Magento Security Patch SUPEE-7405

The Magento security patch SUPEE-7405 was released on February 23, 2016 to fix multiple issues found in the initial software release. The patch applies to both Magento Commerce and Open Source editions. Vendors should download and apply this update as soon as possible to benefit from its fixes. Read on for details of what was addressed and where to get help if needed.

Benefits of Magento Security Patch SUPEE-7405

Security upgrades in SUPEE-7405 v 1.1, Open Source 1.9.2.4, and Magento Commerce 1.14.2.4 repair several vulnerabilities and regressions, including:

  • Cart Merge Patch (SUPEE-7978)
  • SOAP API Patch (SUPEE-7822)
  • PHP 5.3 Compatibility (SUPEE-7882)
  • Upload File Permissions
  • XSS Attack Via Email Address
  • XSS Attack Via Comments

Release Information

Forix recommends vendors install the SUPEE-7405 v 1.1 patch or upgrade to Commerce version 1.14.2.4 or Open Source version 1.9.2.4.

Vendors running a version earlier than Magento Commerce 1.14.2.3 or Open Source 1.9.2.3 must install the SUPEE-7405 v 1.0 patch before installing the SUPEE-7405 v 1.1 patch bundle.

Vendors already running Magento Commerce 1.14.2.3 or Open Source 1.9.2.3, or who have already installed security patch SUPEE-7405 v 1.0 on an earlier version of Open Source, do not need to install the v 1.0 patch first.

Issues Addressed

Read on for a list of the issues or risks addressed by Magento Security Patch SUPEE-7405.

  1. Cart Merge Patch (SUPEE-7978)
    This patch allows customers to merge shopping carts containing identical items successfully. Previously, when a customer merged a cart containing an item with another cart containing the same item, Magento failed to merge the cart totals accurately. With this patch the merged cart shows a single line for the item with the correct totals.
  2. SOAP API Patch (SUPEE-7822)
    This patch restores the SOAP API to working order. After the SUPEE-7405 v 1.0 patch was applied, an API request would return a 500 error and Magento would log an exception.
  3. PHP 5.3 Compatibility (SUPEE-7882)
    On earlier Magento versions, the original patch was incompatible with PHP 5.3; vendors who hit this problem could not see sales data in the Admin. This patch addresses that issue.
  4. Upload File Permissions
    The original SUPEE-7405 patch tightened file permissions, which prevented many vendors on certain hosting set-ups from seeing uploaded product images. Magento Security Patch SUPEE-7405 v 1.1 fixes this by restoring the previous, less restrictive permissions (0666 for files and 0777 for directories). Note that these modes are world-readable and world-writable.
  5. APPSEC-1213: Stored XSS Via Email Address – Risk Rating: 9.3 (Critical)
    During customer registration, a user could supply an email address containing JavaScript. Magento failed to validate this address properly and rendered it unescaped in the Admin backend, where the script executed when an administrator viewed it. This allowed the attacker to hijack an administrator's session or impersonate the vendor's store administrator.
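
The registration-to-Admin path described in item 5, as an added PHP illustration that is not Magento's code: a constructed email address with a quoted local part, the unescaped rendering that lets it run in the Admin, the escaped rendering that neutralises it, and a stricter registration check as defence in depth. All function names and the sample address are assumptions.

```php
<?php
// Constructed illustration of the APPSEC-1213 bug class: a customer e-mail address
// stored at registration and later rendered in the Admin. Not Magento code; the
// function names and the sample address are hypothetical.

// Constructed registration input. RFC 5321 allows a quoted local part, so characters
// such as < and > can survive a permissive "is this a valid e-mail" check.
$submittedEmail = '"<script>alert(document.cookie)</script>"@example.com';

// Vulnerable pattern: the stored value is concatenated straight into Admin HTML,
// so whatever the customer typed is interpreted as markup by the administrator's browser.
function renderCustomerCellVulnerable($email)
{
    return '<td>' . $email . '</td>';
}

// Fix 1 (the one that actually closes the hole): escape on every HTML render,
// regardless of what validation did at registration time.
function escapeHtml($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

function renderCustomerCellHardened($email)
{
    return '<td>' . escapeHtml($email) . '</td>';
}

// Fix 2 (defence in depth at registration): accept only a conservative allowlist
// that is deliberately narrower than RFC 5321, so quoted local parts are refused.
function isAcceptableCustomerEmail($email)
{
    if (strlen($email) > 254) {
        return false;
    }
    return preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/', $email) === 1;
}

if (!isAcceptableCustomerEmail($submittedEmail)) {
    echo "registration rejected: address fails the allowlist\n";
}
// Compare what each renderer would hand to the administrator's browser.
echo renderCustomerCellVulnerable($submittedEmail), "\n";
echo renderCustomerCellHardened($submittedEmail), "\n";
```

The escaped rendering is the fix that matters: validation at registration can be bypassed or loosened later, but escaping at the point of output protects the Admin no matter what was stored.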

Updating Magento

Patches or upgrades can be found for the following versions of Magento:

  • Magento Commerce 1.9.0.0-1.14.2.3: SUPEE-7405 v 1.1 or upgrade to Commerce 1.14.2.4
  • Magento Open Source 1.5.0.0-1.9.2.3: SUPEE-7405 v 1.1 or upgrade to Open Source 1.9.2.4

Install the Magento Security Patch SUPEE-7405 Today

To address the issues our customers have brought to our attention, Forix urges vendors to install the Magento Security Patch SUPEE-7405 immediately. Your site will benefit from increased functionality and security and you can trust Forix when we say the installation will be trouble-free. Upgrade today to get the current fixes, tools, and security updates.

Resources:
https://magento.com/security/patches/supee-7405