Magento Releases New Security Patch Bundle

Posted on the 28th October 2015

The developers of Magento have released a new security patch bundle, SUPEE-6788, which is available for both the Magento Enterprise version 1.14.2.2 and the Community Edition 1.9.2.2.

This patch bundle addresses a number of security problems; however, it also makes extensive changes to the code base, which could cause backward-compatibility issues and break some extensions and customisations. The main potential problems are:

Custom Admin URLs

The patch fixes a flaw that allowed custom admin URLs to be bypassed. If a module has admin functionality, but that functionality is not served from the admin URL, it will no longer work. Any modules that offer admin functionality, and any links to admin modules, must be updated to have /admin/ in their URLs.
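As an added illustration (my own example, not code from the article or from Magento), the following config.xml fragment shows the two ways a Magento 1 module can declare its admin routing. The module name Vendor_Module, the frontName vendor_module and the file path are hypothetical; the example assumes the module's admin controllers live under controllers/Adminhtml/. The first (commented-out) form serves admin pages outside the /admin/ path, which is exactly the situation the patch stops supporting; the second registers the controllers with the core adminhtml router so every page is served under /admin/.

```xml
<?xml version="1.0"?>
<!-- app/code/local/Vendor/Module/etc/config.xml (hypothetical module) -->
<config>
    <admin>
        <routers>
            <!-- BEFORE: a standalone admin router with its own frontName.
                 Its pages are served at /vendor_module/<controller>/<action>,
                 i.e. outside the /admin/ path, which SUPEE-6788 no longer allows. -->
            <!--
            <vendor_module>
                <use>admin</use>
                <args>
                    <module>Vendor_Module</module>
                    <frontName>vendor_module</frontName>
                </args>
            </vendor_module>
            -->

            <!-- AFTER: attach the module's admin controllers to the core
                 adminhtml router, so pages are served at
                 /admin/<controller>/<action>, where <controller> is the
                 path below controllers/Adminhtml/ in this module. -->
            <adminhtml>
                <args>
                    <modules>
                        <Vendor_Module before="Mage_Adminhtml">Vendor_Module_Adminhtml</Vendor_Module>
                    </modules>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
```

Links and menu entries have to follow the same move: any URL built from the old frontName (for example a getUrl('vendor_module/report') call or a matching adminhtml.xml menu action) needs to target the adminhtml route instead (adminhtml/report), otherwise the link resolves to a path without /admin/ and is refused after the patch.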

SQL Injections

Several improvements have been made to the way SQL statements are processed. As a result, modules may need changes to the way they generate filters and queries.

Template Processing

There is now a whitelist of blocks and directives which templates and extensions are allowed to access. This whitelist is designed to prevent extensions from reaching private information to which they should not have access. Blog extensions and other content-management-focused extensions may need to be updated to work with it. Alternatively, as a website owner, you can now add blocks and directives to the whitelist manually, if you are confident that those blocks are needed for the extension to function.

Saving as a PHP Object

Some customisations would save custom product options as a PHP object. Because of security flaws with this method, saving information in this way is no longer an option, and such extensions will no longer work.

Before you install SUPEE-6788, check your existing extensions and modifications to make sure that they will still work, and if any of them will break, look for replacements. While it may be tempting to simply avoid the issue of broken extensions, there are several critical security updates in this bundle, and it is important that store owners install it. Legacy extensions which rely upon techniques that are not considered best practice are a ticking time bomb for your store, and if you leave it unpatched it is only a matter of time before your store is targeted by opportunists.

The SUPEE-6788 patch is available free of charge to all users of Magento, and full installation instructions are published on the Magento website.