The giant in E-commerce development- Magento has released the latest security patch. This patch is named as SUPEE – 9767. It has a lot of new and resourceful updates as compared to its predecessor, SUPEE – 9652. A lot of online store owners and merchants are already lining up to install this patch, and it is not at all a shocking news as this update is highly important in Magento Development.
The new upgrade of patches is available for the following versions of Magento:
Enterprise Edition 1.9.0.0-1.14.3.2: SUPEE-9767 or upgrade to Enterprise Edition 1.14.3.3
Community Edition 1.5.0.1-1.9.3.2: SUPEE-9767 or upgrade to Community Edition 1.9.3.3
This patch addresses the following Magento Development issues:
Zend framework, vulnerabilities related to payment.
Ensure sessions will be invalidated after logout by the user.
Several other security enhancements.
Before you install the patch, check if the old patches were installed correctly. Some of the patches depend on the patches that are already installed. Magereport can be used to check the current patches in your site.
Magento development experts advice to make sure a few things before applying the patch. It is recommended that you disable the Symlinks setting before upgrading to this latest release. You can disable at: System > Configuration > Advanced > Developer > Enable Symlinks. If this setting is enabled, it will override the configuration of file settings and to change it, you will require direct database modification.
The following APPSECS are included in this update:
-
Remote execution of code by symlinks
-
Remote execution of code in DataFlow
-
Remote execution of code in the Admin panel
-
SQL injection within Visual Merchandiser ( For Enterprise Edition)
-
XSS in Admin panel configuration
-
XSS in data fields
-
Bypassing ACLs in Store configuration permission
-
CSRF after logout – form key not invalidated
-
Local File Disclosure for admin users possessing access to dataflow
-
CSRF Vulnerability in the Checkout feature
-
Potential for username enumeration
-
CSRF cache management
-
Customer passwords exposed in logs
-
Vulnerabilities in JavaScript libraries
-
Incorrect request routing
-
Cross-site Request Forgery Vulnerability in Enterprise Edition (EE) Invites
How to install the Magento Security Patch SUPEE – 9767:
The upgraded patch can be downloaded from the Downloads page of Magento as usual, or can be installed via Downloader. To apply the new patch, SSH access to the server is required.
Here is a step by step installation guide:
Step 1: Verify your current Magento Version.
Step 2: Download the corresponding Security Patch.
Step 3: Disable the Symlinks Settings as discussed above.
Step 4: Place the patches into the Magento Root Directory.
Step 5: Run the placed patches.
Step 6: Verify and flush Magento PHP opcode cache.
Thus you can successfully install the newest security patch and update the security features of your Magento Version.
After successful installation:
Once the patch is successfully installed, check that all Shipping, Payment, CMS and landing pages can be loaded properly, without facing any issues.
Challenges involved:
If you have PHP version older than 5.6, you won’t be able to access Magento Admin. It happens because of the function hash_equals() that came along with PHP 5.6 version.
If you applied the patch SUPEE – 1533 before, this patch will fail on: app/code/core/Mage/Adminhtml/controllers/DashboardController.php.
If you have any queries regarding this Security Patch or any other Magento Development related help, contact our Magento Developers.
Read our Older post on : Magento Security Patch SUPEE-8788
