Magento Security Patch SUPEE-10266

Released by Magento on September 14, 2017, SUPEE-10266 is a security patch for both the Commerce and Open Source platforms. It addresses both security and performance issues experienced by Magento merchants, but its most important components are fixes for a number of security weaknesses, including the following classes of vulnerability:

  • Cross-site request forgery (CSRF): Also known as a one-click attack, a CSRF attack tricks a browser into sending unauthorized commands to an application in which the user is already logged in. A malicious site can transmit such requests in several ways, including image tags, hidden forms, and JavaScript XMLHttpRequest calls, all of which act without the user's awareness or cooperation. CSRF attacks commonly arrive as emails containing malicious links intended to make the user send an unauthorized command to an application or server. These attacks can be extremely damaging to a user and to a business: they often result in broken relationships with customers, changed passwords, blocked access, unauthorized transfers of funds, and data theft.

  • Cross-site scripting: Cross-site scripting (XSS) is a well-known attack that works by injecting malicious script into an unprotected website or application. XSS differs from other forms of web attack because it does not target the website or application itself. Rather, it targets the individuals using the website or application, which places every user of the affected system at risk. XSS attacks can compromise user accounts, allow content to be altered, and trick users into submitting private information. This threat has the potential to cause major damage to an online company's credibility.

  • Remote code execution (RCE): Also known as arbitrary code execution, remote code execution refers to an intruder's ability to gain access to a computer system or device and make changes to it regardless of where that device is physically located. Unprotected systems are susceptible to attackers delivering malicious code, which can be used to compromise the system or device. After successfully breaking in, attackers usually try to escalate their privileges in order to take complete control of the system.

Additional lower-risk security issues addressed in SUPEE-10266 are:

  • Unauthorized data disclosure

  • Denial of service

Functional repairs:

This release also contains fixes that improve the overall functioning of the Magento platform, including:

  • Problems with image refreshing

  • Regressions introduced by earlier patches

  • Issues encountered when paying through the one-step checkout method.

As you can see, SUPEE-10266 contains essential enhancements that can prevent intruders from breaking into and severely damaging your server and business. Forix advises all Magento users to apply SUPEE-10266 as soon as possible in order to receive the security fixes and functional improvements for their Magento stores.

Patches are now available for several Magento editions. Consider the following options to determine which is right for you:

  • For Magento Open Source versions 1.5.0.0-1.9.3.4, either install SUPEE-10266 or upgrade to Magento Open Source 1.9.3.6

  • For Magento Commerce editions 1.9.0.0-1.14.3.4, either install SUPEE-10266 or upgrade to Magento Commerce 1.14.3.6

Note: To ensure that your latest Magento security patch is installed and working properly, always test the patch in a staging environment before deploying it to your live store.

Despite the security and functional improvements, some issues may arise after installing security patch SUPEE-10266. Under some circumstances, SUPEE-10266 can cause problems in the payment step of checkout. For example, using the gift card ("add gift") feature in checkout can cause the system to prevent the user from proceeding to the next step of the checkout. This problem is fixed by installing patch SUPEE-10348. However, the order matters: you must install SUPEE-10266 first and only then install SUPEE-10348.
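
Because SUPEE-10348 must only be applied on top of SUPEE-10266, here is an added shell check (example code, not from the original post or from Magento) that reads the store's app/etc/applied.patches.list, the file Magento 1 patch scripts append to, and refuses to proceed when the prerequisite is not recorded. The pipe-separated line layout of the constructed sample lists is an assumption of this example.

```shell
#!/bin/sh
# Added example, not part of the original post or of Magento's patch scripts.
# Magento 1 patch scripts record each applied patch in app/etc/applied.patches.list;
# the "|"-separated line layout used in the constructed samples below is assumed.

# patch_applied LISTFILE PATCHNAME -> exit 0 if PATCHNAME is the patch-name field of any line
patch_applied() {
    listfile="$1"; name="$2"
    [ -f "$listfile" ] || return 1
    awk -F'|' -v want="$name" '
        { gsub(/^[ \t]+|[ \t]+$/, "", $2); if ($2 == want) found = 1 }
        END { exit found ? 0 : 1 }' "$listfile"
}

# require_prereq LISTFILE TARGET PREREQ
#   0 -> PREREQ applied and TARGET not yet applied: safe to run TARGET's script
#   1 -> PREREQ missing: stop, applying TARGET now would land on an unpatched tree
#   2 -> TARGET already recorded: nothing to do
require_prereq() {
    listfile="$1"; target="$2"; prereq="$3"
    if patch_applied "$listfile" "$target"; then
        echo "$target already recorded in $listfile; nothing to do" >&2
        return 2
    fi
    if ! patch_applied "$listfile" "$prereq"; then
        echo "refusing $target: prerequisite $prereq not recorded in $listfile" >&2
        return 1
    fi
    return 0
}

# Constructed sample lists (not real store files), written to a temp dir so the example runs offline.
SAMPLE_DIR="${TMPDIR:-/tmp}/supee-order-check.$$"
mkdir -p "$SAMPLE_DIR"
LIST_WITH_10266="$SAMPLE_DIR/with_10266.list"
LIST_WITHOUT_10266="$SAMPLE_DIR/without_10266.list"
cat > "$LIST_WITH_10266" <<'EOF'
2017-06-01 10:00:00 UTC | SUPEE-9767 | EE_1.14.3.4 | v2 | constructed-hash | SUPEE-9767_EE_1.14.3.4_v2.sh | files-omitted
2017-09-20 10:00:00 UTC | SUPEE-10266 | EE_1.14.3.4 | v1 | constructed-hash | SUPEE-10266_EE_1.14.3.4_v1.sh | files-omitted
EOF
head -n 1 "$LIST_WITH_10266" > "$LIST_WITHOUT_10266"

# Stand-alone run: the first check passes, the second is refused.
require_prereq "$LIST_WITH_10266" SUPEE-10348 SUPEE-10266 && echo "ok: SUPEE-10348 may follow SUPEE-10266"
require_prereq "$LIST_WITHOUT_10266" SUPEE-10348 SUPEE-10266 || echo "blocked: apply SUPEE-10266 first"
```

Run it from the Magento root against the real app/etc/applied.patches.list before invoking the SUPEE-10348 script; a non-zero exit means stop and apply SUPEE-10266 first.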

Merchants encountering this problem can also correct it by restoring the following two files to their pre-patch versions:

  • app/design/frontend/enterprise/default/template/giftcardaccount/onepage/payment/scripts.phtml

  • app/design/frontend/rwd/enterprise/template/giftcardaccount/onepage/payment/scripts.phtml

Get Magento SUPEE-10266 Security Patch Installed Today

The professionals at Forix have extensive experience with Magento security patches and can provide assistance to make sure your installation goes smoothly.