The latest update to version 1 of Magento includes many general updates and fixes to make the merchant experience better than ever while using the popular e-commerce platform.
However, we at Foregenix are more concerned about the security implications and whether previously identified flaws have been corrected. The main technical patch is SUPEE-7405, which is discussed here. These patches affect Magento Community Edition prior to v184.108.40.206 and Magento Enterprise Edition prior to v220.127.116.11. Updating to these versions is highly recommended.
The main issues to have been fixed include:
- Stored XSS via email address - APPSEC-1213
- Stored XSS in Order Comments - APPSEC-1239
- Stored XSS in Order - APPSEC-1260
- Guest order view protection code vulnerable to brute-force attack - APPSEC-1270
  - The guest order view protection code makes it possible to access guest order information for some orders, because of how the code is generated and compared with stored values. While the attack cannot target a specific order or allow a user to view all orders, it can be used to extract order information from the store.
- Malicious files can be uploaded via backend - APPSEC-1306
  - An administrator can upload a file containing executable code to the server as a logo file by renaming the file to a supported image file format. The issue is not exploitable by itself unless the administrator account that has access to configuration is compromised. However, site audits may flag this issue, and it can cause security audits (such as PCI) to fail.
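As an added illustration, not Magento's own code, of the two properties a guest order protection code needs to resist the APPSEC-1270 style of brute-force guessing: the code is drawn from a CSPRNG, and verification is constant-time with a per-client failure limit. The class name, the 128-bit code length and the five-attempt lockout are assumed policy values.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical helper (not Magento's code): issue and check guest order
# "protection codes" so they cannot be guessed or enumerated.

CODE_BYTES = 16    # 128 bits of entropy per code (assumed policy)
MAX_FAILURES = 5   # lock a client out after this many bad guesses (assumed policy)


@dataclass
class GuestOrderAccess:
    codes: dict = field(default_factory=dict)     # order_id -> protection code
    failures: dict = field(default_factory=dict)  # client_id -> failed attempts

    def issue_code(self, order_id: str) -> str:
        # Draw from the OS CSPRNG, never from a predictable source such as
        # the order id or a timestamp.
        code = secrets.token_urlsafe(CODE_BYTES)
        self.codes[order_id] = code
        return code

    def verify(self, client_id: str, order_id: str, presented: str) -> bool:
        # Refuse outright once a client has used up its attempts, so the
        # keyspace cannot be walked by repeated guessing.
        if self.failures.get(client_id, 0) >= MAX_FAILURES:
            return False
        stored = self.codes.get(order_id)
        # Compare against a fresh dummy when the order is unknown, so the
        # response time does not reveal which order ids exist.
        expected = stored if stored is not None else secrets.token_urlsafe(CODE_BYTES)
        match = hmac.compare_digest(expected.encode(), presented.encode())
        ok = stored is not None and match
        if ok:
            self.failures.pop(client_id, None)
        else:
            self.failures[client_id] = self.failures.get(client_id, 0) + 1
        return ok


if __name__ == "__main__":
    access = GuestOrderAccess()
    code = access.issue_code("100000123")   # constructed sample order id
    print("correct code accepted:", access.verify("client-a", "100000123", code))
    print("wrong code rejected:  ", not access.verify("client-a", "100000123", "guess"))
```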
For help installing the patch, see our other FAQ.
The fixes here are only a handful of the issues that have been identified and fixed by the Magento development teams. For more information on this update and all other updates, visit Magento's blog: https://magento.com/security/patches/supee-7405