Magento Security Patch – What is Patched in SUPEE-6482?

magento-1.9patchesSecurity

Today 04.08.2015 there was a new security patch released, some colleagues and I were checking the patch, and is always nice to have some discussion about what changed, also does anyone know what are the possible attacks that could affect and unpatched shop?
What 's the worst that could happen?

Update: I just wanted to add the email magento sent today to complete the post.

Best Answer

The actual security patch (SUPEE-6482) only affects the two following files and is an API patch.

app/code/core/Mage/Api/Model/Server/Adapter/Soap.php
app/code/core/Mage/Catalog/Model/Product/Api/V2.php

The full 1.9.2.1 install is a different matter altogether. I would diff source code between 1.9.2.0 and 1.9.2.1 to figure out the other two items that were patched.

Release notes are for the full installer, you have to check the patch to see if it actually includes all the items noted in the release notes.

Implications of running an unpatched server:

Cross-site Scripting Using Unvalidated Headers => Cache Poisoning
Autoloaded File Inclusion in Magento SOAP API => Remote code autoload
XSS in Gift Registry Search => Cookie theft and user impersonation
SSRF Vulnerability in WSDL File => Internal server info leak and remote file inclusion

NOTE: Files patched in the full install archive that are not patched with the patch, hmm?

diff -r magento-1920/app/code/core/Mage/Core/Controller/Request/Http.php magento-1921/app/code/core/Mage/Core/Controller/Request/Http.php
300a301
>         $host = $_SERVER['HTTP_HOST'];
302,303c303,304
<             $host = explode(':', $_SERVER['HTTP_HOST']);
<             return $host[0];
---
>             $hostParts = explode(':', $_SERVER['HTTP_HOST']);
>             $host =  $hostParts[0];
305c306,313
<         return $_SERVER['HTTP_HOST'];
---
> 
>         if (strpos($host, ',') !== false || strpos($host, ';') !== false) {
>             $response = new Zend_Controller_Response_Http();
>             $response->setHttpResponseCode(400)->sendHeaders();
>             exit();
>         }
> 
>         return $host;

diff -r magento-1920/app/design/frontend/base/default/template/page/js/cookie.phtml magento-1921/app/design/frontend/base/default/template/page/js/cookie.phtml
37,38c37,38
< Mage.Cookies.path     = '<?php echo $this->getPath()?>';
< Mage.Cookies.domain   = '<?php echo $this->getDomain()?>';
---
> Mage.Cookies.path     = '<?php echo Mage::helper('core')->jsQuoteEscape($this->getPath()) ?>';
> Mage.Cookies.domain   = '<?php echo Mage::helper('core')->jsQuoteEscape($this->getDomain()) ?>';

Applying patches manually with no SSH access

You have a good point here. The patches are supplied as .sh files and there is no solution offered by Magento for FTP only websites.

I suggest one would copy his website's code to a local environment through FTP (you would probably have that already). Then apply the patch by running the .sh file.

Now you need to find out which files you need to upload again. If you would open the .sh patch file, then you will see it consist of two sections:

Bash shell code to apply the patch. This code is general for every patch.
The actual patch in the form of a unified patch format. This indicates only the lines in files that were changed (including some context lines). This starts below the line __PATCHFILE_FOLLOWS__

From the second section you could read which files were/are affected by the patch. You need to upload these files again to your FTP or... you could just upload everything.

Applying manually without bash/shell

If you can't run .sh files (in Windows), then you could extract the second section of the patch (the unified patch) and apply it manually with a patching tool (or for example through PHPStorm).
The website Magentary.com provides ZIP files for each Magento version containing the patched files only.

Patches in current & future releases?

The patches that are released right now apply to all versions that were already released. Of course, might Magento release a new version (major or minor). Then they will contain all security patches as Magento will also apply the patches to their development code base naturally (these patches even originate from that code base ;)).

UPDATE:
Every last patch Magento has also released new versions of Magento CE and EE already containing the specific latest patch. See the Release Archive tab on the Magento download page.

Check this sheet, maintained by JH, for which patches to install for which Magento CE and EE version: https://docs.google.com/spreadsheets/d/1MTbU9Bq130zrrsJwLIB9d8qnGfYZnkm4jBlfNaBF19M

Magento 1.9 – SUPEE-6285 Patch Changes

As already mentioned, the patched vulnerabilities are described in detail on this official page (new merchant docs): http://merch.docs.magento.com/ce/user_guide/Magento_Community_Edition_User_Guide.html#magento/patch-releases-2015.html

Summary

This bundle includes protection against the following security-related issues:

Customer Information Leak via RSS and Privilege Escalation

Request Forgery in Magento Connect Leads to Code Execution

Cross-site Scripting in Wishlist

Cross-site Scripting in Cart

Store Path Disclosure

Permissions on Log Files too Broad

Cross-site Scripting in Admin

Cross-site Scripting in Orders RSS

After patching a few shops, this is what I gathered:

Theme patches

Some theme files have been patched with added escaping to prevent possible XSS attacks:

checkout/cart.phtml
checkout/cart/noItems.phtml
checkout/onepage/failure.phtml
rss/order/details.phtml
wishlist/email/rss.phtml

If your theme(s) contain any of these templates, or if you made modifications directly in base/default (good luck, you are screwed), then you need to patch them manually:

in the checkout templates, replace all occurences of

$this->getContinueShoppingUrl()

with

Mage::helper('core')->quoteEscape($this->getContinueShoppingUrl())

in wishlist/email/rss.phtml, replace

$this->helper('wishlist')->getCustomerName()

with

Mage::helper('core')->escapeHtml($this->helper('wishlist')->getCustomerName())

In rss/order/details.phtml, replace

<?php echo $this->__('Customer Name: %s', $_order->getCustomerFirstname()?$_order->getCustomerName():$_order->getBillingAddress()->getName()) ?><br />
<?php echo $this->__('Purchased From: %s', $_order->getStore()->getGroup()->getName()) ?><br />

with

<?php $customerName = $_order->getCustomerFirstname() ? $_order->getCustomerName() : $_order->getBillingAddress()->getName(); ?>
<?php echo $this->__('Customer Name: %s', Mage::helper('core')->escapeHtml($customerName)) ?><br />
<?php echo $this->__('Purchased From: %s', Mage::helper('core')->escapeHtml($_order->getStore()->getGroup()->getName())) ?><br />

Permissions

.htaccess files have been added to downloader/Maged and downloader/lib to disallow direct access to source files. If you use nginx, you need to add these rules to achieve the same (thx to Ben Lessani for this one):

location /downloader/Maged/ { deny all; }
location /downloader/lib/   { deny all; }

But I recommend to exclude downloader from deployments to a live system system anyway, in this case you don't need to take action.

Admin Privileges (ACL)

If you use restricted admin accounts, some menus of third party extensions might not work anymore for them. The reason is that the default return value of Mage_Adminhtml_Controller_Action::_isAllowed() has been changed from true to Mage::getSingleton('admin/session')->isAllowed('admin'). Extensions that do not override this method in their admin controllers because they don't use the ACL, now need the "ALL" privilege.

The only solution is to patch the extensions and add this method to all their admin controllers:

protected function _isAllowed()
{
    return true;
}

Or if they actually have an ACL resource defined in etc/adminhtml.xml:

protected function _isAllowed()
{
    return Mage::getSingleton('admin/session')->isAllowed('ENTER RESOURCE IDENTIFIER HERE');
}

(you can see that the patch does the same for Phoenix_Moneybookers in older Magento versions like 1.7 where this extension was included)

For a more detailed perspective on this issue and an explanation how to define missing ACL resources, see: Access Denied errors after installing SUPEE-6285

Possible errors while applying patch

Message:

can't find file to patch at input line 899
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git app/design/frontend/default/modern/template/checkout/cart.phtml app/design/frontend/default/modern/template/checkout/cart.phtml
|index 982ad5a..2bf6b37 100644
|--- app/design/frontend/default/modern/template/checkout/cart.phtml
|+++ app/design/frontend/default/modern/template/checkout/cart.phtml
--------------------------
File to patch:
Skip this patch? [y]
Skipping patch.
1 out of 1 hunk ignored

Reason: the default/modern theme was removed from the installation

Solution: Add app/design/frontend/default/modern from a fresh Magento download (should be the same version as your shop). You can also use this mirror: https://github.com/firegento/magento. Then after applying the patch successfully you may remove the theme again.

Message

patching file downloader/Maged/.htaccess
can't find file to patch at input line 915
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git downloader/Maged/Controller.php downloader/Maged/Controller.php
|index aa9d705..32755d7 100644
|--- downloader/Maged/Controller.php
|+++ downloader/Maged/Controller.php
--------------------------
File to patch:
Skip this patch? [y]
Skipping patch.
5 out of 5 hunks ignored
can't find file to patch at input line 976
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git downloader/Maged/Model/Session.php downloader/Maged/Model/Session.php
|index 18020eb..7013c94 100644
|--- downloader/Maged/Model/Session.php
|+++ downloader/Maged/Model/Session.php
--------------------------
File to patch:
Skip this patch? [y]
Skipping patch.
2 out of 2 hunks ignored
patching file downloader/lib/.htaccess
can't find file to patch at input line 1020
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git downloader/template/connect/packages.phtml downloader/template/connect/packages.phtml
|index 9cca5a6..f42e74e 100644
|--- downloader/template/connect/packages.phtml
|+++ downloader/template/connect/packages.phtml
--------------------------
File to patch:
Skip this patch? [y]
Skipping patch.
3 out of 3 hunks ignored
can't find file to patch at input line 1049
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git downloader/template/connect/packages_prepare.phtml downloader/template/connect/packages_prepare.phtml
|index f74c3df..86aa51b 100644
|--- downloader/template/connect/packages_prepare.phtml
|+++ downloader/template/connect/packages_prepare.phtml
--------------------------
File to patch:
Skip this patch? [y]
Skipping patch.
1 out of 1 hunk ignored
can't find file to patch at input line 1061
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git downloader/template/login.phtml downloader/template/login.phtml
|index 6e4cd2c..dbbeda8 100644
|--- downloader/template/login.phtml
|+++ downloader/template/login.phtml
--------------------------
File to patch:
Skip this patch? [y]
Skipping patch.
1 out of 1 hunk ignored
can't find file to patch at input line 1073
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git downloader/template/settings.phtml downloader/template/settings.phtml
|index 13551ac..47ab411 100644
|--- downloader/template/settings.phtml
|+++ downloader/template/settings.phtml
--------------------------
File to patch:
Skip this patch? [y]
Skipping patch.
1 out of 1 hunk ignored

Reason: the downloader directory was removed from the installation

Solution: Add downloader from a fresh Magento download (should be the same version as your shop). You can also use this mirror: https://github.com/firegento/magento. Then after applying the patch successfully you may remove the directory again.

Message: Something similar to

checking file app/design/frontend/base/default/template/checkout/cart.phtml
Hunk #1 FAILED at 97 (different line endings).
1 out of 1 hunk FAILED
checking file app/design/frontend/base/default/template/checkout/cart/noItems.phtml
Hunk #1 FAILED at 31 (different line endings).
1 out of 1 hunk FAILED
checking file app/design/frontend/base/default/template/checkout/onepage/failure.phtml
Hunk #1 FAILED at 29 (different line endings).
1 out of 1 hunk FAILED
checking file app/design/frontend/base/default/template/rss/order/details.phtml
Hunk #1 FAILED at 31 (different line endings).
1 out of 1 hunk FAILED
checking file app/design/frontend/base/default/template/wishlist/email/rss.phtml
Hunk #1 FAILED at 25 (different line endings).
1 out of 1 hunk FAILED

Reason: the files are stored with \r\n (CRLF, Windows line break) or \r (CR, Mac line break) instead of \n (LF, Unix line break).

Solution: Simply convert the line breaks, your text editor or IDE should be capable of this.

Best Answer

Related Solutions

Magento 1.9 Security Patches – How to Download and Install Without SSH

Applying patches manually with no SSH access

Applying manually without bash/shell

Patches in current & future releases?

Magento 1.9 – SUPEE-6285 Patch Changes

Summary

This bundle includes protection against the following security-related issues:

Theme patches

Permissions

Admin Privileges (ACL)

Possible errors while applying patch

Related Topic