What Magento Patches to Install to Get Your Webstore Protected?

Let's start off with the definition of a “patch”. A patch is a piece of software designed to fix or improve a computer program, website or its supporting data. Patches are needed to fix security vulnerabilities and other bugs and to improve usability or performance. It is important to use only well-designed patches; poorly made ones may introduce new problems.

In open-source projects such as Magento Community, published patches fix particular problems and add certain functionality (e.g. support for local languages outside the project locale). There are also security patches, which are applied to prevent the exploitation of a specific vulnerability.

Let's look at the security bundles that protect against various security-related problems.

So, what issues do the patches below prevent?

SUPEE-6285 prevents the following vulnerabilities:

    • Customer information leak via RSS and privilege escalation. Because of an improper check for an authorized URL, the leaked information (customer email, shipping and billing address) simplifies an attack on the guest Order Review.
    • Cross-site request forgery in Magento Connect that leads to code execution
    • Cross-site scripting in wish list
    • Cross-site scripting in cart
    • Cross-site scripting in admin
    • Store path disclosure
    • Cross-site scripting in orders RSS


The next patch, SUPEE-6788, also protects against several security-related vulnerabilities, such as:

    • Error reporting in setup that exposes configuration
    • Filter directives that allow access to protected data
    • XXE/XEE attack on Zend XML functionality using multibyte payloads
    • Potential remote code execution using Cron
    • Information leak using file custom option
    • Cross-site Scripting with error messages
    • Admin path disclosure
    • Insufficient protection of password reset process
    • Unprotected dev folder

The next, SUPEE-5994, is a bundle of several patches that resolve such problems as:

    • Admin path disclosure
    • Customer address leak through checkout and recurring profile
    • Local path file disclosure by media cache
    • Cross-site scripting using Magento Downloader and Authorize.Net direct post module
    • Spreadsheet formula injection

The SUPEE-6482 patch bundle also protects your Magento installation against several potential threats. It includes patches applied to both Magento Community and Magento Enterprise installations. This bundle is a good preventative measure, since no attacks exploiting these issues are known at this time. It fixes an autoloaded file inclusion in the Magento SOAP API and an SSRF vulnerability in the WSDL file.

Patch SUPEE-5344 addresses a specific RCE vulnerability known as the “shoplift” bug, because attackers can obtain Admin access to a store. The authentication bypass uses a special parameter that allows the execution of an Admin action. That Admin action is vulnerable to SQL injection, which allows code to be inserted into the database and executed. As a result, the store can be fully compromised by creating counterfeit administrator accounts and/or installing malware on the server.

