OK, somebody has to ask this: today, 7/7/2015, a new security patch for Magento < 1.9.2 has been released.
Update your shops ASAP!
But what has been changed? Are there known exploits of the covered security issues? What's the worst that could have happened?
And is there anything that can break? Like with SUPEE-5994 where it wasn't possible to apply the patch if the downloader directory was missing…
Best Answer
As already mentioned, the patched vulnerabilities are described in detail on this official page (new merchant docs): http://merch.docs.magento.com/ce/user_guide/Magento_Community_Edition_User_Guide.html#magento/patch-releases-2015.html
Summary
After patching a few shops, this is what I gathered:
Theme patches
Some theme files have been patched with added escaping to prevent possible XSS attacks:
checkout/cart.phtml
checkout/cart/noItems.phtml
checkout/onepage/failure.phtml
rss/order/details.phtml
wishlist/email/rss.phtml
If your theme(s) contain any of these templates, or if you made modifications directly in base/default (good luck, you are screwed), then you need to patch them manually:
In the checkout templates, replace all occurrences of
with
In wishlist/email/rss.phtml, replace
with
In rss/order/details.phtml, replace
with
Permissions
.htaccess files have been added to downloader/Maged and downloader/lib to disallow direct access to source files. If you use nginx, you need to add these rules to achieve the same (thx to Ben Lessani for this one):
But I recommend excluding downloader from deployments to a live system anyway; in that case you don't need to take action.
Admin Privileges (ACL)
If you use restricted admin accounts, some menus of third party extensions might not work anymore for them. The reason is that the default return value of Mage_Adminhtml_Controller_Action::_isAllowed() has been changed from true to Mage::getSingleton('admin/session')->isAllowed('admin'). Extensions that do not override this method in their admin controllers because they don't use the ACL now need the "ALL" privilege. The only solution is to patch the extensions and add this method to all their admin controllers:
Or, if they actually have an ACL resource defined in etc/adminhtml.xml:
(You can see that the patch does the same for Phoenix_Moneybookers in older Magento versions like 1.7, where this extension was included.)
For a more detailed perspective on this issue and an explanation of how to define missing ACL resources, see: Access Denied errors after installing SUPEE-6285
Possible errors while applying patch
Message:
Reason: the default/modern theme was removed from the installation.
Solution: Add app/design/frontend/default/modern from a fresh Magento download (should be the same version as your shop). You can also use this mirror: https://github.com/firegento/magento. Then, after applying the patch successfully, you may remove the theme again.
Message:
Reason: the downloader directory was removed from the installation.
Solution: Add downloader from a fresh Magento download (should be the same version as your shop). You can also use this mirror: https://github.com/firegento/magento. Then, after applying the patch successfully, you may remove the directory again.
Message: Something similar to
Reason: the files are stored with \r\n (CRLF, Windows line break) or \r (CR, Mac line break) instead of \n (LF, Unix line break).
Solution: Simply convert the line breaks; your text editor or IDE should be capable of this.
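The answer's "Theme patches" section says any theme copy of the five patched templates has to be fixed by hand. The script below is an added example (it is not part of the answer and not Magento's own tooling) that audits a shop for such copies: it lists every theme-level copy of those templates under app/design/frontend and reports whether the copy is byte-identical to base/default (so it can simply be replaced by the patched base file) or MODIFIED (so the escaping has to be added manually). It assumes the standard Magento 1 layout app/design/frontend/<package>/<theme>/template/; the function name and output format are my own.

```shell
#!/bin/sh
# Added example, not from the answer above: audit theme copies of the templates
# that SUPEE-6285 patches. Assumes app/design/frontend/<package>/<theme>/template/.

# The templates the patch touches, as listed in the answer.
PATCHED_TEMPLATES="checkout/cart.phtml
checkout/cart/noItems.phtml
checkout/onepage/failure.phtml
rss/order/details.phtml
wishlist/email/rss.phtml"

# find_theme_overrides DESIGN_ROOT
#   DESIGN_ROOT is app/design/frontend. Prints one line per override found:
#   "IDENTICAL <path>" (same bytes as base/default) or "MODIFIED <path>".
#   base/default itself is skipped; a copy with no base/default counterpart
#   is reported as MODIFIED. Exit status is 1 when any MODIFIED copy exists,
#   so the function can be used as a gate in a deployment check.
find_theme_overrides() {
  root="${1%/}"
  tmp=$(mktemp)
  echo "$PATCHED_TEMPLATES" | while read -r tpl; do
    [ -n "$tpl" ] || continue
    base="$root/base/default/template/$tpl"
    for pkg in "$root"/*/; do
      for theme in "$pkg"*/; do
        file="${theme}template/$tpl"
        [ -f "$file" ] || continue          # unmatched glob or no such template
        [ "$file" = "$base" ] && continue   # the original, not an override
        if [ -f "$base" ] && cmp -s "$file" "$base"; then
          echo "IDENTICAL $file"
        else
          echo "MODIFIED $file"
        fi
      done
    done
  done > "$tmp"
  cat "$tmp"
  status=0
  grep -q '^MODIFIED ' "$tmp" && status=1
  rm -f "$tmp"
  return $status
}

# Usage (from the Magento root):  . ./find_overrides.sh; find_theme_overrides app/design/frontend
```

IDENTICAL copies can be deleted or overwritten with the patched base/default file; MODIFIED ones are the files the answer tells you to edit by hand. Themes that only inherit the templates (no copy of their own) are not listed because they already pick up the patched base/default version.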
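For the "Admin Privileges (ACL)" part of the answer, the practical question after patching is which third-party admin controllers inherit the new default of Mage_Adminhtml_Controller_Action::_isAllowed() and therefore now demand the "ALL" privilege. The script below is an added example (not from the answer, not part of Magento) that scans the community and local code pools for controllers extending Mage_Adminhtml_Controller_Action without their own _isAllowed() definition. It assumes the standard app/code/{community,local}/<Vendor>/<Module>/controllers/ layout; the function name is my own.

```shell
#!/bin/sh
# Added example, not from the answer above: list admin controllers that rely on
# the patched default _isAllowed(). Assumes app/code/{community,local} code pools.

# list_controllers_without_isallowed CODE_ROOT
#   CODE_ROOT is app/code. Prints the path of every *Controller.php under a
#   controllers/ directory that extends Mage_Adminhtml_Controller_Action but
#   defines no _isAllowed() method. Returns 1 when at least one is found.
list_controllers_without_isallowed() {
  code_root="${1%/}"
  tmp=$(mktemp)
  for pool in community local; do
    [ -d "$code_root/$pool" ] || continue
    find "$code_root/$pool" -type f -name '*Controller.php' -path '*/controllers/*' |
    while read -r ctrl; do
      # Only classes that inherit the patched default are affected. A controller
      # that extends a vendor base class (which in turn extends the Magento one)
      # is not caught by this textual check and needs a manual look.
      grep -q 'extends Mage_Adminhtml_Controller_Action' "$ctrl" || continue
      grep -q 'function _isAllowed' "$ctrl" || echo "$ctrl"
    done >> "$tmp"
  done
  cat "$tmp"
  count=$(wc -l < "$tmp" | tr -d ' ')
  rm -f "$tmp"
  [ "$count" -eq 0 ]
}

# Usage (from the Magento root):
#   . ./acl_audit.sh; list_controllers_without_isallowed app/code
# Each listed controller needs an _isAllowed() override that checks the
# extension's own ACL resource via Mage::getSingleton('admin/session')->isAllowed(...),
# as the answer describes.
```

Run it before giving restricted admin users access to a patched shop; an empty result means no extension admin controller silently depends on the "ALL" privilege. The grep is textual, so a controller that defines _isAllowed() only in a shared parent class is reported as missing and should be checked by hand.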
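The three failure causes in "Possible errors while applying patch" can all be checked before the patch script is run. The following pre-flight script is an added example (not from the answer, not an official Magento tool): it verifies that app/design/frontend/default/modern and downloader exist, detects whether a file uses CRLF, CR or LF line endings, and converts it to LF while keeping a backup. The function names are my own; it assumes a standard Magento 1 directory tree and a patch file you pass as the second argument.

```shell
#!/bin/sh
# Added example, not from the answer above: pre-flight checks for the patch
# errors the answer lists. Assumes a standard Magento 1 tree.

# check_patch_prereqs MAGENTO_ROOT
#   Prints one MISSING line per directory the patch expects but cannot find.
#   Returns 0 when nothing is missing, 1 otherwise.
check_patch_prereqs() {
  root="${1%/}"
  missing=0
  for dir in app/design/frontend/default/modern downloader; do
    if [ ! -d "$root/$dir" ]; then
      echo "MISSING $root/$dir (restore it from a clean Magento of the same version, e.g. the firegento mirror, before patching)"
      missing=1
    fi
  done
  return $missing
}

# line_ending_style FILE
#   Prints CRLF, CR or LF. Counts the CR and LF bytes rather than pattern
#   matching, so a CR-only (old Mac) file is not mistaken for CRLF.
line_ending_style() {
  cr=$(tr -cd '\r' < "$1" | wc -c | tr -d ' ')
  lf=$(tr -cd '\n' < "$1" | wc -c | tr -d ' ')
  if [ "$cr" -eq 0 ]; then
    echo LF
  elif [ "$lf" -eq 0 ]; then
    echo CR
  else
    echo CRLF   # both present: treated as CRLF (a mixed file ends up the same way)
  fi
}

# to_unix_line_endings FILE
#   Rewrites FILE in place with LF terminators; the original is kept as FILE.orig.
to_unix_line_endings() {
  style=$(line_ending_style "$1")
  [ "$style" = LF ] && return 0
  cp "$1" "$1.orig"
  case $style in
    CRLF) tr -d '\r' < "$1.orig" > "$1" ;;    # drop the CR of every CRLF pair
    CR)   tr '\r' '\n' < "$1.orig" > "$1" ;;  # a lone CR becomes LF
  esac
}

# supee_preflight MAGENTO_ROOT PATCH_FILE
#   Runs both checks and normalises the patch file's line endings when needed.
supee_preflight() {
  check_patch_prereqs "$1" || return 1
  style=$(line_ending_style "$2")
  if [ "$style" != LF ]; then
    echo "converting $2 from $style to LF line endings (original kept as $2.orig)"
    to_unix_line_endings "$2"
  fi
  echo "ok: $1 has the directories the patch expects and $2 uses LF line endings"
}

# Run directly:  sh supee_preflight.sh /path/to/magento PATCH_FILE.sh  (PATCH_FILE.sh is a placeholder)
if [ "$#" -eq 2 ]; then
  supee_preflight "$1" "$2"
fi
```

The line-ending check is worth running on the patch script itself and on any file the patch touches that was ever edited on Windows, since the answer's third error comes from exactly that. Restoring default/modern or downloader only to satisfy the patch is fine; as the answer notes, both can be removed again afterwards.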