Magento – Security Patch SUPEE-11314 – Possible problems

magento-1patchesSecurity

Magento have released new Magento 1 versions

1.14.4.5
1.9.4.5

The patch number is SUPEE-11314 and is available at https://magento.com/tech-resources/download

A summary (covering both M1 and M2 so it's hard to discern) is available at https://helpx.adobe.com/security/products/magento/apsb20-22.html

Did you encounter any compatibility problems or bugs after applying the patch?

Best Answer

Be aware that it isn't possible to revert this update, it updates the password hashes so you won't be able to login on the admin or front end if you install then revert back to 1.9.4.4.

Ebizmarts SagePay extension MOTO admin payments stopped working in 1.9.4.5, the payments on the frontend were unaffected.

Server error 5006: Unable to redirect to Vendor's web site. The Vendor
failed to provide a RedirectionURL.

The Ebizmarts SagePay extension uses an Admin SID to get the response from SagePay to the Magento Admin. To get working I had to override the following to re-enable Admin SID's: app/code/core/Mage/Admin/etc/config.xml

<use_admin_sid>1</use_admin_sid>

I am also having a problem with it creating multiple NULL, NULL users with a different password hash in the admin_user table, I have not figured out what is causing it yet. Is anyone else having this problem?

Related Solutions

Security Patch SUPEE-7405 – Possible Problems and Solutions

23rd February 2016 Update: The patch has been updated to V1.1, which fixes a number of important issues listed in this post, here is the list:

Cart Merge Patch (SUPEE-7978) : Carts with identical items now merge correctly. Previously, when a cart with one item was merged with another cart that contained the same item, Magento did not merge the cart totals correctly. The cart now includes only one item, and the total is correct.
SOAP API Patch (SUPEE-7822) : The Magento SOAP API now works as expected. Previously after installing the SUPEE-7405 v1.0 patch, an API request would cause a 500 error, and Magento would log an exception.
PHP 5.3 Compatibility (SUPEE-7882) : The patch was not compatible with PHP 5.3 for earlier versions of Magento that were still supporting this version. Merchants experiencing this issue were unable to view sales information in the Admin.
Upload File Permissions : The patch restores less restrictive file permissions (0666 for files and 0777 for directories) as more strict permissions introduced by the original SUPEE-7405 patch caused many merchants not to be able to view uploaded product images, depending on hosting provider configuration.

After digging into the patch, here are the relevant / interesting things I've found (N.B.: this list has been made by analyzing the patch for CE 1.9.2.0-1.9.2.2, there's probably more for patches affecting older versions of Magento) :

(fixed in V1.1 of the patch) ~~The use of [] instead of array() in this patch makes it backward incompatible with PHP < 5.4 (see known issues below)~~
As stated, most of the changes are html escaping and data sanitizing regarding XSS issues.
Form key validation has been added to the admin login in Mage_Admin_Model_Observer
Form key validation has been added to the admin forgot password in Mage_Adminhtml_IndexController
Form key validation has been added to the admin reset password in Mage_Adminhtml_IndexController
Form key validation has been added to the frontend cart delete action. Form key is added to the getDeleteUrl of Mage_Checkout_Block_Cart_Item_Renderer and validated in the deleteAction of Mage_Checkout_CartController.
Events are now dispatched all lower case (every config files affected have been modified e.g. controller_action_postdispatch_checkout_onepage_saveOrder becomes controller_action_postdispatch_checkout_onepage_saveorder). This does not affect your local observers configuration. More information here: https://twitter.com/foomanNZ/status/689924329065164800
A new validator to check if an uploaded file is an image has been added: Mage_Core_Model_File_Validator_Image
A new Import/Export section appears : System => Configuration =>Advanced > System => Escape CSV Fields
New event dispatched: admin_user_validate under Mage_Admin_Model_User
SVG is not a valid favicon extension anymore
For those using Authorizenet (I don't) it seems like a few changes have been made, not sure how it impacts the system though. Changes include a new admin helper (Mage_Authorizenet_Helper_Admin) used to get the success order url.
New Zend class: Zend_Xml_Security. Its purpose is to scan XML string for potential XXE and XEE attacks. However I did not find any reference to it in the other modified files.
Files uploaded via admin panel (i.e. product image upload) are now not world readable by default (before: 777 / after: 640).
Directories are also not world executable (before 755 / after: 750). This two can cause issues with images not appearing on the website if the webserver runs as a different user from php (credits: @Rob Mangiafico)
Regarding frontend templates: the only modifications made are data escaping, which are not system breakers but still recommended to implement on your custom theme (and there's only two frontend files affected not that much work ;) )

Known issues after patching:

I'll try to keep this list as up to date as possible.

Before starting a new issue/question, please ensure you've applied all the previous patches as it seems like a lot of issues comes from missing patches.

Another thing is: if you have modified core files, applying the patch may fail. If you're having a Hunk # failed at error for a specific file and you're 100% sure you've applied all the previous patches, please ensure you have the original file from your Magento version by checking the mirror: https://github.com/OpenMage/magento-mirror/

Dropped sessions issue (with fix) (https://magento.stackexchange.com/a/116324/2380)
Unable to login to the backend after the patch: "Invalid form key" error. => Flush your browser cookies and delete the var/session files (Magento 1.9.2.3. not login in google chrome)
(fixed in v1.1 of the patch) Admin order view page is blank / broken => Related to the PHP < 5.4 incompatibility. => Fix can be found here: https://magento.stackexchange.com/a/98237/2380 / I've created a bug report: https://www.magentocommerce.com/bug-tracking/issue/index/id/1266 (credits: @Moonman67).
(fixed in v1.1 of the patch) SOAP API URL /index.php/api/v2_soap/index/?wsdl=1 throws a 500 error => I've developped a hacky fix for this one that can be found here: https://magento.stackexchange.com/a/98790/2380 / I've also created a bug report for this one: https://www.magentocommerce.com/bug-tracking/issue/index/id/1265 (credits: @Moonman67)
(fixed in v1.1 of the patch) ~~Issues regarding file upload permissions~~
Applying patch on Magento 1.7.0.0 breaks: https://magento.stackexchange.com/a/98246/2380
Checkout not redirecting to success page on HHVM: https://magento.stackexchange.com/a/98334/2380
Undefined class constant AREA ADMINHTML in app/code/core/Mage/Core/Model/Config.php (possibly EE only): SUPEE 7405 Enterprise Edition Fatal error Undefined class constant 'AREA_ADMINHTML
Call to undefined method Mage_Core_Helper_Abstract::escapeHtml() on 1.4.0.1 : Error after installing patch 7405 on Magento 1.4.0.1
Mage registry key _singleton/Mage_Core_Model_Domainpolicy already exists on Magento 1.7: Security Patch SUPEE-7405 Error
Call to a member function getUsername() on a non-object after the patch: Magento Admin thrown error after applying SUPEE 7405 security patch
Unable to add permission block after patch on 1.8.1.0 : After Security patch supee-7405 topmenu is not displaying
(Previous patch not applied) Issues applying the patch on 1.7.0.2 : Security Patch SUPEE-7405 Issues
(Core files had been changed) Issues applying the patch on 1.8.1 : supee 7405 Hunk #2 FAILED at 472. Magento 1.8.1
(Provider related) Email queue broken after patch : Magento 1.9.2.3 Email-Queue not working

List of affected files

It can be found on this page here: https://magento.stackexchange.com/a/98232/2380 (credits @MagenX)

EE Only

If you updated from Magento EE 1.14.2.x to Magento EE 1.14.2.3 instead of applying the patch, and also applied the support patch SUPEE-5984 before, you have to reapply it again because it is not included in the release. => https://magento.stackexchange.com/a/98805/2380

Regarding Patch 7616:

Seems like patches 4291 and 6237 need to be applied before applying the patch. More information here: Apply 7616_EE 7405_EE patch not successfuly
(Patch 5344 had not been applied) ~~Possible problem when applying 7616 before applying 7405: SUPEE 7405 - Hunk #2 Failed at 43~~

Good resources about Magento patches

Critical Reminder: Download and install Magento security patches. (FTP with no SSH access)
Mage Report has added a check for SUPEE-7405: https://www.magereport.com/

Feel free to let me know if I miss something.

Security Patch SUPEE-8788 – Possible Problems and Solutions

Important notes

Please note that 1.9.3 is different than 1.9.2.4 + SUPEE-8788. Here's the diff between the two: https://gist.github.com/digitalpianism/14a15cd52baede0e5d600e8c653f33e9

Update October 14th: v2 of the patch has been released (see below) ~~As of October 13th, the patches for 1.5.x to 1.8.x have been taken down from the Magento website because of the incompatibility with previous patches (see below):~~

https://community.magento.com/t5/Security-Patches/SUPEE-8788-AND-SUPEE-1533-Incompatible-Hunk-error/td-p/50434/highlight/false/page/2

V3 of the patch

This new version is only for Magento EE 1.13.0.x

Apply the V3:

revert SUPEE 1533 (if installed)
install SUPEE 3941 (if not installed)
install SUPEE 8788 v3

V2 of the patch

Apply the V2:

revert SUPEE 8788 v1
revert SUPEE 1533 (if installed)
install SUPEE 3941 (if not installed)
install SUPEE 8788 v2

DemacMedia developed a useful bash script to automate the process above you can find it here: https://github.com/DemacMedia/magento-SUPEE8788-patcher

Details of the patch

After digging into the patch here are the interesting parts (patching from 1.9.2.4):

Mage_Adminhtml_Block_Media_Uploader has been replaced with Mage_Uploader_Block_Multiple so there's a full Mage_Uploader module which drops Flash support. The old block is now deprecated and extends the new block.
Still regarding the uploader, the Mage_Downloadable module has been refactored to handle the new non-flash uploader. It uses Mage_Uploader_Block_Single as the upload block instead of using templates.
Following this change, the SWF files skin/adminhtml/default/default/media/flex.swf, skin/adminhtml/default/default/media/uploader.swf and skin/adminhtml/default/default/media/uploaderSingle.swf have been deleted.
Address deletion controller is now protected with form key directly via the getDeleteUrl from Mage_Customer_Block_Address_Book
Wishlist item removal controller is now protected with form key via the getRemoveUrl from Mage_Wishlist_Helper_Data
Paypal Express payment method now ensures that the customer email used exists in Magento when checking out and registering a new user. (understand: the new user is created before the new quote is processed)
The payment methods using cURL/HTTP Client now have CURLOPT_SSL_VERIFYHOST set to 2 (was 0 before) and the CURLOPT_SSL_VERIFYPEER flag is now added to the cURL calls. The Verify Peer flag can be enable/disable via the payment method configuration via the Enable SSL Verification dropdown.
Mage_Http_Client_Curl now has CURLOPT_SSL_VERIFYPEER set to true (was false before), beware if you have any custom module using it.
Max dimensions for product pictures are now configurable in the config. NB: it can result in a funny error message if you upload too big images: Disallowed file format in Magento 1.9.2.2 after patch upload

Known SUPEE-8788 v2 issues

Magento 1.9.2.0 SUPEE-8788 v2 Hunk #1 FAILED at 91 after reverting SUPEE-1533
Patch can't be applied on PayPal Express model: Magento 1.9.2.2 SUPEE-8788 v2 Hunk #1 FAILED
Coïncidence not patch related ~~Emails stopped being sent on 1.8 : https://magento.stackexchange.com/q/141799/2380 and Security patch 8788 V2 problem~~
Backward incompatible change when calling the getConfig() method from the uploader block: Issue in Admin Panel after SUPEE Patch 8788 installation

Known SUPEE-8788 v1 issues

Update: the v2 of the patch fixes that issue (see above)Conflict between SUPEE-1533 and SUPEE-8788, possible (hacky) workaround here . A less hacky solution here
Update: v2 of the patch fixes that issue Unsupported data type N error in /lib/Unserialize/Reader/ArrValue.php in 1.9.1.0 and possibly earlier versions when patch is applied. fix here: https://gist.github.com/balloz/ceaf5feb5ac66caaa82342441d32aa88
Update: the v2 of the patch fixes that issue ~~Possible conflict with SUPEE-3941: https://magento.stackexchange.com/a/140696/2380~~
Issue with OS X: Illegal Byte Sequence : SUPEE-8788 on OSX - illegal byte sequence
Malformed patch (probably bue to the binary sequence in the patch): Magento 1.9.2.4 patch SUPEE-8788 malformed patch at line 5790
Inclusion of a test_oauth.php file with EE patch, don't push that file to prod
Possible login issue on EE related to Enterprise_Pci : https://magento.stackexchange.com/a/140577/2380
Problem if you edit the patch file as it contains binary files encapsulated, use this method if you need to edit: https://magento.stackexchange.com/a/140575/2380
In case you have an app/code/local version of Mage/Core/functions.php you'll have issue with the new hash_equals function: https://magento.stackexchange.com/a/140664/2380
Good to know that there is some templates change involved regarding form_key for Magento prior to 1.8
Possible issue on 1.5.1.0 with downloader/Maged/View.php : Security Patch SUPEE-8788 failing at downloader/Maged/View.php (M1 v1.5.1.0)
Incase you removed/renamed the downloader folder: https://magento.stackexchange.com/a/140631/2380

Known 1.9.3.0 issues

Edit: as the list is getting long and it's pretty much off-topic in this answer (as not SUPEE-8788 related) you can refer to this post for the list of known 1.9.3.0 issues: https://magento.stackexchange.com/a/140826/2380