Gist: mroffice/e6bda952a6165d00f1c1
How I patched our Magento 1.9.2.1 CE with the notorious SUPEE 6788 patch that breaks all your extensions.

See the Updates section at the end for additional info.

What is SUPEE-6788?

SUPEE-6788 is a bundle of patches for Magento. From the Magento Commerce website:

[SUPEE-6788] provides protection against several types of security-related issues, including remote code execution, information leaks and cross-site scripting.

Why is it more complicated than previous patches?

Because it changes core behaviour that extensions depend on (admin routing, template directive handling, collection field filters and custom option serialization), so once applied it will almost certainly break backward compatibility with some of your Magento extensions.

Ok, what extensions are affected by the patch?

The Magento community has put together a Google Sheets list of extensions that need to be updated:

https://docs.google.com/spreadsheets/d/1LHJL6D6xm3vD349DJsDF88FBI_6PZvx_u3FioC_1-rg

How to find offending extensions?

Note: these greps are heuristics. They will miss code that builds the string at runtime from variables, so treat a clean result as a starting point, not as proof.

  • APPSEC-1034 Modules that register admin controllers with the older `<use>admin</use>` router form let an attacker bypass your custom admin URL, because those controllers stay reachable under the module's own front name. To find affected files:

    grep -r '<use>admin</use>' app/

    What to do:

    Move the module's admin routes under the standard adminhtml router and its controllers into the module's controllers/Adminhtml directory, as described for APPSEC-1034 in the SUPEE-6788 technical details at magento.com. The toolbox described below can do most of this for you.

  • APPSEC-1063 Modules that pass SQL expressions (a parenthesised expression or a backtick-quoted name) as the field name to addFieldToFilter() were vulnerable to SQL injection; after the patch such field names are rejected, so the code breaks. To find affected files:

    grep -r "addFieldToFilter('(" app/
    grep -r "addFieldToFilter('\`" app/

    What to do:

    Rewrite each filter so that the field name is a plain column name and the expression is applied elsewhere, as stated for APPSEC-1063 at magento.com.

  • APPSEC-1057 If you use template processing on CMS pages, static blocks or transactional emails, every config path and block type used in a {{config path=...}} or {{block type=...}} directive must be on Magento's whitelist, otherwise the directive is not rendered. To find affected files:

    grep -r "{{config path=" app/
    grep -r "{{block type=" app/

    Note that content edited in the admin (CMS pages and static blocks, email templates saved under System > Transactional Emails) lives in the database, not under app/, so also search the database or a mysqldump of it.

    What to do:

    Add the config paths and block types to the whitelist tables in the database (permission_variable and permission_block, editable after the patch under System > Permissions > Variables and System > Permissions > Blocks), and put the same entries into your module's install or upgrade script so that every environment gets them.

  • APPSEC-1079 You can no longer store a serialized PHP object as product custom option data; the patch stops unserializing objects there.

    This one is for custom code, there are no shortcuts: review any code that saves objects into custom option values.
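The greps above, combined into one script that labels each hit with its APPSEC id and can also scan a database dump for the CMS content that never appears under app/. This is an added example, not part of the gist and not the SUPEE-6788 toolbox. The Acme_Legacy and Acme_Clean modules, the email template and the SQL dump fragment it creates are constructed sample input so it can be run and checked offline; the second module's config.xml uses the standard adminhtml router form that the APPSEC-1034 fix leads to, so it should produce no hit.

```shell
#!/bin/sh
# supee6788-scan.sh: one-shot static scan for the things SUPEE-6788 is known to break.
# Added example, not the gist's own commands and not the SUPEE-6788 toolbox. Same
# caveat as the greps it wraps: strings assembled at runtime from variables are not
# found, so a clean report is a starting point, not proof.

# _report LABEL PATTERN PATH [extra grep options]
# Prints "LABEL<TAB>file" for every file under PATH containing the fixed string PATTERN.
_report() {
    label=$1; pattern=$2; path=$3; shift 3
    grep -rlF "$@" -e "$pattern" "$path" 2>/dev/null | while IFS= read -r f; do
        printf '%s\t%s\n' "$label" "$f"
    done
}

# supee6788_scan APP_DIR [DUMP_SQL]
# APP_DIR is Magento's app/ directory. DUMP_SQL is optional but important: CMS pages,
# static blocks and email templates edited in the admin live in the database, not
# under app/, so a mysqldump is the only place grep can see them.
supee6788_scan() {
    app=$1; dump=${2:-}
    {
        _report APPSEC-1034 '<use>admin</use>' "$app" --include=config.xml   # legacy admin router
        _report APPSEC-1063 "addFieldToFilter('(" "$app" --include='*.php'   # SQL expression as field
        _report APPSEC-1063 "addFieldToFilter('\`" "$app" --include='*.php'  # backtick-quoted field
        _report APPSEC-1057 '{{config path=' "$app"                          # directives that need
        _report APPSEC-1057 '{{block type=' "$app"                           # whitelist entries
        if [ -n "$dump" ]; then
            _report APPSEC-1057 '{{config path=' "$dump"
            _report APPSEC-1057 '{{block type=' "$dump"
        fi
    } | sort -u
}

# Constructed sample tree (not a real store) so the scan can be tried offline: a module
# still on the old admin router with an unsafe filter, a module already on the standard
# adminhtml router form (should produce no hit), an email template, and a dump fragment.
supee6788_sample() {
    root=$(mktemp -d)
    legacy=$root/app/code/local/Acme/Legacy
    clean=$root/app/code/local/Acme/Clean
    mkdir -p "$legacy/etc" "$legacy/Model" "$clean/etc" "$root/app/locale/en_US/template/email"
    cat >"$legacy/etc/config.xml" <<'EOF'
<config><admin><routers>
  <acme_legacy>
    <use>admin</use>
    <args><module>Acme_Legacy</module><frontName>acme_legacy</frontName></args>
  </acme_legacy>
</routers></admin></config>
EOF
    cat >"$clean/etc/config.xml" <<'EOF'
<config><admin><routers>
  <adminhtml><args><modules>
    <acme_clean before="Mage_Adminhtml">Acme_Clean_Adminhtml</acme_clean>
  </modules></args></adminhtml>
</routers></admin></config>
EOF
    cat >"$legacy/Model/Report.php" <<'EOF'
<?php
class Acme_Legacy_Model_Report
{
    public function recent()
    {
        return Mage::getModel('sales/order')->getCollection()
            ->addFieldToFilter('(created_at > NOW() - INTERVAL 1 DAY)', 1);
    }
}
EOF
    cat >"$root/app/locale/en_US/template/email/acme_welcome.html" <<'EOF'
<p>Call us on {{config path="general/store_information/phone"}}</p>
{{block type="acme_legacy/promo" template="acme/promo.phtml"}}
EOF
    cat >"$root/dump.sql" <<'EOF'
INSERT INTO `cms_page` (`page_id`, `identifier`, `content`) VALUES
(1, 'home', '{{block type="catalog/product_new" template="catalog/product/new.phtml"}}');
EOF
    printf '%s\n' "$root"
}

if [ "$#" -gt 0 ]; then
    supee6788_scan "$@"            # real run from the Magento root: sh supee6788-scan.sh app/ [store-dump.sql]
else
    SAMPLE=$(supee6788_sample)     # no arguments: demonstrate on the constructed sample
    supee6788_scan "$SAMPLE/app" "$SAMPLE/dump.sql"
fi
```

On the sample this reports one APPSEC-1034 file, one APPSEC-1063 file, the email template and the dump under APPSEC-1057, and nothing for Acme_Clean. On a real store run it from the Magento root and read the APPSEC-1057 hits against the whitelist you are building.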

Where do I start?

  1. Download the patch from magentocommerce.com/download.
  • Scroll down to "Magento Community Edition Patches"
  • Find SUPEE-6788 and then download the .sh file for your version of Magento (mine is 1.9.2.0)
  2. Upload the patch to your Magento root folder.

!!! I would recommend (insist, even!) that you first install this on a local or development server, as a lot of your extensions will break !!!

  • You can use cPanel, FTP or whatever you like; I use scp from the command line:

    scp ~/Downloads/PATCH_SUPEE-6788.....sh <user>@<server>:/magento/root

  • Now execute the bash file from the Magento root:

    sh PATCH_SUPEE-6788.......sh

  • The script prints the files it patched and records the patch in app/etc/applied.patches.list; if you are unsure whether it went in, check that file (the script refuses to apply the same patch twice).

  3. Get the SUPEE 6788 Toolbox
  • Upload the file as before with scp or FTP, this time to the /shell folder

  • Run the analyze function:

    php -f shell/fixSUPEE6788.php -- analyze

  4. Upgrade any extensions that you know have released an update due to SUPEE 6788.

  5. Run analyze again and hopefully you have fewer results now that you have updated some extensions. Decide whether it's worthwhile to go through each remaining file yourself, or run the script again with fix in place of analyze, which rewrites them for you.

  • The fix mode modifies and moves files (it rewrites admin router config and relocates admin controllers), so you may find that the Magento site is down afterwards (the backend more likely). Just do the normal debugging process: check var/log/exception.log. In my case one extension's admin routing was rewritten incorrectly, causing a 500 error on the backend.

  • Run the analyze command again to see issues that couldn't be sorted. On my install I was lucky and there were no 'Affected Modules' and no 'Affected Files', but under 'Issues' I had some more work to do.

    • There was one warning 'Unable to load configuration', which meant that one of the installed extensions didn't have an etc/config.xml under app/code/local/<vendor>/<module>.

    • There were a few "Possible SQL Vulnerability" warnings, which relate to APPSEC-1063, but these were from an extension that I updated during this process, so they were fine.
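The upload-and-run steps above wrapped in a script with the checks I would want before touching a production store: refuse to run outside the Magento root, refuse if the patch is already recorded, back up first, keep the store in maintenance mode while files are rewritten, and verify afterwards from app/etc/applied.patches.list rather than from scrolling output. This is an added example, not the gist's script and not Magento's patch tooling. It assumes a standard Magento 1 layout, that the downloaded .sh file is already in the root, and an applied.patches.list line layout (timestamp | patch name | version | ..., with a REVERTED marker on revert lines) that is an assumption you should check against your own file; the sample list it creates is constructed, not copied from a real store.

```shell
#!/bin/sh
# apply-supee-6788.sh: the gist's "upload, run, check output" steps with guard rails.
# Added example; not the gist's own script and not Magento's patch tooling.
# Assumes a standard Magento 1 tree (app/Mage.php, app/etc/applied.patches.list,
# maintenance.flag) and that the downloaded PATCH_SUPEE-6788 .sh file is in the root.

# supee_applied PATCH_NAME [LIST_FILE]
# True if the last line for PATCH_NAME in LIST_FILE is an apply, not a revert. The
# patch script appends one " | "-separated line to app/etc/applied.patches.list;
# the field layout and the REVERTED marker used here are assumptions, check them
# against your own file.
supee_applied() {
    list=${2:-app/etc/applied.patches.list}
    [ -f "$list" ] || return 1
    grep -F "| $1 |" "$list" | tail -n 1 | grep -qv REVERTED
}

# supee_apply PATCH_FILE: run from the Magento root. Non-zero on any failure.
supee_apply() {
    patch_file=$1
    [ -f app/Mage.php ] || { echo "run this from the Magento root" >&2; return 1; }
    [ -f "$patch_file" ] || { echo "patch file '$patch_file' not found" >&2; return 1; }
    if supee_applied SUPEE-6788; then
        echo "SUPEE-6788 is already recorded in app/etc/applied.patches.list" >&2
        return 0
    fi
    stamp=$(date +%Y%m%d-%H%M%S)
    # Code backup: app/ and lib/ are where this patch's changes land; add any other
    # directory the patch output lists. Dump the database too (command depends on your
    # setup): the patch ships an upgrade script that creates the whitelist tables on
    # the next request.
    tar czf "../magento-pre-supee6788-$stamp.tgz" app lib || return 1
    touch maintenance.flag                  # store offline while files are rewritten
    sh "$patch_file"; status=$?
    rm -f maintenance.flag
    [ "$status" -eq 0 ] || { echo "patch script exited $status; see its output" >&2; return "$status"; }
    supee_applied SUPEE-6788 || { echo "exit 0 but applied.patches.list does not list SUPEE-6788" >&2; return 1; }
    rm -rf var/cache/*                      # drop cached config so the new code is read
    echo "SUPEE-6788 applied and recorded. Next: php -f shell/fixSUPEE6788.php -- analyze"
}

# Constructed sample applied.patches.list (not from a real store) for an offline check
# of supee_applied: one patch applied, one applied and then reverted.
supee_sample_list() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
2015-10-27 10:41:38 UTC | SUPEE-6285 | CE_1.9.2.0 | v1 | 0000000000000000000000000000000000000000
2015-10-28 09:12:03 UTC | SUPEE-6788 | CE_1.9.2.0 | v1 | 1111111111111111111111111111111111111111
2015-10-28 11:40:55 UTC | SUPEE-6788 | CE_1.9.2.0 | v1 | REVERTED
EOF
    printf '%s\n' "$f"
}

if [ "$#" -gt 0 ]; then
    supee_apply "$1"               # real run: sh apply-supee-6788.sh <the downloaded .sh file>
else
    LIST=$(supee_sample_list)      # no argument: demonstrate the verification only
    supee_applied SUPEE-6285 "$LIST" && echo "SUPEE-6285: applied"
    supee_applied SUPEE-6788 "$LIST" || echo "SUPEE-6788: reverted or missing"
fi
```

Without an argument the script only exercises the verification on the constructed list; with the patch file as its argument it runs the whole procedure and stops at the first failed check, which is the behaviour you want on a live store.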

Further reading

You can check your Magento store for known vulnerabilities at MageReport.com

See this StackOverflow thread for extra information or to ask questions

Updates

  • Although the technical details seem to suggest the reverse (I quote, "Note: This patch is disabled by default"), after patching the option "Admin routing compatibility mode for extensions" in System > Configuration > Advanced > Admin > Security is set to Enabled. Enabled means extensions' old-style admin routers keep working, i.e. the APPSEC-1034 protection is off; once your extensions are fixed, set it to Disabled. Note that this won't do anything if you're still using the default /admin path, in which case you should change it to a unique value to make brute-force attacks on the admin login harder.

  • Some sources say that custom forms could break if they don't include a form_key. Here is a source. This means that you may need to edit your custom signup forms to add the token. I tested it without and it seemed to work OK, but I added the form_key in just in case and will keep an eye on customer signups.


hadl commented Oct 30, 2015

Thank you for that helpful article!
