Magento 1.9.3.1 XSS Vulnerability Fix When Adding a Category

magento-1magento-1.9magento1.9.3.1Securityupgrade

As you may know 1.9.3.1 has been been released.

In the release notes, I found that on top of bug fixes, there also was two security features:

Prevented a potential Cross-Site Request Forgery (CSRF) vulnerability by changing the form key when a customer signs out of
the storefront.

Prevented a potential Cross-Site Scripting (XSS) vulnerability when adding a category.

I found the code change related to the first point in Mage/Customer/Model/Session however, I can't get my hands on the changes made to apply the second security feature. Anyone could enlighten me here ?

Best Answer

Got the confirmation from a Magento team member that the second security fix:

Prevented a potential Cross-Site Scripting (XSS) vulnerability when adding a category.

Is only affecting EE.

Related Solutions

Magento – CSRF Attack & Session Hijack Vulnerability

In short, yes. CE 1.7 is still vulnerable to those specific attacks because no security release has been issued which contains a patch.

In the case of the latter one, a session fixation attack, the change is an upgrade in the security practices which Magento already used to stay in line with current security best-practices. Not something likely to be issued to CE 1.7 if they do issue a patch with the CSRF fixes.

The real question is what exactly were these CSRF vulnerabilities which were fixed? Doubtless a good thing that they did not include specifics in the release notes, thus further jeopardizing all prior releases, but it would be nice to know for the sake of patching old implementations.

UPDATE #1: Upon reaching out to Magento to find out when they will be issuing patches for the above vulnerabilities, I received the following reply:

Allow me some time to research this further. I'm not sure if there are patches available for those two items, as they are listed in our system as product enhancements and not as bugs. I'll update you when I get more information.

I'll post back further details here as I get them, and will be doing my best to get patches issued since it seems that there are not currently any patches in existence.

UPDATE #2: After back and forth with the support team, I was able to obtain a proper patch for Magento EE 1.12.0.2. No patch was issued for Magento CE 1.7.0.2, and as far as the technician who looked into it internally for me knows, there are no plans to release an official patch for CE 1.7.x instead resolving the issues only in the upcoming CE 1.8 stable release.

As for the EE specific patch file, I cannot post it (or the patch application tool) here directly since it would most undoubtedly be in violation of NDA between Magento and myself personally and the company for which I work. The name of the relevant patch is: "PATCH_SUPEE-1513_EE_1.12.0.2_v1.sh" — If you have the Enterprise Edition or a client using it, you should be able to request this patch from the Magento support team along with a note about the CSRF vulnerabilities which it is supposed to fix.

For CE 1.7.0.2 users, I've taken the freedom to generate a patch file (based on the patch provided by Magento) which includes only the hunks of code which alter Magento CE 1.7.0.2 core code files. In normal fashion, it includes irrelevant bits of added comments and adjusted formatting along with the relevant code changes. Creating this required manually altering the original patch to apply it using the provided patch applying tool, then using git to generate a patch based on the applied changes.

The patch file which I've created can be downloaded from this gist: https://gist.github.com/davidalger/5938568

To apply the patch, first cd into the root of your Magento installation and run the following command: patch -p1 -i ./Magento_CE_1.7.0.2_v1-CSRF_Patch.diff

The EE specific patch included form key validation checks to Enterprise specific controllers, alterations to enterprise/default and enterprise/iphone template files to include form keys in the forms being used for the patched controller actions, and additional Full Page Cache funtionality to properly account for passing form keys back and forth on cached pages.

DISCLAIMER: I have NOT TESTED either the EE patch provided by Magento nor the patch I've uploaded to the linked gist. The patch provided in the referenced gist is provided with NO WARRANTY and may or may not fully resolve the vulnerabilities referenced in the CE 1.8 release notes. As an untested patch, there is also no guarantee that it functions in whole or part. I.e. use at your own risk, and take due diligence to test before deploying to a production environment. If you find issues with the patch, let me know and I'll update it.

Magento – actually Magento CE 1.9.3.2

The reason why Magento is doing this is because whenever a patch is released, they need to include it into a new release. Otherwise they are going to have to say "Hey download 1.9.3.0, then add SUPEE-8788 and SUPEE-9652". Then people that don't know how to apply patches are going to complain (and they have which is why they are doing this).

If you take a look at patch SUPEE-9652, that is where you see the sendmail.php update. The dates are changed to 2017 because this release is in 2017 and the last one is was in 2016.

The Magento 1 version policy looks like this:

1 . MAJOR . MINOR . PATCH

Best Answer

Related Solutions

Magento – CSRF Attack & Session Hijack Vulnerability

Magento – actually Magento CE 1.9.3.2

Related Topic