SUPEE 10497 for Magento 1.9.1.1 – Check Right Away

Do you know what a Magento SUPEE is? If not, you are leaving your site exposed to known vulnerabilities.

The Magento team releases a SUPEE, a small security patch, whenever a security issue in the platform is detected. Good practice is to install the latest SUPEE as soon as you learn about it, keeping your stores away from known security risks.

Want to check whether your Magento installation is safe? Check here.

Today we walk through the highlights of SUPEE 10497. Merchants running Magento 1.9.1.1, please pay attention.

1. Log file extensions: log, txt, html or csv

app/Mage.php

app/code/core/Mage/Adminhtml/Model/System/Config/Backend/Filename.php

app/code/core/Mage/Log/Helper/Data.php

Note: when configuring the file names for the system log and the exception log, use only the .log, .txt, .html or .csv extension.

2. Admin indirect login

app/code/core/Mage/Admin/Model/Session.php

app/code/core/Mage/Rss/Helper/Data.php

Mage_Rss_Helper_Data::authAdmin now adds an additional "indirect_login" flag to the admin session data. This lets Mage_Admin_Model_Session check that flag in its constructor through the call to Mage_Admin_Model_Session::logoutIndirect, so a login that happened only for an RSS request is logged out again.
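The following is an added example that is not from the post or from Magento: a stripped-down model of the "indirect_login" flag. The class name AdminSession, the array standing in for the session store and the demo credentials are all constructed for this illustration; Magento's real logic lives in the two files listed above.

```php
<?php
// Added example (not Magento's code): how an "indirect_login" flag keeps a session that
// was authenticated for a single RSS request from turning into a full admin login.
// The session store is a plain array instead of $_SESSION so the script runs from the CLI.

final class AdminSession
{
    /** @var array<string,mixed> stand-in for the admin session namespace */
    private array $data;

    // Mirrors the idea of Mage_Admin_Model_Session::__construct() calling logoutIndirect():
    // on every ordinary admin request, an indirect login is discarded before use.
    public function __construct(array &$sessionData, bool $isRssRequest)
    {
        $this->data = &$sessionData;
        if (!$isRssRequest) {
            $this->logoutIndirect();
        }
    }

    // Hypothetical counterpart of Mage_Rss_Helper_Data::authAdmin(): after the HTTP Basic
    // credentials check out, the login is stored together with the indirect flag.
    public function loginIndirect(string $user, string $password): bool
    {
        if (!self::credentialsValid($user, $password)) {
            return false;
        }
        $this->data['user'] = $user;
        $this->data['indirect_login'] = true;
        return true;
    }

    public function logoutIndirect(): void
    {
        if (!empty($this->data['indirect_login'])) {
            unset($this->data['user'], $this->data['indirect_login']);
        }
    }

    public function getUser(): ?string
    {
        return $this->data['user'] ?? null;
    }

    private static function credentialsValid(string $user, string $password): bool
    {
        // Constructed credentials for the demo; real code verifies a stored password hash.
        return hash_equals('admin', $user) && hash_equals('correct horse', $password);
    }
}

// Request 1: the RSS feed authenticates with HTTP Basic auth and reads the feed.
$store = [];
$rss = new AdminSession($store, true);
$rss->loginIndirect('admin', 'correct horse');
echo 'RSS request sees user: ', var_export($rss->getUser(), true), PHP_EOL;

// Request 2: the same session is presented to the admin panel. Because the login was
// flagged as indirect, the constructor drops it instead of granting admin access.
$admin = new AdminSession($store, false);
echo 'Admin request sees user: ', var_export($admin->getUser(), true), PHP_EOL;
```

The first request prints the user name, the second prints NULL: the RSS credentials never become a reusable admin session.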

3. Change how "text" content is returned

Note: the functions used here are escapeHtml and quoteEscape. They escape special characters for HTML output so that cross-site scripting (XSS) is prevented.

app/design/adminhtml/default/default/template/customer/tab/view.phtml

app/design/adminhtml/default/default/template/notification/toolbar.phtml

app/design/adminhtml/default/default/template/sales/order/view/history.phtml

app/design/adminhtml/default/default/template/sales/order/view/info.phtml

app/design/install/default/default/template/install/create_admin.phtml

app/code/core/Mage/Adminhtml/Block/Notification/Grid/Renderer/Notice.php

app/code/core/Mage/Adminhtml/Block/Report/Review/Detail.php

app/code/core/Mage/Adminhtml/Block/Report/Tag/Product/Detail.php

app/code/core/Mage/Adminhtml/Block/Review/Add.php

app/code/core/Mage/Sales/Block/Adminhtml/Billing/Agreement/Grid.php

app/design/adminhtml/default/default/template/sales/billing/agreement/view/tab/info.phtml

app/design/adminhtml/default/default/template/xmlconnect/edit/tab/design/image_edit.phtml

app/code/core/Mage/Adminhtml/Block/Review/Edit/Form.php

app/design/adminhtml/default/default/template/xmlconnect/edit/tab/content.phtml
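To make the "before" and "after" of section 3 concrete, here is an added example that is not from the post or from Magento. The two helpers are simplified stand-ins modelled on the idea of escapeHtml and quoteEscape; they are assumptions written for this post and do not reproduce Magento's exact implementation.

```php
<?php
// Added example (not Magento's code): output escaping in the spirit of
// Mage_Core_Helper_Abstract::escapeHtml() and quoteEscape().

// For text placed in HTML element content or inside a quoted attribute value.
function escapeHtml(string $data): string
{
    return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// For text placed inside a single-quoted JavaScript string literal: the quote character
// and the backslash are escaped (backslash first, so the added backslashes are not re-escaped).
function quoteEscape(string $data, string $quote = "'"): string
{
    return str_replace(['\\', $quote], ['\\\\', '\\' . $quote], $data);
}

// Constructed sample: a customer name as it could arrive from a registration form.
$customerName = "<script>alert(1)</script> O'Brien";

// "Before": the raw value lands in the admin template and the markup is interpreted.
$unsafe = '<td>' . $customerName . '</td>';

// "After": element content goes through escapeHtml ...
$safeHtml = '<td>' . escapeHtml($customerName) . '</td>';

// ... and a value embedded in an inline handler is escaped twice, inside out: first as a
// JavaScript string (quoteEscape), then as an attribute value (escapeHtml). The browser
// decodes the HTML entities before it parses the handler, so the order is important.
$jsCall   = "setName('" . quoteEscape($customerName) . "')";
$safeAttr = '<a href="#" onclick="' . escapeHtml($jsCall) . '">view</a>';

echo $unsafe, PHP_EOL, $safeHtml, PHP_EOL, $safeAttr, PHP_EOL;
```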

4. Forced form keys

In app/code/core/Mage/Adminhtml/controllers/CustomerController.php, set the form key for the delete action as follows:

app/code/core/Mage/Adminhtml/Block/Widget/Form/Container.php

In app/code/core/Mage/Adminhtml/Controller/Action.php, check the form key and set the action names for which the form key is forced.

5. Layout update validator

app/code/core/Mage/Adminhtml/Model/LayoutUpdate/Validator.php

Validate the template paths against directory traversal.
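Sections 1 and 5 both come down to validating a path that an administrator can configure. The following added example, which is not from the post or from Magento, shows both checks as stand-alone functions: an extension whitelist for log file names and a containment check for template paths. The function names, the allowed-extension list and the throwaway directory tree are constructed for this post; Magento's own validators are in the files listed above.

```php
<?php
// Added example (not the patch's code): the path checks discussed in sections 1 and 5.

// Section 1: a configured log file name must be a bare file name with an allowed extension.
function isValidLogFilename(string $name, array $allowedExtensions = ['log', 'txt', 'html', 'csv']): bool
{
    // No directory components at all: the file always lands in var/log.
    if ($name === '' || basename($name) !== $name) {
        return false;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return $ext !== '' && in_array($ext, $allowedExtensions, true);
}

// Section 5: a template path from a layout update must resolve to a file below the template root.
function isTemplatePathWithinRoot(string $template, string $templateRoot): bool
{
    // Reject anything that is not a plain relative path before touching the filesystem:
    // absolute paths, Windows drive letters and any ".." segment.
    if ($template === '' || $template[0] === '/' || $template[0] === '\\'
        || preg_match('#^[a-zA-Z]:#', $template)
        || preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $template)) {
        return false;
    }
    $root = realpath($templateRoot);
    $full = realpath($templateRoot . DIRECTORY_SEPARATOR . $template);
    if ($root === false || $full === false) {
        return false;
    }
    // realpath() has resolved symlinks and "." segments; the file must sit under the root.
    return strpos($full, $root . DIRECTORY_SEPARATOR) === 0;
}

// Demo of section 1 on constructed inputs.
foreach (['system.log', 'exception.txt', 'report.csv', 'shell.php', '../../index.log', 'noext'] as $n) {
    printf("%-20s %s\n", $n, isValidLogFilename($n) ? 'accepted' : 'rejected');
}

// Demo of section 5 against a throwaway directory tree in the system temp dir.
$base = sys_get_temp_dir() . '/supee-demo-' . getmypid();
mkdir($base . '/template/catalog', 0700, true);
touch($base . '/template/catalog/list.phtml');
touch($base . '/outside.phtml');
foreach (['catalog/list.phtml', '../outside.phtml', '/etc/passwd', 'catalog/../../outside.phtml'] as $t) {
    printf("%-30s %s\n", $t, isTemplatePathWithinRoot($t, $base . '/template') ? 'accepted' : 'rejected');
}

// Remove the throwaway tree again.
unlink($base . '/template/catalog/list.phtml');
unlink($base . '/outside.phtml');
rmdir($base . '/template/catalog');
rmdir($base . '/template');
rmdir($base);
```

Only system.log, exception.txt, report.csv and catalog/list.phtml are accepted; everything else is rejected before any file is opened.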

6. Newsletter templates cross site scripting

In app/code/core/Mage/Adminhtml/controllers/Newsletter/QueueController.php, check whether the "text" variable exists. If it does not, or if it was not submitted via POST, redirect to the newsletter_queues action.

In app/code/core/Mage/Adminhtml/controllers/Newsletter/TemplateController.php, check whether the "text" variable exists. If it does not, or if it was not submitted via POST, redirect to the newsletter_queues action.

In app/code/core/Mage/Core/Model/Email/Template/Abstract.php, make sure that the CSS file is located in the skin directory.
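Sections 4 and 6 share one pattern: a state-changing admin action must carry a valid form key, and some actions additionally require a POST with a given parameter. The following added example, which is not from the post or from Magento, puts both rules into one small guard. FormKey, ActionGuard, the list of forced actions and the redirect target names are constructed for this illustration.

```php
<?php
// Added example (not Magento's code): a session-bound form key (anti-CSRF token) plus the
// "must be POST and must carry the parameter" rule from sections 4 and 6.

final class FormKey
{
    /** @var array<string,mixed> reference to the session store (a plain array here) */
    private array $session;

    public function __construct(array &$session)
    {
        $this->session = &$session;
    }

    // One random token per session, created on first use and reused for every form.
    public function get(): string
    {
        if (empty($this->session['form_key'])) {
            $this->session['form_key'] = bin2hex(random_bytes(16));
        }
        return $this->session['form_key'];
    }

    // Constant-time comparison; a missing or empty key never validates.
    public function isValid(?string $submitted): bool
    {
        if ($submitted === null || $submitted === '') {
            return false;
        }
        return hash_equals($this->get(), $submitted);
    }
}

final class ActionGuard
{
    /** Actions for which the form key is mandatory (constructed list). */
    private const FORCED_FORM_KEY_ACTIONS = ['delete', 'massDelete', 'save'];

    private FormKey $formKey;

    public function __construct(FormKey $formKey)
    {
        $this->formKey = $formKey;
    }

    /**
     * Returns null when the request may proceed, otherwise the action to redirect to.
     * $requiredParam models the newsletter controllers' "text" parameter check.
     */
    public function check(string $action, string $method, array $post, ?string $requiredParam = null): ?string
    {
        if (in_array($action, self::FORCED_FORM_KEY_ACTIONS, true)
            && !$this->formKey->isValid($post['form_key'] ?? null)) {
            return 'index';
        }
        if ($requiredParam !== null
            && ($method !== 'POST' || !array_key_exists($requiredParam, $post))) {
            return 'newsletter_queues';
        }
        return null;
    }
}

// Constructed requests against one session.
$session  = [];
$guard    = new ActionGuard(new FormKey($session));
$validKey = (new FormKey($session))->get();

$cases = [
    ['delete',  'POST', ['form_key' => $validKey, 'id' => 7]],               // legitimate form
    ['delete',  'GET',  ['id' => 7]],                                        // link from another site
    ['delete',  'POST', ['form_key' => 'guess', 'id' => 7]],                 // forged form
    ['preview', 'POST', ['form_key' => $validKey, 'text' => '<p>hi</p>']],   // newsletter preview
    ['preview', 'GET',  ['text' => '<p>hi</p>']],                            // preview via GET
];
foreach ($cases as [$action, $method, $post]) {
    $redirect = $guard->check($action, $method, $post, $action === 'preview' ? 'text' : null);
    printf("%-8s %-4s -> %s\n", $action, $method, $redirect === null ? 'allowed' : "redirect to $redirect");
}
```

Only the first and fourth requests are allowed; the others are redirected without touching any data.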

7. Fix a SOAP API bug

app/code/core/Mage/Api/Helper/Data.php

app/code/core/Mage/Api/Model/Server/Adapter/Soap.php

app/code/core/Mage/Api/Model/Wsdl/Config.php

app/code/core/Mage/Api/Model/Wsdl/Config/Base.php

Fix the WSDL cache by adding an md5 hash of the SOAP URL to the cache key, and set the URL using the getServiceUrl function.

8. Reordering exploit

app/code/core/Mage/Checkout/controllers/CartController.php

app/code/core/Mage/Sales/Model/Resource/Order/Item/Collection.php

addgroupAction now checks the current customer ID and filters the order items by that customer ID.
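The ownership filter behind this fix, as an added example that is not from the post or from Magento: the requested order item IDs are joined back to their orders and restricted to the logged-in customer, so an ID from someone else's order is simply not returned. The table and column names are simplified stand-ins (constructed for this post) and the data lives in an in-memory SQLite database through PDO.

```php
<?php
// Added example (not Magento's code): filtering reorder items by the current customer.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE sales_order (entity_id INTEGER PRIMARY KEY, customer_id INTEGER NOT NULL)');
$pdo->exec('CREATE TABLE sales_order_item (item_id INTEGER PRIMARY KEY, order_id INTEGER NOT NULL,
            sku TEXT NOT NULL, qty_ordered REAL NOT NULL)');

// Constructed data: order 100 belongs to customer 1, order 200 to customer 2.
$pdo->exec('INSERT INTO sales_order VALUES (100, 1), (200, 2)');
$pdo->exec("INSERT INTO sales_order_item VALUES (1, 100, 'SKU-A', 1), (2, 100, 'SKU-B', 2), (3, 200, 'SKU-C', 1)");

/**
 * Load the items a customer asked to re-add to the cart. The customer_id filter is part of
 * the query itself, so the caller cannot forget it, and every value is bound as a parameter.
 */
function loadReorderItems(PDO $pdo, array $requestedItemIds, int $currentCustomerId): array
{
    // Request parameters arrive as strings; keep only positive integers.
    $ids = array_values(array_filter(array_map('intval', $requestedItemIds), fn($id) => $id > 0));
    if ($ids === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare(
        "SELECT i.item_id, i.sku, i.qty_ordered
           FROM sales_order_item i
           JOIN sales_order o ON o.entity_id = i.order_id
          WHERE i.item_id IN ($placeholders)
            AND o.customer_id = ?"
    );
    $stmt->execute([...$ids, $currentCustomerId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Customer 1 submits ids 1, 2 and 3: item 3 is on customer 2's order and is dropped.
print_r(loadReorderItems($pdo, ['1', '2', '3'], 1));
// Customer 2 submits the same ids and gets only item 3.
print_r(loadReorderItems($pdo, ['1', '2', '3'], 2));
```

The point is where the check sits: in the collection query rather than in a separate condition that an unexpected request parameter could bypass.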

9. Unserialize

app/code/core/Mage/Core/Helper/String.php

app/code/core/Mage/Eav/Model/Entity/Attribute/Backend/Serialized.php

app/code/core/Mage/Rule/Model/Abstract.php

Note: adds unserialize handling for serialized attribute strings.
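As an added example that is not from the post or from Magento, here is the kind of guard such unserialize handling provides: only scalar and array data are accepted, serialized objects are refused up front, and PHP's own allowed_classes option (PHP 7.0 and later) is a second line of defence. safeUnserialize and the sample inputs are constructed for this post; Magento's helper is the one in app/code/core/Mage/Core/Helper/String.php.

```php
<?php
// Added example (not Magento's code): unserializing attribute data without ever
// instantiating an object from it.

/**
 * Accepts the array/scalar data an EAV "serialized" backend stores and nothing else.
 * Even a payload that slips past the token scan cannot instantiate a real class, because
 * allowed_classes=false turns it into __PHP_Incomplete_Class.
 */
function safeUnserialize(string $data)
{
    // Object (O:) and custom-serializable object (C:) tokens have no place in attribute data.
    if (preg_match('/(^|[;{])[OC]:\d+:"/', $data)) {
        throw new InvalidArgumentException('Serialized objects are not accepted');
    }
    $result = @unserialize($data, ['allowed_classes' => false]);
    // unserialize() returns false on malformed input; 'b:0;' is the only legitimate false.
    if ($result === false && $data !== 'b:0;') {
        throw new InvalidArgumentException('Malformed serialized data');
    }
    return $result;
}

// Constructed inputs: the first is the shape a serialized attribute legitimately has.
$legit         = serialize(['color' => 'red', 'sizes' => [38, 40]]);
$objectPayload = 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}';
$broken        = 'a:1:{s:3:"key"';

foreach ([$legit, $objectPayload, $broken] as $input) {
    try {
        var_export(safeUnserialize($input));
        echo PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The first input round-trips as an array; the other two are rejected with a message instead of being handed to unserialize() unguarded.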

10. Remove and change comment text

app/code/core/Mage/Core/etc/config.xml

app/code/core/Mage/Core/etc/system.xml

11. Customer password length limit

app/code/core/Mage/Customer/Model/Customer.php

The maximum password length is 256 characters.

12. Fix a typo in the patch header information

Note: a typo in the patch header information has been fixed.

app/design/adminhtml/default/default/template/backup/dialogs.phtml

13. Custom option type file

app/design/adminhtml/default/default/template/catalog/product/edit/options/type/file.phtml

Note: the Allowed File Extensions field is required.

14. Login autocomplete

app/design/adminhtml/default/default/template/backup/dialogs.phtml

app/design/adminhtml/default/default/template/login.phtml

app/design/adminhtml/default/default/template/oauth/authorize/form/login.phtml

app/design/adminhtml/default/default/template/resetforgottenpassword.phtml

downloader/template/login.phtml

On Firefox, the autocomplete attribute works better when a dummy field with type="password" is added to the form.

To prevent the browser from autocompleting the password field, autocomplete="off" is replaced with autocomplete="new-password".

15. Fix the dummy field on Firefox in the password form

js/mage/adminhtml/backup.js

On Firefox, if a form contains the dummy field, the script can remove the "required-entry" class from it and add it back again.

16. Fix error: invalid $customerText

app/code/core/Mage/Adminhtml/Block/Review/Edit/Form.php

Declare the variable as $customerText = '' first so that it always exists. In the old version it was only assigned inside the "if" and "elseif" branches, so there were cases in which the variable did not exist.

17. Fix errors relating to Zend Framework

app/code/core/Zend/Form/Decorator/Form.php

Rewrite the form render function: filter the name string so that every character that is not a letter, a digit or one of "-_;" is removed from the name.

lib/Varien/Filter/FormElementName.php

18. PHP serializer

app/code/core/Zend/Serializer/Adapter/PhpCode.php

Edit the unserialize function in the Zend library: check whether $ret and $opts are arrays; if not, return $ret as an empty string.

app/code/core/Mage/Core/Model/Session/Abstract/Varien.php

20. Process image

app/code/core/Mage/Core/Model/File/Validator/Image.php

Note: if this configuration is not set up, image processing is skipped.

21. Password field in login form and registration form

app/design/adminhtml/default/default/template/oauth/authorize/form/login-simple.phtml

app/design/install/default/default/template/install/create_admin.phtml

On Firefox, the autocomplete attribute works better when a dummy field with type="password" is added to the form.

To prevent the browser from autocompleting the password field, autocomplete="off" is replaced with autocomplete="new-password".

22. Add new translations

app/locale/en_US/Mage_Adminhtml.csv

app/locale/en_US/Mage_Customer.csv

Add new translations for words used in the patch.

Above are the main points of Magento SUPEE 10497. Stay tuned for the next posts in our Magento knowledge base series for more useful information.
