Magento Security Patch SUPEE-6482

The Magento Security Patch SUPEE-6482 bundle was released on August 4, 2015 to repair multiple problems revealed by recent security compromises. The latest Magento Commerce and Open Source editions include this security patch. Vendors using older versions of Magento products should install this update to address several risks.

Benefits of Magento Security Patch SUPEE-6482 Bundle

The Security Patch SUPEE-6482 bundle was released to provide protection from numerous security risks, including:

  • SSRF Vulnerability in WSDL File (APPSEC-1020)
  • SOAP API Autoloaded File Inclusion (APPSEC-1019)
  • Cross-site Scripting Errors/Poisoning (APPSEC-1030)
  • Cross-site Scripting: Gifting Registry (APPSEC-1022)

Release Information

The Magento Security Patch SUPEE-6482 bundle addresses multiple security problems, including incorrect encoding of API passwords, faulty validation of SOAP API requests, information leaks through non-validated Host headers, and more.

Forix urges developers to make use of industry best practices regarding security. Developers should update their site regularly and stay up-to-date with new patches.

Installation

To download the Magento Security Patch SUPEE-6482 bundle:

  • Partners
    Partners must navigate to their portal, choose Technical Resources, and click Download from the Commerce panel. Following that, partners should go to Magento Commerce Edition > Patches and Support and find the folder named “Security Patches – July 2015.”
  • Magento Commerce Edition Vendors
    Vendors running the Magento Commerce Edition need to access the My Account page, click Downloads, and look for Magento Commerce Edition > Support patches. Find the “Security Patches – July 2015” folder to download the latest patch. Upgrading to the most recent version of Commerce Edition provides the same protection.
  • Magento Open Source Edition Vendors
    Open Source Edition vendors should search the download page for the security patches for previous versions of Magento Open Source Edition (search for SUPEE-6285). Vendors choosing to upgrade to the most recent Open Source Edition do not need to install this patch bundle.

Issues Addressed

Below is a list of issues addressed in the Magento Security Patch SUPEE-6482 bundle:

  1. Cross-site Scripting Errors/Poisoning (APPSEC-1030) – Risk Rating: 9.3 Critical
    Non-validated Host headers leak request data into page output, so HTML or JavaScript code could be injected through that data, posing a risk to all customers. The attack allows a user to intercept sessions or inject a fake credit card form. This affects a limited set of specific server configurations for Commerce editions only.
  2. Cross-site Scripting: Gifting Registry (APPSEC-1022) – Risk Rating: 9.3 Critical
    Attackers can exploit a cross-site scripting vulnerability in un-escaped search parameters to steal customer logins. This attack allows them to steal cookies and impersonate users. This affects Commerce editions only.
  3. SOAP API Autoloaded File Inclusion (APPSEC-1019) – Risk Rating: 6.5 Medium
    When a SOAP API request is incorrectly validated, an attacker can cause the server to autoload code. The attacker must first log in with API credentials. After that, if certain PHP versions and/or configuration settings are present, the attacker can load code remotely.
  4. SSRF Vulnerability in WSDL File (APPSEC-1020) – Risk Rating: 5.3 Medium
    Attackers can probe internal network resources or place files in a directory on the server by exploiting the incorrect encoding of API passwords.
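The Host header issue in item 1 (APPSEC-1030) comes down to building URLs from an attacker-controlled header. The following PHP is an added illustration, not Magento code: the store's hostname is taken from a configured allowlist instead of the raw Host header, and the request sample, allowlist and hostnames are constructed for the example.

```php
<?php
// Added example (not Magento code): resolve the store host from a configured
// allowlist so a poisoned Host header never reaches generated URLs or HTML.

function resolve_trusted_host(array $server, array $allowed_hosts, string $default_host): string
{
    $candidate = $server['HTTP_HOST'] ?? '';
    // Drop an optional :port suffix and normalise case before comparing.
    $host = strtolower(preg_replace('/:\d+$/', '', $candidate));
    // Accept only a syntactically valid hostname that is explicitly allowlisted.
    if ($host !== '' && preg_match('/^[a-z0-9.-]+$/', $host) === 1
        && in_array($host, $allowed_hosts, true)) {
        return $host;
    }
    // Anything else (empty, malformed, or unknown) falls back to the configured default.
    return $default_host;
}

function build_base_url(string $host, string $path = '/'): string
{
    return 'https://' . $host . $path;
}

// Constructed sample request: the Host header carries injected markup.
$poisoned = ['HTTP_HOST' => 'evil.example"><script>alert(1)</script>'];
$allowed  = ['shop.example.com', 'www.shop.example.com'];

// Weak pattern: the header is trusted verbatim, so the markup lands in the URL.
$vulnerable = 'https://' . $poisoned['HTTP_HOST'] . '/checkout';

// Hardened pattern: the header is only a lookup key into the allowlist.
$hardened = build_base_url(resolve_trusted_host($poisoned, $allowed, 'shop.example.com'), '/checkout');

// Output escaping is still required, but it cannot repair a wrong origin.
echo htmlspecialchars($vulnerable, ENT_QUOTES, 'UTF-8') . PHP_EOL;
echo htmlspecialchars($hardened, ENT_QUOTES, 'UTF-8') . PHP_EOL;

// A legitimate request with a port still resolves to the allowlisted host.
$legit = ['HTTP_HOST' => 'WWW.Shop.Example.com:443'];
echo build_base_url(resolve_trusted_host($legit, $allowed, 'shop.example.com'), '/account') . PHP_EOL;
```

Running it prints the escaped poisoned URL first, then `https://shop.example.com/checkout` and `https://www.shop.example.com/account`, showing that only the allowlist, not the header, decides the origin.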

Download the Magento Security Patch SUPEE-6482 Bundle Today

Install the Magento Security Patch SUPEE-6482 bundle now to ensure maximum protection of your storefront. Forix stands ready to help you with this installation and has the expertise to ensure a smooth installation.

Resources:
https://magento.com/security/patches/supee-6482