6788 - https://gist.github.com/avoelkl/f99e95c8caad700aee9
Check Magento files for known appsec affected code - https://github.com/Schrank/magento-appsec-file-check
Common issues with SUPEE 6788 Magento patch installation - http://www.atwix.com/magento/security-patch-supee-6788-installation-issues/
Performance improvement for Magento Patch SUPEE-6788 - https://github.com/EcomDev/SUPEE6788-PerformanceFix , https://gist.github.com/DimaSoroka/a3e567ddc39bd6a39c4e , Details - http://www.magecore.com/blog/news/performance-issues-magento-security-patch-supee-6788