Security patch SUPEE-10266, released on September 14, 2017, helps close cross-site request forgery (CSRF), unauthorized data leak, and authenticated Admin user remote code execution vulnerabilities.
The main code changes included in patch SUPEE-10266 are summarized in this article.
1. Login autocomplete
app/design/adminhtml/default/default/template/backup/dialogs.phtml
app/design/adminhtml/default/default/template/login.phtml
app/design/adminhtml/default/default/template/oauth/authorize/form/login-simple.phtml
app/design/adminhtml/default/default/template/oauth/authorize/form/login.phtml
app/design/adminhtml/default/default/template/resetforgottenpassword.phtml
downloader/template/login.phtml
On Firefox the autocomplete attribute only takes effect once a dummy field with type="password" is added to the form.
The browser is prevented from auto-filling the real password field by marking it as a new-password entry: autocomplete="new-password" is used in place of autocomplete="off".
2. Injection escape
app/design/adminhtml/default/default/template/customer/tab/view.phtml
app/design/adminhtml/default/default/template/notification/toolbar.phtml
app/design/adminhtml/default/default/template/sales/order/view/history.phtml
app/design/adminhtml/default/default/template/sales/order/view/info.phtml
app/design/install/default/default/template/install/create_admin.phtml
app/code/core/Mage/Adminhtml/Block/Notification/Grid/Renderer/Notice.php
Some dynamic content is now passed through the escapeHtml method before output instead of being echoed directly.
3. Forced form keys
app/code/core/Mage/Adminhtml/Block/Widget/Form/Container.php
app/code/core/Mage/Adminhtml/Controller/Action.php
app/code/core/Mage/Adminhtml/controllers/CustomerController.php
Every delete action is now protected with a form key.
4. Admin indirect logging in
app/code/core/Mage/Admin/Model/Session.php
app/code/core/Mage/Rss/Helper/Data.php
Mage_Rss_Helper_Data::authAdmin now adds an additional "indirect_login" flag to the admin session data. Mage_Admin_Model_Session then checks for that flag in its constructor via the Mage_Admin_Model_Session::logoutIndirect method.
5. Layout update validator
app/code/core/Mage/Adminhtml/Model/LayoutUpdate/Validator.php
Template paths are validated against directory traversal.
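As an added illustration of the kind of check described here (this is example code, not the patch's own Validator.php), the standalone PHP function below walks a layout update and rejects template paths that could point outside the template directory. It assumes that templates are referenced either by a template attribute or by a <template> element, and that the layout update is a fragment without an XML declaration.

```php
<?php
// Added example, not code from SUPEE-10266: validate every template path
// referenced in a Magento-style layout update fragment.
function validateLayoutTemplatePaths(string $layoutXml): array
{
    $doc = new DOMDocument();
    // Layout updates are fragments, so wrap them in a root element first.
    if (!@$doc->loadXML('<layout>' . $layoutXml . '</layout>')) {
        return ['(malformed XML)'];
    }
    $xpath = new DOMXPath($doc);
    $paths = [];
    // Assumption: templates appear as template="..." attributes ...
    foreach ($xpath->query('//*[@template]') as $node) {
        $paths[] = $node->getAttribute('template');
    }
    // ... or as <template> elements inside setTemplate actions.
    foreach ($xpath->query('//template') as $node) {
        $paths[] = trim($node->textContent);
    }
    $rejected = [];
    foreach ($paths as $path) {
        // Reject absolute paths, Windows drive letters, stream wrappers and
        // any ".." segment: each one lets the path leave the template tree.
        if (preg_match('#^([a-zA-Z]:|[\\\\/])#', $path)
            || strpos($path, '://') !== false
            || preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $path)
        ) {
            $rejected[] = $path;
        }
    }
    return $rejected;
}

// Constructed sample: one legitimate block and two out-of-tree references.
$sample = <<<XML
<reference name="content">
    <block type="core/template" name="promo" template="cms/promo.phtml"/>
    <block type="core/template" name="bad1" template="../../outside/file.txt"/>
    <action method="setTemplate"><template>/tmp/not-a-template.phtml</template></action>
</reference>
XML;

foreach (validateLayoutTemplatePaths($sample) as $bad) {
    echo "rejected template path: {$bad}\n";
}
```

Running it reports the two out-of-tree paths and accepts cms/promo.phtml; a real validator would additionally resolve the accepted path against the theme's template root before use.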
6. Newsletter templates cross site scripting
app/code/core/Mage/Adminhtml/controllers/Newsletter/QueueController.php
app/code/core/Mage/Adminhtml/controllers/Newsletter/TemplateController.php
dropAction now receives its data via POST.
app/code/core/Mage/Core/Model/Email/Template/Abstract.php
Email template CSS files must be located in the skin directory.
7. Image processing
app/code/core/Mage/Core/etc/config.xml
app/code/core/Mage/Core/Model/Email/Template/Abstract.php
The image processing that was added in patch SUPEE-9767 is now optional.
You can disable it by setting the config value general/reprocess_images/active to 0. There is no admin panel setting for it, so set the value directly in the database.
8. Reordering exploit
app/code/core/Mage/Checkout/controllers/CartController.php
app/code/core/Mage/Sales/Model/Resource/Order/Item/Collection.php
addgroupAction now checks the current customer ID and filters the order items by that customer ID.
9. PHP serializer
app/code/core/Zend/Serializer/Adapter/PhpCode.php
The unserialize function in the Zend library is changed: $ret and $opts are declared as arrays, and if the value is not an array, $ret is returned as an empty string.
10. Custom option type file
app/design/adminhtml/default/default/template/catalog/product/edit/options/type/file.phtml
The Allowed File Extensions field is now required.
Thanks for sharing this blog. Really, this is a good site for us.
We’re glad that BSSConfluence is helpful. Feel free to take a tour around for more.
Regards.