Magento, the giant in e-commerce development, has released its latest security patch, SUPEE-9767. It carries many new and substantial updates compared with its predecessor, SUPEE-9652. Many online store owners and merchants are already lining up to install it, which is no surprise given how important this update is for Magento development.
The new patch is available for the following Magento versions:
Enterprise Edition [version range garbled in source]: SUPEE-9767 or upgrade to Enterprise Edition [version garbled in source]
Community Edition [version range garbled in source]: SUPEE-9767 or upgrade to Community Edition [version garbled in source]
This patch addresses the following Magento issues:
Zend Framework and payment-related vulnerabilities.
Sessions are now invalidated after the user logs out.
Several other security enhancements.
Before installing the patch, check that earlier patches were installed correctly, since some patches depend on ones already installed. MageReport can be used to check which patches are currently present on your site.
Magento development experts advise checking a few things before applying the patch. It is recommended that you disable the Symlinks setting before upgrading to this release: System > Configuration > Advanced > Developer > Enable Symlinks. If this setting is enabled, it overrides the file configuration settings, and changing it afterwards will require direct database modification.
The following APPSEC issues are included in this update:
Remote execution of code by symlinks
Remote execution of code in DataFlow
Remote execution of code in the Admin panel
SQL injection in Visual Merchandiser (Enterprise Edition)
XSS in Admin panel configuration
XSS in data fields
Bypassing ACLs in Store configuration permission
CSRF after logout – form key not invalidated
Local File Disclosure for admin users possessing access to dataflow
CSRF Vulnerability in the Checkout feature
Potential for username enumeration
CSRF cache management
Customer passwords exposed in logs
Incorrect request routing
Cross-site Request Forgery Vulnerability in Enterprise Edition (EE) Invites
How to install the Magento security patch SUPEE-9767:
The patch can be downloaded from Magento's Downloads page as usual, or installed via the Downloader. Applying the patch requires SSH access to the server.
Here is a step-by-step installation guide:
Step 1: Verify your current Magento Version.
Step 2: Download the corresponding Security Patch.
Step 3: Disable the Symlinks Settings as discussed above.
Step 4: Place the patch files in the Magento root directory.
Step 5: Run the patch files.
Step 6: Verify and flush the Magento PHP opcode cache.
Following these steps installs the newest security patch and brings the security features of your Magento version up to date.
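Steps 1 to 6 above, collapsed into a pre-flight check and patch runner. This is an added example written for this post, not Magento's own tooling; the patch file pattern PATCH_SUPEE-9767_*.sh and the php-fpm reload used to flush the opcode cache are assumptions.

```shell
#!/bin/sh
# Pre-flight checks and runner for SUPEE-9767 (added example; assumptions are marked).
# Assumed patch file naming: PATCH_SUPEE-9767_*.sh, placed in the Magento root (Step 4).

# hash_equals() exists only from PHP 5.6, so the admin panel breaks on older PHP.
php_supports_hash_equals() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 6 ]; }
}

# List the patch scripts found in the Magento root (assumed naming, see above).
find_patch_scripts() {
    for f in "$1"/PATCH_SUPEE-9767_*.sh; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# preflight ROOT [PHP_VERSION]: Magento root marker, PHP version, patch present (Steps 1-2).
# The Symlinks setting (System > Configuration > Advanced > Developer) must already be off (Step 3).
preflight() {
    root=$1
    phpver=${2:-$(php -r 'echo PHP_VERSION;')}
    [ -f "$root/app/Mage.php" ] || { echo "not a Magento root: $root" >&2; return 1; }
    php_supports_hash_equals "$phpver" || { echo "PHP $phpver is older than 5.6; admin would break" >&2; return 1; }
    [ -n "$(find_patch_scripts "$root")" ] || { echo "no SUPEE-9767 patch script in $root" >&2; return 1; }
}

# Run each patch script from the Magento root, stopping at the first failure (Step 5).
apply_patch() {
    root=$1
    find_patch_scripts "$root" | while IFS= read -r p; do
        echo "Applying $p"
        (cd "$root" && sh "$p") || exit 1
    done
}

# Step 6: reset the web server's opcode cache. Assumption: php-fpm under systemd; adjust for
# your stack. The CLI opcache is separate from the web one, so php -r 'opcache_reset();' is not enough.
flush_opcache() {
    sudo systemctl reload php-fpm
}

if [ "${MAGENTO_PATCH_RUN:-0}" = "1" ]; then
    preflight "$PWD" && apply_patch "$PWD" && flush_opcache
fi
```

Run it from the Magento root with MAGENTO_PATCH_RUN=1 after confirming the pre-flight messages are clean.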
After successful installation:
Once the patch is installed, check that all shipping, payment, CMS and landing pages load properly, without any issues.
If your PHP version is older than 5.6, you will not be able to access the Magento admin panel, because the patch uses the hash_equals() function, which was introduced in PHP 5.6.
If you applied SUPEE-1533 earlier, this patch will fail on app/code/core/Mage/Adminhtml/controllers/DashboardController.php.
If you have any queries about this security patch or need other Magento development help, contact our Magento developers.
Read our older post on Magento Security Patch SUPEE-8788.