On the 27st of October 2015, Magento released SUPEE-6788. This patch fixes several issues. A complete list of these issues can be found on Magento’s website.
With the release of patch SUPEE-6788 Magento also released a new Magento Community version: Magento Community Edition 126.96.36.199. This new version contains all latest Magento patches. Read more about updating Magento.
What are the risks?
At the moment, this patch has risk rating medium:
It is possible to steal secret stuff such as Paypal keys in certain circumstances.
It is possible to retrieve the secret back-end admin name and launch a brute force dictionary attack.
As of yet, there are no large scale attacks known, although some brute attacks on back-end panels are seen in the wild.
Update October 29th: a working exploit has been published that allows anyone to download secret files using the XXE technique. Emergency fix: if you cannot patch, you should verify that you run the latest version of libxml2 (Ubuntu, Redhat) OR disable the PHP SOAP extension OR block access to your API altogether.
How to install SUPEE-6788
In most cases this patch can be applied safely. However, as always, we recommend to test extensively on a testing/staging environment. (Hypernode users can set-up a basic staging environment).
Some parts of this patch are optional, because it breaks backward compatibility with many extensions. So Magento has made a switch in the back-end to enable this extra measure. The rest of the patch can be applied relatively safely. Take note of the following issues (that will only affect a small number of installs):
- Have a custom
customer/form/register.phtmltemplate? It will break if you don’t add a form_key.
- Do you use non-standard variables in CMS pages, static blocks or email templates? They need to be whitelisted.
- Do you run the Magento cron through HTTP are are you using Apache? There is a new access control on cron.php, so you should change the .htaccess to include your local IP, or (better yet) run the cron through commandline PHP.
All clear? Proceed!
Step 1: Check if your modules are compatible and enable the added (but backwards incompatible) security measure.
Step 2: Install patch SUPEE-6788 (click ‘Release archive’ and scroll down for patch 6788) check if your modules are compatible and enable the added (but backwards incompatible) security measure.
Step 3: Enable the optional secure admin routing.
Step 1 – Check if your extensions and modules are compatible!
While closing these bugs, Magento introduced several changes that are not backward compatible. This means that some shortcuts that extensions took, that used to work, now work no longer. We know a large amount of extensions and modules are not (yet) compatible with this patch, so implementing the patch could break your shop if that’s the case. We know that:
- Extentions that have ‘<use>admin</use>’ in their configuration, will break.
- Several specific variables are not allowed to be used anymore.
We did a quick check and discovered that 80% of the webshops on our Hypernode platform is using at least one extension that uses either one of these now deprecated functionalities.
There is a community effort that we are committing to that is creating a list of all known incompatible modules.
For more information and indept technical info, check this technical sheet provided by Magento itself.
Step 2 – Install the patch
Install the patch according to the generic patch installation instructions.
De Nederlandse uitleg vind je hier: Magento patches installeren.
Step 3 – Increase security and disable compatibility mode
While closing these bugs, Magento introduced a change in admin routing that is not backwards compatible. A thorough analysis of our install base revealed that this affects 1886 unique extensions and effectively 80% of all installed shops. That is why Magento has disabled the backwords incompatible portion of the patch by default and should be enabled in the control panel.
Check for yourself: if you have extensions with
<use>admin</use> in their config.xml. they will likely break.
To quickly test whether you have incompatible extensions, run this in a terminal or SSH.
grep -lr '' app/
There are several useful community-written tools and resources:
- n98-magerun plugin to detect incompatible plugins
- A great tool php command to analyze and bulk-fix extensions for admin-router and template variable incompatibilities
- a community-curated list of all known incompatible extensions
So to increase security, disable the “compatibility mode” here:
System > Config > Admin > Security > Admin routing compatibility mode for extensions
What is the risk of not doing this?
Hackers can find your secret admin frontname through external modules. Knowing the secret admin name enables a brute force dictionary attack. No abuse has been registered on a massive scale, but incidents are reported on a daily basis. So it is recommend to implement this measure (and do not use the default “admin” and “downloader” names).
We found out that there are several reasons why Patch 6788 comes out as uninstalled on Magereport.com, so we recommend you to check the following:
- When compilation is enabled in the backend of your Magento, SUPEE-6482 doesn’t work properly. Disable compilation (navigate to System > Tools > Compilation page and click on Disable button) to make sure the patch works. After disabling compilation, check your site with magereport.com again. If the check still comes out as not installed, try re-compiling.
- Check if the patch is installed in the correct directory;
- Reload your opcode cache, webserver, php-fpm process and possible other caches. The old code might be still be active;
- Check your shops’ .htaccess. If you’ve made any adjustements in your .htaccess, it’s possible the patch is only partially installed;
- Using a Magento version older them Magento 188.8.131.52? Update to a more recent version. When patching Magento versions older then Magento 184.108.40.206, certain redirects aren’t added.
We hope one of the causes mentioned above can fix your problem. If not, we recommend you to hire a Magento specialist. Unfortunately we can’t help fixing these problems. We’re a hosting company that specializes in Magento hosting. Magento development however is a completely different specialty. A list of Magento developers per country can be found on Magereport.com.