12-07-2015 Update : Magento security patch SUPEE-6788 – Installation (and issue with htaccess) + Enable patch functionnalities
10-28-2015 Update : Download the security patch SUPEE-6788
10-22-2015 Update : How to modify your custom modules to the next security patch ?

SUPEE-6788 Patch Download

téléchargement

The security patch is now available. The last version of Magento Community (1.9.2.2) and of Magento Enterprise (1.14.2.2) contains this patch and also previous patches. You can upgrade your store, but it’s longer than apply only the patch. To download it, choose from the following options :
– Edition Community : Patches for earlier versions of Community Edition can be found on the Community Edition download page (look for SUPEE-6788)
– Edition Enterprise : Go to My Account, select the Downloads tab, and then navigate to Magento Enterprise Edition > Support Patches. Look for the folder titled “Security Patches – October 2015.”
– Magento Partners : Go to the Partner Portal select Technical Resources and then select Download from the Enterprise Edition panel. Next, navigate to Magento Enterprise Edition > Patches & Support and look for the folder titled “Security Patches – October 2015.”

Don’t forget to apply the modifications explained below on this article before activate the security patch !

Is your Magento store infected ?

Since many days, some hackers attempt to attack Magento stores with scripts injection. This attack, named GuruIncsite Infection, is really dangerous and follow these steps to securize your website :

– You have to search in your database some terms to find a possible attack. If yes, you have to modifiy infected CMS pages. Usually, malware is injected on the entry ‘design/footer/absolute_footer’ of the ‘core_config_data’ table. You can search on the entire database for theses terms : “function LCWEHH(XHFER1){XHFER1=XHFER1” and “guruincsite”
Infos : http://support.hypernode.com/knowledgebase/how-to-fix-guruinc-infection

– Check your store security on MageReport. It’s not an official tools, but is used by the Magento community, you can find and patch some potential issues.
Infos : https://www.magereport.com

– Check all admin users and search for suspicious account creation (System > Permissions > Users)

– Apply all Magento security updates on your store
Infos : https://magento.com/security/patches

Magento security patch SUPEE-6788 – Installation

Download the file corresponding to your Magento installation, for me it’s PATCH_SUPEE-6788_EE_1.14.0.1_v1-2015-10-27-02-29-23.sh

Put it on the root of your Magento store and launch these commands:

sudo chmod +x ./<NOM DU FICHIER>.sh
./<NOM DU FICHIER>.sh

You can have an issue with the htaccess file, with the following message :

checking file .htaccess
Hunk #1 FAILED at 207.

I decided to remove this part of the patch (delete the selected zone of the file like the screenshot below). We will apply the modification on this file manually after.

Capture du 2015-12-07 17:35:27

So relaunch the shell script, and you will have this message :

Patch was applied/reverted successfully.

A lot of files are modified, but there is also new created files. Don’t forget to add its on your commit with your favorite Version Control System !

Don’t forget to apply modifications on the htaccess manually !
I added this code at the end of my htaccess file.

###########################################
## Deny access to cron.php
    <Files cron.php>

############################################
## uncomment next lines to enable cron access with base HTTP authorization
## http://httpd.apache.org/docs/2.2/howto/auth.html
##
## Warning: .htpasswd file should be placed somewhere not accessible from the web.
## This is so that folks cannot download the password file.
## For example, if your documents are served out of /usr/local/apache/htdocs
## you might want to put the password file(s) in /usr/local/apache/.

        #AuthName "Cron auth"
        #AuthUserFile ../.htpasswd
        #AuthType basic
        #Require valid-user

############################################

        Order allow,deny
        Deny from all

    </Files>

Now you can go on your website (after empty the cache if they are enabled). This will launch installers added by the security patch.

Get prepared to the next security patch SUPEE-6788

The update is disabled by default. The patch is present, but disabled during installation. You will have to activate it when your changes will be applied. I will show you the changes you have to do to your store :

  • If a module has admin functionality that is not under the admin URL, it will need to be modified (http://domain.com/cool_module will become http://domain.com/admin/cool_module)
  • Change admin router declaration :
    <admin>
    	<routers>
    		<custom_module>
    			<use>admin</use>
    			<args>
    				<module>custom_module</module>
    				<frontName>custom_module</frontName>
    			</args>
    		</custom_module>
    	</routers>
    </admin>

    Must to be changed to :

    <admin>
    	<routers>
    		<adminhtml>
    			<args>
    				<modules>
    					<Custom_Module after="Mage_Adminhtml">Custom_Module_Adminhtml</Custom_Module>
    				</modules>
    			</args>
    		</adminhtml>
    	</routers>
    </admin>

    If you need to make change on config.xml to modify admin routers.
    Check also your adminhtml.xml files in order to change the URL :

    <action>MODULE/adminhtml_CONTROLLER/ACTION</action>

    Become :

    <action>adminhtml/CONTROLLER/ACTION</action>

    The module name is removed from the URL, so you must have a controller name class which is not use on another module.
    If your class is name “IndexController.php” or “CategoryController.php” for example, I advice you to rename the class. Be careful of the consequences of this change during the testing phase !
    Sometimes, I had to change some informations on the admin layout of some modules.
    Example :

    <MODULE_adminhtml_CONTROLLER_ACTION>
    <...>
    </MODULE_adminhtml_CONTROLLER_ACTION>

    Become :

    <adminhtml_CONTROLLER_ACTION>
    <...>
    </adminhtml_CONTROLLER_ACTION>
  • The addFieldToFilter method must be used in an other way when it use SQL statement or when fields are escaped.
    $collection->addFieldToFilter('`field`', array('eq' => 3));

    Must to be changed to :

    $collection->addFieldToFilter('field', array('eq' => 3));

    And for SQL statements :

    $collection->addFieldToFilter('(field1 – field2)', array('eq' => 3))

    Must to be changed to :

    $expression = '(field1 – field2)';
    $condition = $this->_getConditionSql($expression, array('eq' => 3));
    $this->_select->where($condition);
  • All references of {{config path=”web/unsecure/base_url”}} or {{block type=rss/order_new}} which are used on email or CMS pages must be listed. You can search the terms “{{config path=” and “{{block type=” on your project’s files, and on the tables ‘cms_page’, ‘cms_block’, and ‘core_email_template’ Magento will give a whitelist of the authorized blocks and variables, you will have to add yours. Here is the native list :
    Variables:
    web/unsecure/base_url
    web/secure/base_url
    trans_email/ident_general/name
    trans_email/ident_sales/name
    trans_email/ident_sales/email
    trans_email/ident_custom1/name
    trans_email/ident_custom1/email
    trans_email/ident_custom2/name
    trans_email/ident_custom2/email
    general/store_information/name
    general/store_information/phone
    general/store_information/address
    
    Blocks:
    core/template
    catalog/product_new

    If you see other values on your CMS pages or email, you will have to add new entries after the patch installation. The tables you will have to update are ‘permission_variable’ et ‘permission_block’.

  • You cannot make customization that uses product custom options to save information as a PHP object. Such an approach will no longer be possible.
  • If you made changes on customer/form/register.phtml and persistent/customer/form/register.phtml templates, you have to add a form_key like :
    <input type="hidden" name="form_key" value="<?php echo Mage::getSingleton('core/session')->getFormKey() ?>" />
  • If you made changes on layout/customer.xml the layout action has been changed. “customer_account_resetpassword” becomes “customer_account_changeforgotten”. The template/customer/form/resetforgottenpassword.phtml templated has changed too :
    <form action="<?php echo $this->getUrl('*/*/resetpasswordpost', array('_query' => array('id' => $this->getCustomerId(), 'token' => $this->getResetPasswordLinkToken()))); ?>" method="post" id="form-validate">

    become :

    <form action="<?php echo $this->getUrl('*/*/resetpasswordpost'); ?>" method="post" id="form-validate">
    

You can follow theses steps to install and apply the modification, on a test environment :

  • Patch installation (disabled by default)
  • Modify your code with the changes listed above
  • Enable patch
  • Test your website
  • Push the patch and your modifications on production environment

Enable patch functionnalities

To protect non-default admin URLs against automated attacks, the patch must be enabled by changing the routing compatibility mode in configuration. Put the paramater “Enable Admin routing compatibility mode” to “DISABLED” under

System > Configuration > Admin > Security.

You can configure allowed variables and blocks in

System > Permissions > Blocks
System > Permissions > Variables

Magento official informations

You can find all these informations on the Magento official PDF document.

And the newsletter Magento sended to the partners :

Updated Patch Will Be Available Next Week
Dear Magento Partner,

The security patch we intended to release today, SUPEE-6788, includes changes to admin routing for extensions and customizations. These changes provide protection from an important security risk, but they can also make an extension or customization inaccessible from the admin panel if it is not using proper routing.

Given this potential risk and the fact that the vulnerabilities addressed by the patch are not being actively exploited at this time, we have decided to postpone the security patch release until early next week and modify the patch so that the admin routing changes are turned off by default. This means that the patch will include the fix, but that it will be disabled when installed. The new release date and changes to the patch will give extension developers time to make updates to their code and will give merchants flexibility to turn on this part of the patch once their extensions and customizations have been updated to work with it.

You can learn more about how the security patch breaks backward compatibility and potential changes you may need to make to your code in this document. Once the patch is released, we recommend that you first test the code in a non-production environment with the admin routing changes turned on. If it works, deploy the fully-enabled patch to production.

If you discover issues with accessing extensions or customizations from the admin panel, deploy the patch with admin routing changes disabled. Then update your customizations and contact your extension providers to determine when new code will be available. We urge you to turn on the admin routing changes as soon as possible to help protect your clients from automated attacks, like the malware issue we recently experienced.

Thank you for your attention and support regarding this issue.

Best regards,
The Magento Team

Magento hacker alert (GuruIncsite Infection – Patch SUPEE-6788 Installation)
Share on FacebookTweet about this on TwitterShare on Google+Email this to someone
Tagged on:                     

Leave a Reply

Your email address will not be published. Required fields are marked *

We use cookies to ensure that we give you the best experience on our website.
Ok