Security patch SUPEE-10266, released on September 14, 2017, closes cross-site request forgery (CSRF), unauthorized data leak, and authenticated admin user remote code execution vulnerabilities.
The main code changes included in patch 10266 are summarized in the sections below.
1. Login autocomplete
Affected files:
app/design/adminhtml/default/default/template/backup/dialogs.phtml
app/design/adminhtml/default/default/template/login.phtml
app/design/adminhtml/default/default/template/oauth/authorize/form/login-simple.phtml
app/design/adminhtml/default/default/template/oauth/authorize/form/login.phtml
app/design/adminhtml/default/default/template/resetforgottenpassword.phtml
downloader/template/login.phtml
To make the autocomplete attribute effective in Firefox, a dummy field with type="password" is added to the form.
The browser is prevented from automatically filling the password fields by marking them as a new password: autocomplete="new-password" is used instead of autocomplete="off".
2. Injection escape
Affected files:
app/design/adminhtml/default/default/template/customer/tab/view.phtml
app/design/adminhtml/default/default/template/notification/toolbar.phtml
app/design/adminhtml/default/default/template/sales/order/view/history.phtml
app/design/adminhtml/default/default/template/sales/order/view/info.phtml
app/design/install/default/default/template/install/create_admin.phtml
app/code/core/Mage/Adminhtml/Block/Notification/Grid/Renderer/Notice.php
Some dynamic content is now output through the escapeHtml method instead of being echoed directly.
3. Forced form keys
Affected files:
app/code/core/Mage/Adminhtml/Block/Widget/Form/Container.php
app/code/core/Mage/Adminhtml/Controller/Action.php
app/code/core/Mage/Adminhtml/controllers/CustomerController.php
Every delete action now requires a form key.
4. Admin indirect login
Mage_Rss_Helper_Data::authAdmin now adds an additional "indirect_login" flag to the admin session data. Mage_Admin_Model_Session checks for that flag during its constructor call and handles it with the Mage_Admin_Model_Session::logoutIndirect method.
5. Layout update validator
Template paths in layout updates are validated against directory traversal.
6. Newsletter template cross-site scripting
dropAction now receives its data via POST.
Make sure that your email template CSS file is located in the skin directory.
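The request checks behind sections 3 (form keys on delete actions) and 6 (POST-only action) can be applied to any custom admin controller. The following is an added example, not code from the SUPEE-10266 patch: Vendor_Example_*, the example/thing model alias and the ACL resource are hypothetical, while the Mage_* classes and the _validateFormKey(), isPost() and getFormKey() calls are standard Magento 1 APIs.

```php
<?php
// Added example (not part of the SUPEE-10266 patch). Vendor_Example_* names,
// the 'example/thing' model alias and the ACL resource are hypothetical.
//
// Before the fix, a delete action typically looked like this and could be
// triggered by a forged link or image tag from another site (CSRF):
//
//     public function deleteAction() {
//         Mage::getModel('example/thing')->load($this->getRequest()->getParam('id'))->delete();
//         $this->_redirect('*/*/');
//     }
//
// The hardened version below refuses anything that is not a POST carrying a
// form key that matches the one stored in the admin session. The submitting
// form must therefore include:
//     <input type="hidden" name="form_key"
//            value="<?php echo Mage::getSingleton('core/session')->getFormKey() ?>" />
class Vendor_Example_Adminhtml_ThingController extends Mage_Adminhtml_Controller_Action
{
    public function deleteAction()
    {
        // Reject GET requests: a plain link or <img src> can never delete anything.
        if (!$this->getRequest()->isPost()) {
            $this->_getSession()->addError($this->__('Invalid request method.'));
            return $this->_redirect('*/*/');
        }
        // _validateFormKey() compares the submitted form_key parameter with the
        // session form key; a cross-site request cannot know that value.
        if (!$this->_validateFormKey()) {
            $this->_getSession()->addError($this->__('Invalid form key.'));
            return $this->_redirect('*/*/');
        }
        $id    = (int) $this->getRequest()->getParam('id');
        $model = Mage::getModel('example/thing')->load($id); // hypothetical alias
        if (!$model->getId()) {
            $this->_getSession()->addError($this->__('This item no longer exists.'));
            return $this->_redirect('*/*/');
        }
        $model->delete();
        $this->_getSession()->addSuccess($this->__('The item has been deleted.'));
        $this->_redirect('*/*/');
    }

    // ACL check: the controller is only reachable for admins holding this resource.
    protected function _isAllowed()
    {
        return Mage::getSingleton('admin/session')->isAllowed('example/thing'); // hypothetical
    }
}
```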
7. Image processing
The image processing that was added in the SUPEE-9767 patch is now optional.
You can disable it by setting the config value general/reprocess_images/active to 0. This setting is not exposed in the admin panel, so set the value directly in the database.
8. Reordering exploit
addgroupAction now checks the current customer ID and filters the order items by that customer ID.
9. PHP serializer
The unserialize function in the Zend library is edited: $ret is declared and $opts is declared as an array; if it is not an array, $ret is returned as an empty string.
10. Custom option type file
The Allowed File Extensions field is now required.