Magento Security Patch SUPEE-6788 Update

The Magento Security Patch SUPEE-6788 Update was released on October 27, 2015 to repair multiple vulnerabilities revealed by recent attacks. This patch is also included in the latest Magento Commerce and Open Source editions. Forix recommends vendors install this update today to remove multiple security risks. Learn more about what security issues were repaired and how Forix can help with installation.

Benefits of Magento Security Patch SUPEE-6788 Update

Security upgrades in the Magento Security Patch SUPEE-6788 Update protect stores from several security issues, including:

  • Error Reporting Exposes Configuration (APPSEC-1102)
  • Filter Directives Allows Access to Data (APPSEC-1057)
  • XXE/XEE Attack (APPSEC-1045)
  • Possible SQL Injection in Magento Core (APPSEC-1063)
  • Potential Remote Code Execution (APPSEC-1037)
  • File Custom Option Leaks Information (APPSEC-1079)
  • Cross-site Scripting Errors (APPSEC-1039/APPSEC-1228)
  • Error Reports/Downloaded Projects Remote Code (APPSEC-1032)
  • Disclosure of Admin Path (APPSEC-1034)
  • Vulnerability in Password Reset (APPSEC-1027)
  • Dev Folder Unprotected (APPSEC-1124)
  • Cross-site Scripting/Caching Poison (APPSEC-1030)

Release Information

The Magento Security Patch SUPEE-6788 Update fixes multiple security issues revealed in recent attacks. These include installation errors that expose configuration details, email template filter directives that can call arbitrary blocks and reveal customer data, and an XXE/XEE attack against Zend XML functionality.

Forix encourages vendors to always follow best practices for the security of their sites. Forix also recommends that vendors keep their sites updated and watch for new patches.

Installation

For patch downloading, Forix recommends the following options:

  • Partners
    Partners should go to the Partner Portal, find and select Technical Resources, then choose Download from the Commerce panel. Following that, partners should go to Magento Commerce Edition > Patches and Support to find the “Security Patches – October 2015” folder.
  • Magento Commerce Edition Vendors
    Commerce Edition vendors should go to My Account, choose the Downloads tab, and find Magento Commerce Edition > Support patches. Find the “Security Patches – October 2015” folder to get the latest patch. Vendors can upgrade to the most recent Commerce Edition, which has all of the security fixes included.
  • Magento Open Source Edition Vendors
    Open Source Edition vendors can find patches for previous versions of Magento Open Source Edition on the download page (search for SUPEE-6788). Vendors who choose to upgrade to the most recent Open Source Edition version will have the security fixes included in the upgrade.
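After downloading and running the patch script, a practitioner wants a quick way to confirm that SUPEE-6788 is actually recorded on the server. The script below is an added example written for this page; it is not Forix's or Magento's own code. It assumes the Magento 1 convention that the patch script appends one pipe-delimited line per applied patch to app/etc/applied.patches.list, with the patch ID in the second field, and that a rollback (running the patch script with -R) appends a line containing the word REVERTED. The sample file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Forix page or Magento): report whether SUPEE-6788
# is recorded in a Magento 1 store's app/etc/applied.patches.list.
#
# Assumptions (labelled, not confirmed by the page):
#   - each applied patch adds a line like
#       2015-10-28 10:11:12 UTC | SUPEE-6788 | CE_1.9.2.1 | v1 | ...
#   - a rollback appends a line for the same patch containing "REVERTED"

# supee6788_status FILE
#   prints "applied", "reverted" or "missing"; returns 0 only when applied.
supee6788_status() {
    file="$1"
    if [ ! -f "$file" ]; then
        echo "missing"
        return 1
    fi
    # The last line mentioning the patch decides: a later REVERTED entry wins.
    last=$(grep 'SUPEE-6788' "$file" | tail -n 1)
    case "$last" in
        "")         echo "missing";  return 1 ;;
        *REVERTED*) echo "reverted"; return 1 ;;
        *)          echo "applied";  return 0 ;;
    esac
}

# list_patches FILE
#   prints the patch ID (second pipe-delimited field) of every recorded line,
#   so the operator can see what else is on the box (e.g. SUPEE-6285, SUPEE-6482).
list_patches() {
    awk -F'|' 'NF >= 2 { gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2 }' "$1"
}

# Demonstration on a constructed file (stand-in for <magento-root>/app/etc/applied.patches.list).
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
2015-08-04 09:00:00 UTC | SUPEE-6285 | CE_1.9.2.0 | v1 | constructed sample line
2015-10-28 10:11:12 UTC | SUPEE-6788 | CE_1.9.2.1 | v1 | constructed sample line
EOF

if supee6788_status "$demo_file" >/dev/null; then
    echo "SUPEE-6788 is applied; patches recorded:"
    list_patches "$demo_file"
else
    echo "SUPEE-6788 is NOT applied; install it before continuing."
fi
rm -f "$demo_file"
```

Run it against the real store as `supee6788_status /path/to/magento/app/etc/applied.patches.list` once the functions are sourced. Because the check only reads the applied-patches log, a store whose files were restored from an older backup after patching will still report "applied"; the log is a record of what the patch script did, not proof of the current file contents.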

Issues Addressed

Learn more about the risks addressed by the Magento Security Patch SUPEE-6788 Update below.

  1. Error Reporting Exposes Configuration (APPSEC-1102) – Risk Rating: 7.5 (High)
    Error messages during installation of Magento or an extension can reveal configuration and database access credentials.
  2. Filter Directives Allows Access to Data (APPSEC-1057) – Risk Rating: 7.5 (High)
    An email template filter could call blocks and reveal customer data, including recent orders and passwords.
  3. XXE/XEE Attack (APPSEC-1045) – Risk Rating: 7.5 (High)
    An attacker can force Magento to read XML supplied through API calls that contains references to local files. This could expose passwords or configuration files.

Install the Magento Security Patch SUPEE-6788 Update Today

Forix urges all merchants to upgrade to the latest versions of Magento products or install the Magento Security Patch SUPEE-6788 Update today. Doing so protects your site against the issues listed above. Forix offers help with installation to ensure a smooth process. Upgrade now to protect your store.

Resources:
https://magento.com/security/patches/supee-6788