After weeks of waiting for the patch, today (27.10.2015) it was released: SUPEE-6788
A lot of things were patched, and it is also encouraged to review installed modules for possible vulnerabilities.
I open this post in order to get some insights about how to apply the patch. What are the steps to apply the patch? To my understanding these are the steps:
- Fix modules with admin functionality that is not under the admin URL
- Fix modules that use SQL statements as field names or escape fields
- White list blocks or directives that use variables like {{config path="web/unsecure/base_url"}} and {{block type=rss/order_new}}
- Addressing potential Exploit with Custom Option File Type (no idea how to do this)
- Apply the patch
Is this the correct procedure?
Best Answer
In general, you can apply the patch as all previous ones. Have a look at the official documentation and check this SE post. But yes, there are some additional points you should check when applying this patch. Byte/Hypernode has a nice post about it.
- Have you customized template/customer/form/register.phtml or template/persistent/customer/form/register.phtml? If this is the case, make sure that it includes a form_key.
- Have you customized layout/customer.xml? If this is the case, make sure to apply the necessary changes from the patch (customer_account_resetpassword has been changed to customer_account_changeforgotten).
- Do you call cron.php via HTTP? Make sure that you better use cron.sh. If this is not possible, at least make sure that you call cron.php via CLI PHP. If for some reason you can not configure a real cronjob and need to run it via HTTP, see this SE question.
- When updating, make sure that you delete the file dev/tests/functional/.htaccess. It is not present any more in Magento 1.9.2.2. Keeping it means you are still vulnerable.
- In any case, check your page with MageReport after updating to see if everything went well.
There is also a technical blog post by Piotr, which describes the critical changes.
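As an added example (not from the answer above and not a Magento tool), a POSIX shell audit that checks a Magento 1 install root for the three file-level points in the answer: register.phtml templates without a form_key, customer.xml layouts still using the old customer_account_resetpassword handle, and a leftover dev/tests/functional/.htaccess. The function names are my own, and it assumes templates live under app/design/frontend and that either the formkey block helper or a literal form_key field counts as present.

```sh
#!/bin/sh
# Added example (not Magento's own tooling): post-SUPEE-6788 file checks.
# supee6788_findings ROOT prints one line per issue found under a Magento 1
# install root; supee6788_check ROOT wraps it and returns 1 if anything was found.

supee6788_findings() {
  root="$1"

  # 1. Every register.phtml must carry a form key. The -path pattern matches
  #    both template/customer/form/register.phtml and
  #    template/persistent/customer/form/register.phtml. Accepting either the
  #    'formkey' block helper or a literal form_key field is an assumption.
  find "$root/app/design/frontend" -type f \
       -path '*/customer/form/register.phtml' 2>/dev/null |
  while IFS= read -r tpl; do
    if ! grep -q -e 'formkey' -e 'form_key' "$tpl"; then
      echo "MISSING form_key: $tpl"
    fi
  done

  # 2. customer.xml layouts still referencing the handle the patch renamed.
  find "$root/app/design/frontend" -type f -name customer.xml 2>/dev/null |
  while IFS= read -r xml; do
    if grep -q 'customer_account_resetpassword' "$xml"; then
      echo "OLD HANDLE customer_account_resetpassword (now customer_account_changeforgotten): $xml"
    fi
  done

  # 3. The functional-test .htaccess is gone in 1.9.2.2 and must be deleted.
  if [ -f "$root/dev/tests/functional/.htaccess" ]; then
    echo "PRESENT dev/tests/functional/.htaccess: delete it"
  fi
  return 0
}

supee6788_check() {
  out=$(supee6788_findings "$1")
  if [ -z "$out" ]; then
    echo "OK: no SUPEE-6788 follow-up issues found under $1"
    return 0
  fi
  printf '%s\n' "$out"
  return 1
}

# Usage: supee6788_check /var/www/magento
```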