Do you know what Magento SUPEE is? If not, you may be leaving your site exposed to known vulnerabilities.
The Magento team releases SUPEE patches, small pieces of code that fix a security issue, whenever a vulnerability in the platform is found. Good practice is to install the latest Magento SUPEE as soon as you learn about it, keeping your stores away from known security risks.
Want to check whether your Magento installation is safe? Check here.
Today we walk through the highlights of SUPEE 10497. Merchants running Magento 1.9.1.1, please pay particular attention.
1. Log file extensions: log, txt, html or csv
app/Mage.php
app/code/core/Mage/Adminhtml/Model/System/Config/Backend/Filename.php
app/code/core/Mage/Log/Helper/Data.php
Note: when configuring the file names for the system log and the exception log, use the extensions .log, .txt, .html or .csv only.
2. Admin indirect login
app/code/core/Mage/Admin/Model/Session.php
app/code/core/Mage/Rss/Helper/Data.php
Mage_Rss_Helper_Data::authAdmin now adds an additional “indirect_login” flag to the admin session data. This lets Mage_Admin_Model_Session check that flag when its constructor calls Mage_Admin_Model_Session::logoutIndirect.
3. Change how “text” content is returned
Note: the functions used are escapeHtml and quoteEscape. Both translate special characters into HTML entities so that cross-site scripting (XSS) is avoided.
app/design/adminhtml/default/default/template/customer/tab/view.phtml
app/design/adminhtml/default/default/template/notification/toolbar.phtml
app/design/adminhtml/default/default/template/sales/order/view/history.phtml
app/design/adminhtml/default/default/template/sales/order/view/info.phtml
app/design/install/default/default/template/install/create_admin.phtml
app/code/core/Mage/Adminhtml/Block/Notification/Grid/Renderer/Notice.php
app/code/core/Mage/Adminhtml/Block/Report/Review/Detail.php
app/code/core/Mage/Adminhtml/Block/Report/Tag/Product/Detail.php
app/code/core/Mage/Adminhtml/Block/Review/Add.php
app/code/core/Mage/Sales/Block/Adminhtml/Billing/Agreement/Grid.php
app/design/adminhtml/default/default/template/sales/billing/agreement/view/tab/info.phtml
app/design/adminhtml/default/default/template/xmlconnect/edit/tab/design/image_edit.phtml
app/code/core/Mage/Adminhtml/Block/Review/Edit/Form.php
app/design/adminhtml/default/default/template/xmlconnect/edit/tab/content.phtml
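As an added illustration (not code from the patch or from Magento), the PHP below uses simplified stand-ins for the two Mage_Core_Helper_Abstract methods named above to show why the templates were changed; the function bodies and the sample values are this example's own assumptions.

```php
<?php
// Added example, not code from the patch: simplified stand-ins for the two
// Mage_Core_Helper_Abstract methods item 3 relies on, used to show why the
// touched templates were changed.

// escapeHtml(): for text placed between tags. Encodes & < > and double quotes
// (ENT_COMPAT, as the Magento 1 helper does) so customer data cannot open a tag.
function escapeHtml($data)
{
    return htmlspecialchars((string) $data, ENT_COMPAT, 'UTF-8', false);
}

// quoteEscape(): for values inside a quoted HTML attribute. ENT_QUOTES also
// encodes single quotes, so the value cannot break out of either quote style.
function quoteEscape($data)
{
    return htmlspecialchars((string) $data, ENT_QUOTES, 'UTF-8', false);
}

// Constructed sample values, as they could arrive from a storefront form.
$name    = '<b onmouseover="alert(1)">Jane</b>';
$comment = "plain' onfocus='alert(1)";

// Rendering before the patch: raw values concatenated into markup.
$before = '<td>' . $name . '</td>'
        . "<input type='text' value='" . $comment . "'>";

// Rendering after the patch: each value escaped for its context.
$after = '<td>' . escapeHtml($name) . '</td>'
       . "<input type='text' value='" . quoteEscape($comment) . "'>";

echo $before, PHP_EOL, $after, PHP_EOL;

// No live tag survives, and the single quote in the comment is now &#039;, so
// the attribute value ends where the template author closed it.
assert(strpos($after, '<b') === false);
assert(strpos($after, "' onfocus=") === false);
```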
4. Forced form keys
In app/code/core/Mage/Adminhtml/controllers/CustomerController.php, the form key is made mandatory for the delete action.
app/code/core/Mage/Adminhtml/Block/Widget/Form/Container.php
In app/code/core/Mage/Adminhtml/Controller/Action.php, the form key is checked and the action names that must always carry a form key are registered.
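The following is an added example (not Magento's code) that models the forced form key check described in item 4 in a standalone class; FormKeyGuard and its method names are chosen for this example, and random_bytes() assumes PHP 7 or later.

```php
<?php
// Added example, not Magento's code: a minimal model of the forced form key
// (CSRF token) check item 4 describes. FormKeyGuard and its methods are names chosen here.
class FormKeyGuard
{
    private $forcedFormKeyActions = array();
    private $session;

    public function __construct(array &$session)
    {
        $this->session = &$session;
        if (empty($this->session['form_key'])) {
            // 16 random bytes, hex encoded, kept server side (random_bytes needs PHP 7+)
            $this->session['form_key'] = bin2hex(random_bytes(16));
        }
    }

    // Register actions that need a valid form key whatever the HTTP method,
    // as the patch does for the customer delete action.
    public function setForcedFormKeyActions(array $actions)
    {
        $this->forcedFormKeyActions = array_map('strtolower', $actions);
    }

    // True when the request may be dispatched.
    public function validate($method, $action, array $params)
    {
        $forced = in_array(strtolower($action), $this->forcedFormKeyActions, true);
        if ($method !== 'POST' && !$forced) {
            return true;            // read-only by convention, nothing to check
        }
        $supplied = isset($params['form_key']) ? (string) $params['form_key'] : '';
        return hash_equals($this->session['form_key'], $supplied); // constant time
    }
}

// Constructed session and requests
$session = array();
$guard   = new FormKeyGuard($session);
$guard->setForcedFormKeyActions(array('delete'));

// A link-driven GET to delete without the key is refused...
assert($guard->validate('GET', 'delete', array('id' => 7)) === false);
// ...the same request carrying the session's key is accepted...
assert($guard->validate('GET', 'delete', array('id' => 7, 'form_key' => $session['form_key'])) === true);
// ...a GET to an action that is not forced stays unaffected, and every POST is checked.
assert($guard->validate('GET', 'grid', array()) === true);
assert($guard->validate('POST', 'save', array('form_key' => 'wrong')) === false);
```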
5. Layout update validator
app/code/core/Mage/Adminhtml/Model/LayoutUpdate/Validator.php
Validates template paths to prevent directory traversal.
6. Newsletter templates cross-site scripting
In app/code/core/Mage/Adminhtml/controllers/Newsletter/QueueController.php, check whether the “text” variable exists. If it was not submitted via POST, redirect to the newsletter_queues action.
In app/code/core/Mage/Adminhtml/controllers/Newsletter/TemplateController.php, check whether the “text” variable exists. If it was not submitted via POST, redirect to the newsletter_queues action.
In app/code/core/Mage/Core/Model/Email/Template/Abstract.php, make sure that the referenced CSS file is located in the skin directory.
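Added example covering both the template path validation of item 5 and the skin directory check of item 6 (not the patch's code): two standalone functions whose names, the constructed template paths and the temporary skin tree are all this example's own assumptions.

```php
<?php
// Added example, not the patch's code: standalone versions of the two path checks
// items 5 and 6 call for. Function names are this example's own.

// Item 5: a layout-update template path may not contain ".." as a path segment,
// so it cannot climb out of the template directory.
function validateTemplatePath($path)
{
    if (preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $path)) {
        throw new Exception('Directory traversal in template path: ' . $path);
    }
    return $path;
}

// Item 6: a CSS file is used only if it resolves to a location under the skin
// directory. realpath() collapses ".." and symlinks before the prefix check.
function isInsideSkinDir($file, $skinDir)
{
    $realSkin = realpath($skinDir);
    $realFile = realpath($file);
    if ($realSkin === false || $realFile === false) {
        return false;               // missing file or directory: do not use it
    }
    $realSkin = rtrim($realSkin, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($realFile, $realSkin, strlen($realSkin)) === 0;
}

// Constructed layout template paths
validateTemplatePath('catalog/product/list.phtml');
try {
    validateTemplatePath('../../other/template.phtml');
} catch (Exception $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// Constructed skin tree under the temp directory so the check runs anywhere
$skin = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'skin_example_' . getmypid();
mkdir($skin . '/frontend/base/default/css', 0700, true);
file_put_contents($skin . '/frontend/base/default/css/email.css', 'p { margin: 0 }');
$outside = tempnam(sys_get_temp_dir(), 'notskin');   // a file beside, not under, the skin dir

assert(isInsideSkinDir($skin . '/frontend/base/default/css/email.css', $skin) === true);
assert(isInsideSkinDir($skin . '/frontend/../../' . basename($outside), $skin) === false);
assert(isInsideSkinDir($skin . '/frontend/base/default/css/missing.css', $skin) === false);
```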
7. SOAP API bug fix
app/code/core/Mage/Api/Helper/Data.php
app/code/core/Mage/Api/Model/Server/Adapter/Soap.php
app/code/core/Mage/Api/Model/Wsdl/Config.php
app/code/core/Mage/Api/Model/Wsdl/Config/Base.php
Fix the WSDL cache by including an md5 hash of the SOAP URL, which is obtained via the getServiceUrl function.
8. Reordering exploit
app/code/core/Mage/Checkout/controllers/CartController.php
app/code/core/Mage/Sales/Model/Resource/Order/Item/Collection.php
addgroupAction now checks the current customer ID and filters the order items by that customer ID.
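An added example (not Magento's code) of the ownership filter item 8 describes, modelled on plain arrays instead of the order item collection; the item rows, the function name and the customer IDs are constructed for this example.

```php
<?php
// Added example, not Magento's code: the ownership filter item 8 describes, modelled
// on plain arrays instead of Mage_Sales_Model_Resource_Order_Item_Collection.

// Constructed order items: each row records the order it belongs to and that order's customer.
$orderItems = array(
    array('item_id' => 11, 'order_id' => 100, 'customer_id' => 5, 'product_id' => 900, 'qty' => 1),
    array('item_id' => 12, 'order_id' => 100, 'customer_id' => 5, 'product_id' => 901, 'qty' => 2),
    array('item_id' => 21, 'order_id' => 200, 'customer_id' => 6, 'product_id' => 902, 'qty' => 1),
);

// Resolve the requested item ids, keeping only rows that belong to an order of the
// logged-in customer. Ids from other customers' orders are dropped, which is what
// adding a customer_id filter to the collection achieves.
function itemsForReorder(array $allItems, array $requestedIds, $customerId)
{
    $requestedIds = array_map('intval', $requestedIds);
    $result = array();
    foreach ($allItems as $item) {
        if (in_array((int) $item['item_id'], $requestedIds, true)
            && (int) $item['customer_id'] === (int) $customerId) {
            $result[] = $item;
        }
    }
    return $result;
}

// Customer 5 reorders from their own order 100 but the request also lists item 21 from order 200.
$requested = array('11', '12', '21');
$mine = itemsForReorder($orderItems, $requested, 5);

// Only items 11 and 12 survive; item 21 belongs to customer 6 and never reaches the cart.
assert(count($mine) === 2);
assert(!in_array(21, array_column($mine, 'item_id'), true));
foreach ($mine as $item) {
    printf("add product %d x %d to cart%s", $item['product_id'], $item['qty'], PHP_EOL);
}
```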
9. Unserialize
app/code/core/Mage/Core/Helper/String.php
app/code/core/Mage/Eav/Model/Entity/Attribute/Backend/Serialized.php
app/code/core/Mage/Rule/Model/Abstract.php
Note: adds unserialize handling for the attribute's string values.
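The note above is terse, so here is an added example (not Magento's code) of the defensive goal behind routing attribute values through a dedicated unserialize helper: decode plain data only and refuse any serialized object. Function names and sample inputs are this example's own, and the allowed_classes option assumes PHP 7 or later.

```php
<?php
// Added example, not Magento's code: a string helper that only unserializes plain
// data (arrays and scalars) and refuses any serialized object, the defensive goal
// behind routing attribute values through a dedicated unserialize helper.

function unserializeArray($value)
{
    if (!is_string($value) || $value === '') {
        return $value;
    }
    // PHP 7+: no class may be instantiated while decoding. Any "O:" token becomes
    // a __PHP_Incomplete_Class stub, so no __wakeup() or __destruct() can run.
    $result = @unserialize($value, array('allowed_classes' => false));
    if ($result === false && $value !== 'b:0;') {
        throw new InvalidArgumentException('Malformed serialized data');
    }
    if (containsObject($result)) {
        throw new InvalidArgumentException('Serialized objects are not allowed');
    }
    return $result;
}

// Recursively look for objects, including the __PHP_Incomplete_Class stubs.
function containsObject($data)
{
    if (is_object($data)) {
        return true;
    }
    if (is_array($data)) {
        foreach ($data as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed inputs: a legitimate attribute value and a payload carrying an object.
$plain  = serialize(array('color' => 'red', 'sizes' => array('S', 'M')));
$object = 'a:1:{i:0;O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}}';

$decoded = unserializeArray($plain);
assert($decoded['sizes'][1] === 'M');
try {
    unserializeArray($object);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```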
10. Remove and change comment text
app/code/core/Mage/Core/etc/config.xml
app/code/core/Mage/Core/etc/system.xml
11. Customer password length limit
app/code/core/Mage/Customer/Model/Customer.php
The maximum password length is 256 characters.
12. Fix a typo in the patch header information
Note: We've fixed a typo in the patch header information.
app/design/adminhtml/default/default/template/backup/dialogs.phtml
13. Custom option of type file
app/design/adminhtml/default/default/template/catalog/product/edit/options/type/file.phtml
Note: the Allowed File Extensions field is now required.
14. Login autocomplete
app/design/adminhtml/default/default/template/backup/dialogs.phtml
app/design/adminhtml/default/default/template/login.phtml
app/design/adminhtml/default/default/template/oauth/authorize/form/login.phtml
app/design/adminhtml/default/default/template/resetforgottenpassword.phtml
downloader/template/login.phtml
On Firefox, the autocomplete attribute works better when a dummy field with type="password" is added.
The browser can be prevented from autocompleting the password field by marking it as a new password: autocomplete="off" is replaced by autocomplete="new-password".
15. Fix dummy field on Firefox in password form
js/mage/adminhtml/backup.js
On Firefox, when a dummy field is present in a form, the “required-entry” class can be removed from it, and vice versa.
16. Fix error: invalid $customerText
app/code/core/Mage/Adminhtml/Block/Review/Edit/Form.php
Declare $customerText = '' first so that the variable always exists. In the old version it was only assigned inside the “if” and “elseif” branches, so there were cases in which the variable was undefined.
17. Fix errors relating to Zend Framework
app/code/core/Zend/Form/Decorator/Form.php
Rewrite the form render function: the element name is filtered so that every character that is not a letter, a digit, or one of “-_;” is removed.
lib/Varien/Filter/FormElementName.php
18. PHP serializer
app/code/core/Zend/Serializer/Adapter/PhpCode.php
Edit the unserialize function in the Zend library: check that $ret and $opts are arrays; if they are not, return $ret as an empty string.
19. Renew the secure cookie expiration time if the secure ID did not change
app/code/core/Mage/Core/Model/Session/Abstract/Varien.php
20. Process image
app/code/core/Mage/Core/Model/File/Validator/Image.php
Note: if this configuration is not set, the image processing is skipped.
21. Password field in login form and registration form
app/design/adminhtml/default/default/template/oauth/authorize/form/login-simple.phtml
app/design/install/default/default/template/install/create_admin.phtml
On Firefox, the autocomplete attribute works better when a dummy field with type="password" is added.
The browser can be prevented from autocompleting the password field by marking it as a new password: autocomplete="off" is replaced by autocomplete="new-password".
22. Add new translations
app/locale/en_US/Mage_Adminhtml.csv
app/locale/en_US/Mage_Customer.csv
Add new translations for the words used in the patch.
Those are the main points of Magento SUPEE 10497. Stay tuned to our Magento knowledge base series for more useful information.