MAGENTO SECURITY PATCH SUPEE-7405 RELEASED

The v1.1 updates add support for PHP 5.3 and address issues with upload file permissions, cart merging, and the SOAP API that merchants experienced with the original release. They DO NOT address any new security issues.

Magento highly recommends that all users either install the SUPEE-7405 v1.1 patch bundle, or upgrade to Magento Enterprise Edition 1.14.2.4 or Magento Community Edition 1.9.2.4.

You must install the SUPEE-7405 v1.0 patch before installing the SUPEE-7405 v1.1 patch bundle if you are running a version of Magento Enterprise Edition prior to 1.14.2.3 or Magento Community Edition prior to 1.9.2.3.

You do not need to install the SUPEE-7405 v1.0 patch if you are running Magento Enterprise Edition 1.14.2.3, Magento Community Edition 1.9.2.3, or have previously installed the SUPEE-7405 v1.0 patch on an earlier version of Magento Community Edition.

The SUPEE-7405 v1.1 patch bundle includes the following:

Cart Merge Patch (SUPEE-7978)

Carts with identical items now merge correctly. Previously, when a cart with one item was merged with another cart that contained the same item, Magento did not merge the cart totals correctly. The cart now includes only one item, and the total is correct.

SOAP API Patch (SUPEE-7822)

The Magento SOAP API now works as expected. Previously, after installing the SUPEE-7405 v1.0 patch, an API request would cause a 500 error and Magento would log an exception.

PHP 5.3 Compatibility (SUPEE-7882)

The original patch was not compatible with PHP 5.3 on earlier Magento versions that still supported it. Merchants affected by this issue were unable to view sales information in the Admin.

Upload File Permissions

The patch restores the less restrictive file permissions (0666 for files and 0777 for directories; note that these modes are world-readable and world-writable), because the stricter permissions introduced by the original SUPEE-7405 patch left many merchants unable to view uploaded product images, depending on the hosting provider's configuration.
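The installation-order rules above (v1.0 first on releases older than 1.14.2.3 / 1.9.2.3, nothing at all on 1.14.2.4 / 1.9.2.4) are easy to get wrong by hand. The following is an added helper, not Magento's code, that works out which SUPEE-7405 steps a store still needs. It assumes app/etc/applied.patches.list is pipe-delimited with the patch id in the second field, and that the v1.1 bundle's component patches are recorded under the SUPEE ids listed above; the sample listing is constructed.

```python
from typing import List, Set, Tuple

# Version thresholds taken from the release notes. Stores older than V10_BUILT_IN
# must apply SUPEE-7405 v1.0 before the v1.1 bundle; releases at or above
# FIXED_IN already contain every fix and need no patch at all.
V10_BUILT_IN = {"EE": (1, 14, 2, 3), "CE": (1, 9, 2, 3)}
FIXED_IN = {"EE": (1, 14, 2, 4), "CE": (1, 9, 2, 4)}
# Component patches of the v1.1 bundle (assumed to be recorded under these ids).
V11_COMPONENTS = {"SUPEE-7978", "SUPEE-7822", "SUPEE-7882"}

# Constructed sample of app/etc/applied.patches.list. The layout is an assumption:
# one line per applied patch, pipe-delimited, patch id in the second field.
SAMPLE_PATCH_LIST = """\
2015-10-27 12:00:00 UTC | SUPEE-6788 | CE_1.9.2.1 | v1 | <hash> | note
2016-01-20 12:00:00 UTC | SUPEE-7405 | CE_1.9.2.1 | v1 | <hash> | note
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.9.2.1' into a comparable tuple (1, 9, 2, 1)."""
    return tuple(int(part) for part in text.split("."))


def applied_patches(listing: str) -> Set[str]:
    """Collect SUPEE ids from the listing (second pipe-delimited field)."""
    ids = set()
    for line in listing.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) >= 2 and fields[1].startswith("SUPEE-"):
            ids.add(fields[1])
    return ids


def outstanding_steps(edition: str, version: str, listing: str) -> List[str]:
    """Return the SUPEE-7405 steps still required, in the order to run them."""
    ver = parse_version(version)
    if ver >= FIXED_IN[edition]:
        return []  # 1.14.2.4 / 1.9.2.4 already ship with all the fixes
    have = applied_patches(listing)
    steps = []
    # v1.0 is a prerequisite only on releases older than 1.14.2.3 / 1.9.2.3
    if ver < V10_BUILT_IN[edition] and "SUPEE-7405" not in have:
        steps.append("install SUPEE-7405 v1.0")
    if not V11_COMPONENTS <= have:
        steps.append("install SUPEE-7405 v1.1 bundle")
    return steps


if __name__ == "__main__":
    print(outstanding_steps("CE", "1.9.2.1", SAMPLE_PATCH_LIST))
```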

Several issues rated under CVSSv3 were found affecting Magento products. A few of the bugs are listed below:

Issue Type: Cross-site Scripting (XSS) – Stored

CVSSv3 Severity | Security Bug | Description
9.3 (Critical) | Stored XSS via email address | During customer registration on the storefront, a user can provide an email address that contains JavaScript code. Magento does not properly validate this email and executes it in Admin context when viewing the order in the backend. This JavaScript code can steal an administrator session or act on behalf of a store administrator.
9.3 (Critical) | Stored XSS in Order Comments | A user can append comments to an order using a specially crafted request that relies upon the PayFlow Pro payment module. Magento does not filter the request properly, which potentially results in JavaScript code being saved in the database (see issue APPSEC-1240) and then executed server-side when the administrator tries to view the order. This attack can lead to a takeover of the administrator session or executing actions on behalf of the administrator.
7.5 (High) | Stored XSS in Order | In certain configurations, Magento uses the HTTP_X_FORWARDED_FOR header as the customer IP address and displays it without sanitization in the Admin Panel. An attacker can use this header to inject JavaScript code into Order View forms in the Admin Panel. The code is then executed when a user visits an Order View form, allowing the takeover of an administrator session or for an unauthorized user to execute actions on behalf of an administrator. Note that we do not recommend using this header configuration setting.

Issue Type: Information Leakage

CVSSv3 Severity | Security Bug | Description
7.5 (High) | Guest order view protection code vulnerable to brute-force attack | The guest order view protection code makes it possible to access guest order information for some orders. (This is due to how the code is generated and compared with stored values.) While the attack cannot target a specific order or allow a user to view all orders, it can be used to extract order information from the store.
7.5 (High) | Information Disclosure in RSS feed | You can download order comments and other order-related information by providing special parameters to the RSS feed request. This information, depending on the contents of the order comments, can disclose private information or be used to access a customer account or other customer information.

Issue Type: Cross-site Request Forgery (CSRF)

CVSSv3 Severity | Security Bug | Description
7.4 (High) | CSRF token not validated on backend login page | The lack of form protection on the Admin Login page enables potential request forgery attacks. These forgery attacks require the administrator to be tricked into clicking on a link by phishing or by link hiding.

Source: Magento

Magento highly recommends deploying these security patches right away to ensure optimal security and performance.

What else can be done to protect a Magento site?

Apart from installing the security patches, you can ask Magento certified professionals to conduct a security audit every quarter to ensure that your store remains secure, especially if you have installed new extensions or made changes to the site.

If you want help implementing this security patch or have any questions about the Magento SUPEE-7405 security patch, consult our certified Magento developers or contact our support team.
