Security Patch SUPEE-9767 Possible Issues | Consider Before Upgrading

Magento, the e-commerce platform (formerly eBay-owned), has released its latest security patch, SUPEE-9767.

Magento Security Patch SUPEE-9767 addresses 16 APPSEC issues. Its headline fix closes a configuration-protection hole: an attacker who had already obtained admin access could switch off a protection in the core configuration (the template symlink setting) and then upload and execute malicious code. It supersedes SUPEE-9652 and bundles a number of further fixes on top of it. Many e-commerce shop owners and merchants (ourselves included) are already applying it, which is no surprise given that Magento flags this update as critical.

Security Patch SUPEE-9767

Seven of the vulnerabilities score 8.0 or higher on CVSSv3, and they are being exploited in the wild. Applying the patch itself is rather effortless, so the real question is: what are the common issues or pitfalls to watch out for when applying SUPEE-9767?

APPSEC issues addressed by Security Patch SUPEE-9767:

  • Remote code execution via symlinks
  • Remote code execution in DataFlow
  • Remote code execution in the Admin panel
  • SQL injection in Visual Merchandiser (Enterprise Edition)
  • XSS in Admin panel configuration
  • ACL bypass in the Store configuration permission
  • CSRF after logout (form key not invalidated)
  • Local file disclosure for admin users with access to DataFlow
  • CSRF vulnerability in the Checkout feature
  • Potential for username enumeration
  • CSRF in cache management
  • Customer passwords exposed in logs
  • Vulnerabilities in JavaScript libraries
  • Incorrect request routing
  • Cross-site request forgery in Enterprise Edition (EE) Invites

Security Patch SUPEE-9767 prevents configuration protection attacks

Here’s our overview of the patch after digging into it.

TIME SAVER: Experius provides a patch helper that finds the files in custom themes, custom modules or local overrides (app/code/local) that may also need to be patched manually. You can find it here:

https://github.com/experius/Magento-1-Experius-Patch-Helper#magento

Checkout form keys

Security patch SUPEE-9767 adds form keys to the following forms (paths are relative to the Magento root; <package> and <theme> stand for your design package and theme):

Shopping cart shipping estimate form:

app/design/frontend/<package>/<theme>/template/checkout/cart/shipping.phtml

Multi-shipping billing checkout form:

app/design/frontend/<package>/<theme>/template/checkout/multishipping/billing.phtml

Multi-shipping shipping checkout form:

app/design/frontend/<package>/<theme>/template/checkout/multishipping/shipping.phtml

Billing checkout form:

app/design/frontend/<package>/<theme>/template/checkout/onepage/billing.phtml

Shipping checkout form:

app/design/frontend/<package>/<theme>/template/checkout/onepage/shipping.phtml

Payment checkout form:

app/design/frontend/<package>/<theme>/template/checkout/onepage/payment.phtml

Shipping method checkout form:

app/design/frontend/<package>/<theme>/template/checkout/onepage/shipping_method.phtml

Persistent billing checkout form:

app/design/frontend/<package>/<theme>/template/persistent/checkout/onepage/billing.phtml

On top of that the following JS files have been updated to be compatible with that change:

  • js/varien/payment.js
  • skin/frontend/base/default/js/opcheckout.js

What to do:

If you use custom versions of those templates (in your own theme), update them by adding the following code inside each affected <form> element, so that the hidden form key field is submitted with the form:

<?php echo $this->getBlockHtml('formkey') ?>

If you use a third-party checkout module, get in touch with its vendor so they can provide an updated version of the module.

Likewise, if you have custom versions of the JS files listed above, you'll have to update (re-merge) them too.

SAVE YOUR TIME:

Fabian Schmengler wrote a nice little script that updates all of those for you. You can find it here:

https://gist.github.com/schmengler/c42acc607901a887ef86b4daa7a0445b

!IMPORTANT NOTE:
The checkout form key validation is controlled by a new config field under System > Configuration > Admin > Security > Enable Form Key Validation On Checkout (config path admin/security/validate_formkey_checkout). THIS IS NOT ENABLED BY DEFAULT, so you have to enable it to benefit from this security feature; the backend shows a notice while it is off. Enable it only once every checkout template and JS file (including custom and third-party ones) carries the form key, otherwise checkout requests without a form key are rejected and customers cannot complete their orders.
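To find out whether the steps above apply to your store, here is an added audit script (written for this post; it is not part of the original article, of Magento, or of the Experius and Schmengler helpers). It takes the Magento root as its argument and assumes the standard Magento 1 layout (app/design/frontend/<package>/<theme>/template and skin/frontend/<package>/<theme>/js): it lists theme overrides of the eight patched templates that do not output the form key block, and custom skin copies of opcheckout.js that still need re-merging.

```shell
#!/bin/sh
# Added example for this post (not from the original article, Magento or the
# Experius/Schmengler helpers): audit a Magento 1 install for custom copies of
# the templates and JS that SUPEE-9767 changed. The Magento root directory is
# passed as the only argument; paths below follow the standard Magento 1 layout.

# The eight templates SUPEE-9767 adds a form key to, relative to a theme's
# template directory (same list as in the post).
FORMKEY_TEMPLATES="
checkout/cart/shipping.phtml
checkout/multishipping/billing.phtml
checkout/multishipping/shipping.phtml
checkout/onepage/billing.phtml
checkout/onepage/shipping.phtml
checkout/onepage/payment.phtml
checkout/onepage/shipping_method.phtml
persistent/checkout/onepage/billing.phtml
"

# Print every theme override of a listed template that does not output the
# form key block. base/default holds the patched core files and is skipped;
# any other package/theme copy is a custom override that must be fixed by hand
# before "Enable Form Key Validation On Checkout" is switched on.
audit_formkey_templates() {
    root="$1"
    for tpl in $FORMKEY_TEMPLATES; do
        for f in "$root"/app/design/frontend/*/*/template/"$tpl"; do
            [ -f "$f" ] || continue
            case "$f" in
                */app/design/frontend/base/default/*) continue ;;
            esac
            if ! grep -Eq "getBlockHtml\(['\"]formkey['\"]\)" "$f"; then
                printf 'MISSING FORM KEY: %s\n' "$f"
            fi
        done
    done
    return 0
}

# Print custom skin copies of opcheckout.js; each one has to be re-merged with
# the patched skin/frontend/base/default/js/opcheckout.js. js/varien/payment.js
# has no theme-level override, so it only needs checking if you edited it directly.
list_opcheckout_overrides() {
    root="$1"
    for f in "$root"/skin/frontend/*/*/js/opcheckout.js; do
        [ -f "$f" ] || continue
        case "$f" in
            */skin/frontend/base/default/*) continue ;;
        esac
        printf 'CUSTOM OPCHECKOUT.JS: %s\n' "$f"
    done
    return 0
}

# Usage: sh audit.sh /var/www/magento
if [ -n "$1" ]; then
    audit_formkey_templates "$1"
    list_opcheckout_overrides "$1"
fi
```

Run it before flipping the Enable Form Key Validation On Checkout switch; an empty report means no theme-level override is missing the form key, but it says nothing about third-party checkout modules that render their own forms, which you still have to check with the vendor.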

Image Upload callback

The admin image gallery upload controller has been updated with an additional validation callback that checks the content of the uploaded file, not just its extension.

What to do

If you use a custom module that does image uploads with code that looks like this (extension allow-list plus the catalog image helper callback):

$uploader = new Mage_Core_Model_File_Uploader('image');
$uploader->setAllowedExtensions(array('jpg', 'jpeg', 'gif', 'png'));
$uploader->addValidateCallback(
    'catalog_product_image',
    Mage::helper('catalog/image'),
    'validateUploadFile'
);
$uploader->setAllowRenameFiles(true);
$uploader->setFilesDispersion(true);

I strongly suggest you update that code by adding the following piece after it, which registers the image validator introduced by SUPEE-9767 so that a file whose content is not actually an image is rejected even when its extension passed the allow-list:

// Added by SUPEE-9767: validate the file content, not only the extension.
$uploader->addValidateCallback(
    Mage_Core_Model_File_Validator_Image::NAME,
    Mage::getModel('core/file_validator_image'),
    'validate'
);
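Finding the custom modules that need this change by hand is tedious, so here is an added script (written for this post; not from the original article or from Magento) that lists PHP files under app/code/local and app/code/community which use the core file uploader but never register the image validator. It takes the Magento root as its argument and assumes those two directories hold the custom and third-party code, as in a standard Magento 1 install.

```shell
#!/bin/sh
# Added example for this post (not from the original article or from Magento):
# list custom-module PHP files that use the core file uploader but never
# register the image validator SUPEE-9767 introduced. Magento root is the
# only argument; app/code/local and app/code/community are assumed to hold
# the custom and third-party code, as in a standard Magento 1 install.

# Files that instantiate the uploader (class name, the core/file_uploader
# model alias, or the Varien parent class) without ever mentioning the image
# validator. Not every uploader handles images, so the list is for review,
# not for blind patching.
audit_upload_validators() {
    root="$1"
    for dir in "$root"/app/code/local "$root"/app/code/community; do
        [ -d "$dir" ] || continue
        find "$dir" -name '*.php' \
            -exec grep -lE 'Mage_Core_Model_File_Uploader|core/file_uploader|Varien_File_Uploader' {} + |
        while read -r f; do
            if ! grep -qE 'file_validator_image|Mage_Core_Model_File_Validator_Image' "$f"; then
                printf 'NO IMAGE VALIDATOR: %s\n' "$f"
            fi
        done
    done
    return 0
}

# Usage: sh audit_uploads.sh /var/www/magento
if [ -n "$1" ]; then
    audit_upload_validators "$1"
fi
```

Every file it reports should be opened and checked: if the uploader accepts image extensions, add the validator callback as shown above; if it only handles CSV or similar non-image uploads, the image validator does not apply.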

Symlinks

Security patch SUPEE-9767 removes the system configuration field that let you allow template symlinks from the backend. It used to be under System > Configuration > Developer > Template > Allow Symlinks; now the entire Template section is gone.

On top of that, the setting is now disabled by default via app/etc/config.xml.

The catch is that if you had that setting enabled before the patch, you'll still get a notice in the backend telling you so, but you can't disable it because the field is gone: the old value stays in core_config_data and overrides the config.xml default.

The only way to turn it off is to run the following SQL query (it clears the value at every scope it was saved at) and then flush the configuration cache so the old value is no longer served:

UPDATE core_config_data SET value = 0 WHERE path = 'dev/template/allow_symlink';

Clarification

First, we strongly suggest you read up on the purpose of the symlink change before touching anything (a simple web search for it will turn up the relevant posts).

What to do: if you use modman or composer with template symlinks, you are going to face some issues. I'm still trying to find out what the best thing to do here is, apart from dealing with SQL queries. (One option worth evaluating: both tools can deploy by copying instead of symlinking, i.e. modman's --copy flag and the Magento composer installer's "copy" deploy strategy, at the cost of redeploying after every change.)

List of other possible issues with Security Patch SUPEE-9767

Hunk Failed Issues

Note that all of those errors may simply be because you modified the original file. To rule that out:

  • Back up the file where you get the Hunk Failed error
  • Download the original file for your exact Magento version
  • Compare both files (diff them)

If the files are different, apply security patch SUPEE-9767 against the original file, then reapply your custom changes the clean way, i.e. as:

  • a custom template in a custom theme folder
  • local.xml
  • an app/code/local override

If the files are not different, then this is either a permission issue or a "bug" in the patch.
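Rather than chasing one Hunk Failed at a time, the comparison above can be done for every file the patch touches before you run it. The following is an added example (written for this post; not from the original article or from Magento) that extracts the file list from the "diff --git a/... b/..." headers embedded in a Magento SUPEE patch script and compares each file in the live install against a pristine copy of the same Magento version. It assumes you have unpacked the matching release archive somewhere and takes three arguments: the patch .sh file, the live Magento root and the pristine directory.

```shell
#!/bin/sh
# Added example for this post (not from the original article or from Magento):
# before applying a SUPEE patch, check every file it touches against a pristine
# copy of the same Magento version, so a "Hunk FAILED" can be traced to a local
# modification rather than guessed at. Arguments: the patch .sh file, the live
# Magento root and the directory holding the unpacked pristine release.

# Extract the paths from the "diff --git a/... b/..." headers embedded in the
# Magento patch script (each path is listed once).
patch_touched_files() {
    sed -n 's|^diff --git a/\([^ ]*\) b/.*|\1|p' "$1" | sort -u
}

# For each touched file report PRISTINE (byte-identical to the reference),
# MODIFIED (patch the reference copy, then re-apply your changes the clean
# way), MISSING (file absent from the live install) or NO-REFERENCE (the
# pristine tree lacks it, e.g. the wrong Magento version was unpacked).
compare_with_pristine() {
    patch_file="$1"; live="$2"; pristine="$3"
    patch_touched_files "$patch_file" | while read -r rel; do
        if [ ! -f "$live/$rel" ]; then
            printf 'MISSING      %s\n' "$rel"
        elif [ ! -f "$pristine/$rel" ]; then
            printf 'NO-REFERENCE %s\n' "$rel"
        elif cmp -s "$live/$rel" "$pristine/$rel"; then
            printf 'PRISTINE     %s\n' "$rel"
        else
            printf 'MODIFIED     %s\n' "$rel"
        fi
    done
}

# Usage: sh precheck.sh patch.sh /var/www/magento /tmp/magento-pristine
if [ $# -eq 3 ]; then
    compare_with_pristine "$1" "$2" "$3"
fi
```

Every MODIFIED line is a file that will most likely produce a Hunk Failed; diff it against the pristine copy to recover your customization, let the patch update the original, and move the customization into a theme, local.xml or app/code/local as described above. If a file is PRISTINE and the hunk still fails, look at file permissions first.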


© Copyright 2009 - 2017 | Made in the Philippines | Winnovate Digital Marketing™ | All Rights Reserved