How to Apply New Patch SUPEE-6788 in Magento


After weeks of waiting for the patch today (27.10.2015) it was released: SUPEE-6788

A lot of things were patched, and it is also encouraged to review installed modules for possible vulnerabilities.

I open this post in order to get some insights about how to apply the patch. What are the steps to apply the patch? To my understanding these are the steps:

  1. Fix modules with admin functionality that is not under the admin URL
  2. Fix modules that use SQL statements as field names or escape fields
  3. Whitelist blocks or directives that use variables like {{config path="web/unsecure/base_url"}} and {{block type=rss/order_new}}
  4. Addressing potential Exploit with Custom Option File Type (no idea how to do this)
  5. Apply the patch

Is this the correct procedure?

Best Answer

In general, you can apply the patch as all previous ones. Have a look at the official documentation and check this SE post. But yes, there are some additional points you should check when applying this patch. Byte/Hypernode has a nice post about it.

  1. Check if your theme has a custom template/customer/form/register.phtml or custom template/persistent/customer/form/register.phtml. If this is the case, make sure that it includes a form_key.
  2. Check if your theme has a custom layout/customer.xml. If this is the case, make sure to apply the necessary changes from the patch (customer_account_resetpassword has been changed to customer_account_changeforgotten).
  3. Do you use non-standard variables in CMS pages, static blocks or email templates? Then make sure that you whitelist them. See this SE question to learn how to whitelist variables/blocks.
  4. Do you run the cron.php via HTTP? Make sure that you better use cron.sh. If this is not possible, at least make sure that you call cron.php via CLI PHP. If for some reason you can not configure a real cronjob and need to run it via HTTP, see this SE question.
  5. Make sure that all your extensions use the "new" admin routing. You can use this n98-magerun plugin to check. You can also use this CLI script. You can also have a look at this related SE question.
    1. When all your extensions use the proper admin routing, make sure to disable "Enable Admin routing compatibility mode" under System - Configuration - Admin - Security.
  6. If you use M2ePro, update it to the latest version since old versions do not work with the new patch.

When updating, make sure that you delete the file dev/tests/functional/.htaccess. It is not present any more in Magento 1.9.2.2. Keeping it means you are still vulnerable.

In any case, check your page with MageReport after updating to see if everything went well.

There is also a technical blog post by Piotr, which describes the critical changes.
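As an added example (not part of the question or the answer above, and not the code of the n98-magerun plugin, the CLI script or MageReport that the answer links to), the following POSIX shell script checks three of the answer's items against a Magento 1.x tree: theme copies of register.phtml that lack a form_key (item 1), the stale dev/tests/functional/.htaccess file, and modules that still declare their own admin router (item 5). The admin-routing check is a grep heuristic: it flags non-core config.xml files containing `<use>admin</use>`, which is the hallmark of a module-specific admin front name, instead of the `<adminhtml>` router extension that the "new" admin routing uses. `make_sample_tree` builds a constructed miniature tree (theme name `mytheme`, module `Vendor_Widget`) so the checks can be exercised without a real shop.

```shell
#!/bin/sh
# Pre-flight checks for SUPEE-6788 (constructed example). Each check takes the
# Magento root as $1 and returns 0 when the item is in order, 1 otherwise.

# Item 1: every theme copy of register.phtml outside base/default must carry form_key.
check_register_form_key() {
    missing=$(find "$1/app/design/frontend" \
        \( -path '*/template/customer/form/register.phtml' \
           -o -path '*/template/persistent/customer/form/register.phtml' \) \
        -exec grep -L 'form_key' {} \; 2>/dev/null | grep -v '/base/default/' || true)
    if [ -n "$missing" ]; then
        printf 'register.phtml without form_key:\n%s\n' "$missing"
        return 1
    fi
    return 0
}

# Stale file: dev/tests/functional/.htaccess is gone in 1.9.2.2 and must be deleted.
check_functional_htaccess() {
    if [ -e "$1/dev/tests/functional/.htaccess" ]; then
        echo "stale file present: dev/tests/functional/.htaccess"
        return 1
    fi
    return 0
}

# Item 5 (heuristic): a local/community module whose config.xml declares its own
# admin router with <use>admin</use> is still on the old routing scheme.
check_admin_routing() {
    legacy=$(find "$1/app/code/local" "$1/app/code/community" \
        -name config.xml -exec grep -l '<use>admin</use>' {} \; 2>/dev/null || true)
    if [ -n "$legacy" ]; then
        printf 'modules with a legacy admin router:\n%s\n' "$legacy"
        return 1
    fi
    return 0
}

# Runs all checks; the return value is the number of failed checks (0 = ready).
run_checks() {
    failures=0
    check_register_form_key "$1" || failures=$((failures + 1))
    check_functional_htaccess "$1" || failures=$((failures + 1))
    check_admin_routing "$1" || failures=$((failures + 1))
    return $failures
}

# Constructed fixture: mode "legacy" seeds every problem above, mode "clean"
# seeds the remediated state (theme and module names are made up).
make_sample_tree() {
    root="$1"; mode="$2"
    theme="$root/app/design/frontend/mytheme/default/template/customer/form"
    mod="$root/app/code/local/Vendor/Widget/etc"
    mkdir -p "$theme" "$mod" "$root/dev/tests/functional"
    if [ "$mode" = legacy ]; then
        printf '<form action="%s"></form>\n' '<?php echo $this->getPostActionUrl() ?>' > "$theme/register.phtml"
        printf '<config><admin><routers><widget><use>admin</use><args><module>Vendor_Widget</module><frontName>widget</frontName></args></widget></routers></admin></config>\n' > "$mod/config.xml"
        : > "$root/dev/tests/functional/.htaccess"
    else
        printf '<form><input type="hidden" name="form_key" value="<?php echo $this->getFormKey() ?>" /></form>\n' > "$theme/register.phtml"
        printf '<config><admin><routers><adminhtml><args><modules><Vendor_Widget before="Mage_Adminhtml">Vendor_Widget_Adminhtml</Vendor_Widget></modules></args></adminhtml></routers></admin></config>\n' > "$mod/config.xml"
    fi
}

# Usage: sh supee6788-check.sh /path/to/magento
if [ -n "${1:-}" ]; then
    run_checks "$1"
fi
```

Run it against the shop root before and after applying the patch; a non-zero exit count points at the items that still need work. The routing heuristic only finds the `<use>admin</use>` pattern, so extensions that register admin controllers under a frontend router still need the n98-magerun plugin or a manual review.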
