How to check which modules are affected by security patch SUPEE-6788

On October 27, 2015, Magento released security patch SUPEE-6788. According to the technical details, 4 APPSECs that have been fixed require some rework in local and community modules:

  • APPSEC-1034, addressing bypassing custom admin URL (disabled by default)
  • APPSEC-1063, addressing possible SQL injection
  • APPSEC-1057, template processing method allows access to private information
  • APPSEC-1079, addressing potential exploit with custom option file type

I was wondering how to check which modules are affected by this security patch.

I came up with the following partial solution:

  • APPSEC-1034: search for <use>admin</use> in the config.xml of all local and community modules. I think this should list all modules affected by this issue.
  • APPSEC-1063: search for addFieldToFilter('( and addFieldToFilter('` in all PHP files of local and community modules. This is incomplete, as variables can also be used.
  • APPSEC-1057: search for {{config path= and {{block type= in all PHP files of local and community modules, and filter out all elements from the whitelist. This is incomplete, as it does not contain any template variables added by admins, however.
  • APPSEC-1079: no idea.

There is also a list of extensions that are vulnerable to APPSEC-1034 and APPSEC-1063, compiled by Peter Jaap Blaakmeer.

Aad Mathijssen

Posted 2015-10-21T15:32:43.457

I have no idea how to contact @PeterJaapBlaakmeer but I have an extension that needs to be added to the list: FreeLunchLabs ConstantContact for the admin url issue – David Wilkins – 2015-10-21T16:15:59.440

I believe 1079 would be a serialize or unserialize in a custom option. Something like serialize($options); a possible example: http://magento.stackexchange.com/a/4198/69 Also worth checking out: https://owasp.github.io/AppSec-Browser-Bundle/

– B00MER – 2015-10-21T16:36:25.337

There is no patch yet for download on https://www.magentocommerce.com/download So where do you guys get this info about future patches and updates? So that next time I can check before patches are released.

– zitix – 2015-10-21T16:59:15.603

Who came up with some of these solutions? Suddenly there's going to be a block type and variable whitelist? Upgrading Magento has always been a pain, but good job to Magento for making it even more of a pain. – Agop – 2015-10-21T21:45:38.080

Heh, Magento, the gift that keeps on giving. I just finished upgrading ALL the modules for 1.9.2.1 compatibility. Bet module developers are just jumping for joy or running screaming for the hills. – Fiasco Labs – 2015-10-22T03:11:15.913

At this moment the patch is postponed for next week: "postpone the security patch release until early next week and modify the patch so that the admin routing changes are turned off by default. This means that the patch will include the fix, but that it will be disabled when installed. The new release date and changes to the patch will give you some additional time to make updates to your code and will give merchants flexibility to turn on this part of the patch once their extensions and customizations have been updated to work with it." – FireBear – 2015-10-22T07:01:29.910

If anyone needs it, we have written a small tutorial on how to update your module to fix your custom admin routes: http://www.digital-pianism.com/en/blog/how-to-update-modules-before-magento-patch-supee-6788/

– Raphael at Digital Pianism – 2015-10-22T16:53:21.470

Is there really no way of addressing these vulnerabilities without such major backwards incompatibility? I feel like someone found an imperfection in the paint and used a hammer to smooth it out. – Agop – 2015-10-22T18:47:43.107

Please wait for more information in official announcement. We are working on improving the backward incompatibility of patch. – Piotr Kaminski – 2015-10-21T16:34:01.170

OK, thanks for the reply. BTW I think the config path whitelist in the technical details is incomplete: trans_email/ident_general/email, trans_email/ident_support/email and trans_email/ident_support/name are missing. – Aad Mathijssen – 2015-10-22T10:57:03.620

APPSEC-1063 will mean that code like the following does not work: $collection->addFieldToFilter('field', array('eq' => 3));

What happens if there is an intentional need for the backtick? I know a magento instance with an attribute called drop which needs backticked to escape it as drop is a reserved mysql word. – Luke Rodgers – 2015-10-22T12:26:45.127

Unfortunately no: with variables you get access to things like PayPal password or block of recent orders. And we have seen them being processed based on customer input. With admin routing, it helps stops automated large scale attacks like the recent Guruincsite. – Piotr Kaminski – 2015-10-23T22:11:50.047

PATCH has been released https://magento.com/security/patches/supee-6788-technical-details

– Muk – 2015-10-27T18:07:11.003

@PiotrKaminski So, why a whitelist instead of a blacklist? It sounds like you've identified some blocks and variables which should not be output via {{ templates }}, so why not put them in a blacklist instead of introducing a breaking whitelist? – Agop – 2015-11-02T16:27:02.957

@AadMathijssen Who (and where) to contact to notify that some of modules were updated and are no compatible with SUPEE-6788? – zitix – 2015-11-16T20:01:21.983

@zitix https://github.com/peterjaap

– Aad Mathijssen – 2015-11-16T21:28:05.807
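
As an added example (not code from the question, the linked spreadsheet, or any of the tools mentioned in this thread), the three grep-style heuristics from the question implemented as a small Python scanner over app/code/local and app/code/community. It uses the config path whitelist from the technical details plus the three trans_email paths reported above as missing from the PDF, and the two whitelisted block types. The sample tree it builds is constructed for the demonstration: Acme_Legacy and Acme_Fixed are hypothetical modules, and payment/example_gateway/api_password is a made-up config path standing in for any secret a non-whitelisted {{config}} directive could expose.

```python
"""
Heuristic scanner for code affected by SUPEE-6788 (APPSEC-1034, -1063, -1057).

It is a grep-level check, as the question says: dynamic field names passed to
addFieldToFilter and template variables added by admins in the database are
invisible to it, and APPSEC-1079 (custom option file types) is not covered.
"""
import os
import re
import tempfile
from collections import Counter

# {{config path=...}} paths allowed after the patch: the technical-details list
# plus the three trans_email paths the thread reports as missing from the PDF.
CONFIG_PATH_WHITELIST = {
    "web/unsecure/base_url", "web/secure/base_url",
    "trans_email/ident_general/name", "trans_email/ident_general/email",
    "trans_email/ident_sales/name", "trans_email/ident_sales/email",
    "trans_email/ident_support/name", "trans_email/ident_support/email",
    "trans_email/ident_custom1/name", "trans_email/ident_custom1/email",
    "trans_email/ident_custom2/name", "trans_email/ident_custom2/email",
    "general/store_information/name", "general/store_information/phone",
    "general/store_information/address",
}
# {{block type=...}} types allowed after the patch.
BLOCK_TYPE_WHITELIST = {"core/template", "catalog/product_new"}

USE_ADMIN_RE = re.compile(r"<use>\s*admin\s*</use>")                       # APPSEC-1034
FILTER_RE = re.compile(r"""addFieldToFilter\(\s*['"]\s*[(`]""")             # APPSEC-1063
CONFIG_RE = re.compile(r"""\{\{config\s+path\s*=\s*["']?([^"'}\s]+)""")     # APPSEC-1057
BLOCK_RE = re.compile(r"""\{\{block\s+type\s*=\s*["']?([^"'}\s]+)""")       # APPSEC-1057


def scan_tree(root, pools=("local", "community")):
    """Return (issue, relative path, detail) tuples for every hit in the code pools."""
    findings = []
    for pool in pools:
        for dirpath, _, names in os.walk(os.path.join(root, "app", "code", pool)):
            for name in names:
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, root)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
                if name == "config.xml" and USE_ADMIN_RE.search(text):
                    findings.append(("APPSEC-1034", rel, "router declared with <use>admin</use>"))
                if name.endswith((".php", ".phtml")):
                    for m in FILTER_RE.finditer(text):
                        findings.append(("APPSEC-1063", rel, m.group(0)))
                for m in CONFIG_RE.finditer(text):
                    if m.group(1) not in CONFIG_PATH_WHITELIST:
                        findings.append(("APPSEC-1057", rel, "config path " + m.group(1)))
                for m in BLOCK_RE.finditer(text):
                    if m.group(1) not in BLOCK_TYPE_WHITELIST:
                        findings.append(("APPSEC-1057", rel, "block type " + m.group(1)))
    return findings


def summarize(findings):
    """Count findings per APPSEC id."""
    return dict(Counter(issue for issue, _, _ in findings))


# Constructed sample tree; Acme_Legacy and Acme_Fixed are hypothetical modules.
SAMPLE_FILES = {
    # Old-style admin router: hit by APPSEC-1034 once admin routing enforcement is on.
    "app/code/community/Acme/Legacy/etc/config.xml": """<config>
  <admin><routers><acme_legacy>
    <use>admin</use>
    <args><module>Acme_Legacy</module><frontName>acme_legacy</frontName></args>
  </acme_legacy></routers></admin>
</config>""",
    "app/code/community/Acme/Legacy/Model/Report.php": """<?php
$collection->addFieldToFilter('(qty_ordered - qty_shipped)', array('gt' => 0)); // expression
$collection->addFieldToFilter('`drop`', 1);                                    // backtick
$collection->addFieldToFilter('status', array('eq' => 'complete'));             // plain field
""",
    "app/code/community/Acme/Legacy/Block/Mail.php": """<?php
$tpl  = '{{config path="trans_email/ident_support/email"}}';      // whitelisted
$tpl .= '{{config path="payment/example_gateway/api_password"}}'; // hypothetical secret
$tpl .= '{{block type="core/template" template="acme/x.phtml"}}'; // whitelisted
$tpl .= '{{block type="acme_legacy/widget"}}';                    // not whitelisted
""",
    # Already migrated: controllers hang off the adminhtml router, no <use>admin</use>.
    "app/code/local/Acme/Fixed/etc/config.xml": """<config>
  <admin><routers><adminhtml><args><modules>
    <Acme_Fixed before="Mage_Adminhtml">Acme_Fixed_Adminhtml</Acme_Fixed>
  </modules></args></adminhtml></routers></admin>
</config>""",
    # Core is out of scope: the patch itself rewrites it.
    "app/code/core/Mage/Adminhtml/etc/config.xml": "<config><use>admin</use></config>",
}


def build_sample_tree():
    """Write SAMPLE_FILES into a fresh temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="supee6788-")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_tree()          # replace with the real install path to scan it
    for issue, rel, detail in sorted(scan_tree(root)):
        print(f"{issue}  {rel}: {detail}")
    print(summarize(scan_tree(root)))
```

On the sample tree it reports one APPSEC-1034 hit (the legacy router), two APPSEC-1063 hits (the expression and the backticked field; the plain field name is left alone) and two APPSEC-1057 hits (the non-whitelisted config path and block type). The migrated Acme_Fixed module and app/code/core produce nothing, which is the point of restricting the scan to the local and community pools: core is what the patch itself changes.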

Answers

SUPEE-6788 has been released with the admin routing changes turned off by default. This means that the patch includes the fix, but that it will be disabled when installed. This will give you some additional time to make updates to your code and will give merchants flexibility to turn on this part of the patch once their extensions and customizations have been updated to work with it.

To enable the admin routing capability for extensions after installing the patch, go to Admin -> Advanced -> Admin -> Security.

Magento CE 1.4-1.6 patches are delayed and should be available in about one week!

SUPEE-6788 Resources list

FireBear

Posted 2015-10-21T15:32:43.457

For any "won't fix" modules, can we document what in general needs to be changed so that these modules can be manually patched to work with 6788? For instance, "remove X from all addFieldToFilter calls." – Tyler V. – 2015-10-23T18:38:16.140

The patch has been released. Please update your answer. – 7ochem – 2015-10-28T09:40:33.530

@7ochem done , thanks for reminder! – FireBear – 2015-10-28T09:57:04.050

@FireBear I have already applied Magento patches in past many times. But I have a doubt about SUPEE-6788. Do I need to apply it like other patches and later I can enable admin routing capability in Magento admin panel or while installation time only I have to take care. Please suggest. – Muk – 2015-10-28T13:11:08.670

@Muk Yes, you can install it like other patches, but you need to beware of broken extensions: if you use some extensions from the list, you need to fix them manually or wait for an update from the developers; until then you can enable Admin routing capability for extensions. – FireBear – 2015-10-28T13:13:28.910

@FireBear Could you provide your feedback on https://community.magento.com/t5/Version-Upgrades/quot-Before-quot-and-quot-After-quot-in-admin-router-SUPEE-6788/m-p/20201#M1363 (Before and After in custom module)

– Muk – 2015-10-29T09:44:46.473

@Muk i think this question answered and explained on patch notes with details - because of security :) – FireBear – 2015-10-29T12:56:23.723

Along the lines of other comments about detecting conflicts, we at ParadoxLabs have created a script to track down everything affected by APPSEC-1034 (admin controllers) and APPSEC-1057 (whitelist). It will also attempt to fix any bad controllers, since that's a fairly precise and invasive change to make.

It doesn't cover APPSEC-1063 (SQL injection) or APPSEC-1079 (custom options), but it would be great if it could. Not sure how to detect those with any sort of precision. We're open to contributions.

https://github.com/rhoerr/supee-6788-toolbox

Ryan Hoerr

Posted 2015-10-21T15:32:43.457

This looks really useful, good work! – paj – 2015-10-23T15:07:30.800

fixWhitelists adds blocks to whitelists but doesn't seem to do the same for variables - please could you confirm? – zigojacko – 2015-11-06T12:08:07.697

@zigojacko It covers both. – Ryan Hoerr – 2015-11-06T13:51:54.240

Yep, figured this out by giving it a go. Excellent work, super job by ParadoxLabs :) – zigojacko – 2015-11-09T10:52:01.290

Respect to ParadoxLabs. That tool is saving a big amount of work. – DarkCowboy – 2015-11-09T13:28:24.913

superb,,,+1 from me....saves a lot of time.....:-) – Keyur Shah – 2015-11-14T04:49:42.660

This php script might be useful in identifying Magento code affected by the proposed SUPEE-6788 patch.

This is in no way a foolproof security check for this patch, but might be useful to quickly scan your installation for the modules and code affected.

Install the script with

wget https://raw.githubusercontent.com/gaiterjones/magento-appsec-file-check/master/magento_appsec_file_check.php

edit the path to your Magento installation

$_magentoPath='/home/www/magento/';

run

php magento_appsec_file_check.php

Affected files will be displayed:

*** Magento security file check ***
[1] APPSEC-1034, addressing bypassing custom admin URL
2 effected files :
<use>admin</use> found in  app/code/community/Itabs/Debit/etc/config.xml
<use>admin</use> found in  app/code/core/Mage/Adminhtml/etc/config.xml


[2] APPSEC-1063, addressing possible SQL injection
2 effected files :
collection->addFieldToFilter(' found in  app/code/community/Itabs/Debit/Model/Export/Abstract.php
collection->addFieldToFilter(' found in  app/code/community/Itabs/Debit/controllers/Adminhtml/OrderController.php
collection->addFieldToFilter(' not found.
collection->addFieldToFilter('\` not found.
collection->addFieldToFilter('\` not found.


[3] APPSEC-1057, template processing method allows access to private information
{{config path= not found.
{{block type= not found.


***********************************

The script uses grep to search Magento files for occurrences of the code that may possibly break backward compatibility with customizations or extensions when SUPEE-6788 is applied.

paj

Posted 2015-10-21T15:32:43.457

There is already a big list available with all the extensions that will break with SUPEE-6788.

More info here: https://docs.google.com/spreadsheets/d/1LHJL6D6xm3vD349DJsDF88FBI_6PZvx_u3FioC_1-rg/edit#gid=0

Gary Olderman

Posted 2015-10-21T15:32:43.457

I am really curious to know how this list was collected. – mam08ixo – 2015-10-21T19:53:22.630

It was crowdsourced; original source is: https://docs.google.com/spreadsheets/d/1LHJL6D6xm3vD349DJsDF88FBI_6PZvx_u3FioC_1-rg/edit#gid=0

– Herman Slatman – 2015-10-21T20:48:38.323

Please remove the list from the above page and link to the source instead, which is kept up-to-date: https://docs.google.com/spreadsheets/d/1LHJL6D6xm3vD349DJsDF88FBI_6PZvx_u3FioC_1-rg/edit#gid=0

– Aad Mathijssen – 2015-10-22T08:29:52.500

Is there any contact to let them know about updated versions? I see at least 2-3 modules there that were already updated. – versedi – 2015-11-03T08:33:44.857

The list of allowed variables that can be processed via the content filter is bigger than was shown in the PDF:

+ trans_email/ident_support/name
+ trans_email/ident_support/email
web/unsecure/base_url
web/secure/base_url
trans_email/ident_general/name
+ trans_email/ident_general/email
trans_email/ident_sales/name
trans_email/ident_sales/email
trans_email/ident_custom1/name
trans_email/ident_custom1/email
trans_email/ident_custom2/name
trans_email/ident_custom2/email
general/store_information/name
general/store_information/phone
general/store_information/address

(I have added a + before the variables that were not described in the PDF.)

The allowed blocks that can be processed via the content filter are:

core/template
catalog/product_new

Daniel van der Garde

Posted 2015-10-21T15:32:43.457