Magento Patches: The main code changes in the Patch 10266

Security patch SUPEE-10266, released on September 14, 2017, helps close cross-site request forgery (CSRF), unauthorized data leak, and authenticated admin user remote code execution vulnerabilities.

The main code changes included in Patch 10266 are described in the following article.

1. Login autocomplete

app/design/adminhtml/default/default/template/backup/dialogs.phtml
app/design/adminhtml/default/default/template/login.phtml
app/design/adminhtml/default/default/template/oauth/authorize/form/login-simple.phtml
app/design/adminhtml/default/default/template/oauth/authorize/form/login.phtml
app/design/adminhtml/default/default/template/resetforgottenpassword.phtml
downloader/template/login.phtml

The autocomplete attribute works correctly on Firefox once a dummy field with type="password" is added.

The browser is prevented from automatically filling in the password fields by specifying a new password: autocomplete="off" instead of autocomplete="new-password".

2. Injection escape

app/design/adminhtml/default/default/template/customer/tab/view.phtml
app/design/adminhtml/default/default/template/notification/toolbar.phtml
app/design/adminhtml/default/default/template/sales/order/view/history.phtml
app/design/adminhtml/default/default/template/sales/order/view/info.phtml
app/design/install/default/default/template/install/create_admin.phtml
app/code/core/Mage/Adminhtml/Block/Notification/Grid/Renderer/Notice.php

Some dynamic content is now passed through the escapeHtml method instead of being output directly.
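The following is an added example, not code from the patch or from Magento itself. It shows a minimal escapeHtml() in the spirit of Mage_Core_Helper_Abstract::escapeHtml(), applied to the kind of dynamic value (a customer name, an order comment) that the patched admin templates used to echo unescaped. The sample record is constructed and the function names are assumptions.

```php
<?php
// Added example, not Magento's own code: a minimal escapeHtml() and a template
// fragment rendered before and after the change. Sample data is constructed.

function escapeHtml($data)
{
    // Escape arrays element by element so a template can pass a whole record through.
    if (is_array($data)) {
        return array_map('escapeHtml', $data);
    }
    if ($data === null || $data === '') {
        return $data;
    }
    // ENT_QUOTES also escapes single quotes, so the result is safe inside
    // single-quoted attributes as well as in element content. The final 'false'
    // leaves existing entities such as &amp; alone instead of double-escaping them.
    return htmlspecialchars((string) $data, ENT_QUOTES, 'UTF-8', false);
}

// Constructed customer record: the name carries the markup a stored-XSS attempt would use.
$customer = array(
    'name'    => 'Jane <script>alert(document.cookie)</script> Doe',
    'comment' => 'Deliver "after 5pm" & ring the bell',
);

// Before: the template interpolates the raw value, so the script tag reaches the admin's browser.
function renderUnsafe(array $customer)
{
    return '<td title="' . $customer['comment'] . '">' . $customer['name'] . '</td>';
}

// After: every dynamic value goes through escapeHtml() first, in both the attribute
// and the element-content position.
function renderSafe(array $customer)
{
    $c = escapeHtml($customer);
    return '<td title="' . $c['comment'] . '">' . $c['name'] . '</td>';
}

echo renderUnsafe($customer), PHP_EOL;
echo renderSafe($customer), PHP_EOL;
```

Run it with the PHP CLI and compare the two lines: in the second one the angle brackets and quotes are entities, so the browser renders the name as text rather than executing it. Magento's own helper additionally accepts a list of allowed tags; this example deliberately escapes everything, which is the right default for admin-facing output.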

3. Forced form keys

app/code/core/Mage/Adminhtml/Block/Widget/Form/Container.php
app/code/core/Mage/Adminhtml/Controller/Action.php
app/code/core/Mage/Adminhtml/controllers/CustomerController.php

Every delete action is now protected with a "form key".
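As an added example (not Magento's own code), the script below reduces the form-key pattern that the patch forces onto delete actions to something that runs from the CLI: a per-session random key that the rendered delete link carries and that the action checks before doing anything. The class and function names, and the array standing in for $_SESSION, are assumptions.

```php
<?php
// Added example, not Magento's own code: a form key (anti-CSRF token) generated once
// per session, appended to the delete URL, and verified by the delete action.

class FormKey
{
    private $session; // reference to the session store (an array here, $_SESSION in practice)

    public function __construct(array &$session)
    {
        $this->session = &$session;
    }

    // One key per session, created on first use and reused by every form in that session.
    public function get()
    {
        if (empty($this->session['_form_key'])) {
            $this->session['_form_key'] = bin2hex(random_bytes(16)); // PHP 7+
        }
        return $this->session['_form_key'];
    }

    // Constant-time comparison, so a wrong guess cannot be refined byte by byte via timing.
    public function validate($submitted)
    {
        if (!is_string($submitted) || empty($this->session['_form_key'])) {
            return false;
        }
        return hash_equals($this->session['_form_key'], $submitted);
    }
}

// The patched form container appends the key to the delete button's URL;
// this helper does the same for a plain URL string.
function deleteUrl($base, FormKey $formKey)
{
    return $base . '?' . http_build_query(array('form_key' => $formKey->get()));
}

// A delete action guarded the way the patch guards them: no valid key, no delete.
function deleteAction(FormKey $formKey, array $request)
{
    $submitted = isset($request['form_key']) ? $request['form_key'] : null;
    if (!$formKey->validate($submitted)) {
        return array('status' => 403, 'body' => 'Invalid form key');
    }
    // ... the real action would load and delete the record here ...
    return array('status' => 200, 'body' => 'Deleted ' . (int) $request['id']);
}

$session = array();
$formKey = new FormKey($session);

// 1. Request built from a page rendered in this session: the key matches.
$url = deleteUrl('/admin/customer/delete/id/42', $formKey);
parse_str(parse_url($url, PHP_URL_QUERY), $query);
$own = deleteAction($formKey, array('id' => 42) + $query);

// 2. Cross-site request: a third-party page cannot read the victim's key, so it
//    either omits it or sends a guess. Both are refused.
$noKey  = deleteAction($formKey, array('id' => 42));
$badKey = deleteAction($formKey, array('id' => 42, 'form_key' => str_repeat('0', 32)));

printf("own=%d no_key=%d bad_key=%d%s", $own['status'], $noKey['status'], $badKey['status'], PHP_EOL);
```

Running it prints own=200 no_key=403 bad_key=403. The point of the pattern is that the key lives only in the victim's session and in pages rendered for that session, so a forged request from another origin cannot supply it; the constant-time compare is there so that the check itself does not leak the key.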

4. Admin indirect logging in

app/code/core/Mage/Admin/Model/Session.php
app/code/core/Mage/Rss/Helper/Data.php

Mage_Rss_Helper_Data::authAdmin now adds an additional "indirect_login" flag to the admin session data. Mage_Admin_Model_Session checks for that flag during its constructor call through the Mage_Admin_Model_Session::logoutIndirect method.

5. Layout update validator

app/code/core/Mage/Adminhtml/Model/LayoutUpdate/Validator.php

Template paths are now validated against directory traversal.

6. Newsletter templates cross site scripting

app/code/core/Mage/Adminhtml/controllers/Newsletter/QueueController.php
app/code/core/Mage/Adminhtml/controllers/Newsletter/TemplateController.php

dropAction now receives its data via POST.

app/code/core/Mage/Core/Model/Email/Template/Abstract.php

Make sure that your email template CSS file is located in the skin directory.
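Sections 5 and 6 both come down to the same check: a path taken from configurable data (a layout-update template path, an email template's CSS file) must resolve inside its allowed directory. The script below is an added example, not Magento's own validator; it combines a lexical check with a realpath() containment check and exercises both against a constructed directory tree under the system temp dir, so it runs stand-alone. Directory names and the function name are assumptions.

```php
<?php
// Added example, not Magento's own code: reject template and CSS paths that escape
// their base directory, then exercise the check on a constructed fixture.

// Return the canonical path of $relative inside $baseDir, or null if it escapes or does not exist.
function resolveInside($baseDir, $relative)
{
    $base = realpath($baseDir);
    if ($base === false || !is_string($relative)) {
        return null;
    }
    // Lexical pre-checks: NUL bytes truncate paths at the C level; absolute paths and
    // ".." segments have no business in a template reference even where realpath()
    // would later resolve them somewhere harmless.
    if (strpos($relative, "\0") !== false
        || preg_match('#^([a-zA-Z]:)?[\\\\/]#', $relative)
        || preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $relative)) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($candidate === false) {
        return null;
    }
    // Containment check on the canonical form, so symlinks are resolved before comparing.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

// --- Constructed fixture: a fake design tree with a template and a CSS file, plus a file outside it.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'supee10266_' . getmypid();
mkdir($root . '/app/design/frontend/base/default/template/catalog', 0700, true);
mkdir($root . '/skin/frontend/base/default/css/email', 0700, true);
file_put_contents($root . '/app/design/frontend/base/default/template/catalog/list.phtml', '');
file_put_contents($root . '/skin/frontend/base/default/css/email/email.css', '');
file_put_contents($root . '/local.xml', 'secret');

$templateDir = $root . '/app/design/frontend/base/default/template';
$skinDir     = $root . '/skin/frontend/base/default';

$cases = array(
    array($templateDir, 'catalog/list.phtml'),                  // legitimate layout-update template
    array($templateDir, '../../../../../../local.xml'),         // traversal out of the template dir
    array($templateDir, 'catalog/../../../../../../../local.xml'),
    array($skinDir,     'css/email/email.css'),                 // legitimate email CSS in the skin dir
    array($skinDir,     "css/email/email.css\0.css"),           // NUL-byte truncation attempt
    array($skinDir,     '/etc/hostname'),                       // absolute path
);
foreach ($cases as $case) {
    list($dir, $rel) = $case;
    $resolved = resolveInside($dir, $rel);
    printf("%-50s => %s%s", addcslashes($rel, "\0"), $resolved === null ? 'REJECTED' : 'ok', PHP_EOL);
}

// Clean up the fixture.
$walker = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ($walker as $f) {
    $f->isDir() ? rmdir($f->getPathname()) : unlink($f->getPathname());
}
rmdir($root);
```

Only the two legitimate entries print ok. The two layers are deliberate: the lexical check refuses suspicious input even when the target does not exist yet, and the realpath() comparison catches what a string check cannot see, such as a symlink inside the template directory pointing elsewhere.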

7. Image processing

app/code/core/Mage/Core/etc/config.xml
app/code/core/Mage/Core/Model/Email/Template/Abstract.php

The image processing that was added in the SUPEE-9767 patch is now optional.

You can disable it by setting the config value general/reprocess_images/active to 0. This cannot be done from the admin panel; set the value directly in the database.

8. Reordering exploit

app/code/core/Mage/Checkout/controllers/CartController.php
app/code/core/Mage/Sales/Model/Resource/Order/Item/Collection.php

addgroupAction now checks the current customer ID and filters the order items by that customer ID.
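The following added example (not Magento's own code) reduces the ownership check described above to plain arrays: the request names order item ids, and only the items whose parent order belongs to the logged-in customer may be re-added. The records are constructed and the function names are assumptions.

```php
<?php
// Added example, not Magento's own code: selecting order items for a reorder by id
// alone (the behaviour the patch fixes) versus by id and current customer.

// Constructed data: order items, each joined to the customer who placed the parent order.
$orderItems = array(
    array('item_id' => 101, 'order_id' => 10, 'customer_id' => 7, 'sku' => 'MUG-RED',  'qty' => 1),
    array('item_id' => 102, 'order_id' => 10, 'customer_id' => 7, 'sku' => 'MUG-BLUE', 'qty' => 2),
    array('item_id' => 201, 'order_id' => 20, 'customer_id' => 8, 'sku' => 'LAMP',     'qty' => 1),
);

// Before: items were selected by the ids in the request alone, so any logged-in
// customer could add another customer's order items to their own cart.
function itemsToReorderUnchecked(array $orderItems, array $requestedIds)
{
    $requestedIds = array_map('intval', $requestedIds);
    return array_values(array_filter($orderItems, function ($item) use ($requestedIds) {
        return in_array($item['item_id'], $requestedIds, true);
    }));
}

// After: the customer must be logged in, and the collection is filtered by that
// customer's id as well, so ids belonging to someone else simply yield no rows.
function itemsToReorderForCustomer(array $orderItems, array $requestedIds, $customerId)
{
    if ($customerId === null) {
        throw new RuntimeException('Not logged in');
    }
    $customerId   = (int) $customerId;
    $requestedIds = array_map('intval', $requestedIds);
    return array_values(array_filter($orderItems, function ($item) use ($requestedIds, $customerId) {
        return $item['customer_id'] === $customerId
            && in_array($item['item_id'], $requestedIds, true);
    }));
}

// Constructed request from customer 7 that also names item 201, which belongs to customer 8.
$request = array('order_items' => array('101', '201'));

$before = itemsToReorderUnchecked($orderItems, $request['order_items']);
$after  = itemsToReorderForCustomer($orderItems, $request['order_items'], 7);

echo 'unchecked: ', implode(',', array_column($before, 'item_id')), PHP_EOL;
echo 'filtered:  ', implode(',', array_column($after, 'item_id')), PHP_EOL;
```

It prints unchecked: 101,201 and filtered: 101. In the real collection the same restriction belongs in the query itself (a filter on the parent order's customer id), not in a check applied after the rows have been loaded, so that there is no code path that can see a foreign item at all.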

9. PHP serializer

app/code/core/Zend/Serializer/Adapter/PhpCode.php

The unserialize function in the Zend library is edited: $ret and $opts are declared as arrays, and if $ret is not an array, an empty string is returned.

10. Custom option type file

app/design/adminhtml/default/default/template/catalog/product/edit/options/type/file.phtml

The "Allowed File Extensions" field is now required.
