How to check which modules are affected by security patch SUPEE-6788
SUPEE-6788 has been released, and the admin routing changes are turned off by default. This means that the patch includes the fix, but that it will be disabled when installed. This will give you some additional time to make updates to your code and will give merchants flexibility to turn on this part of the patch once their extensions and customizations have been updated to work with it.
To enable the admin routing capability for extensions after installing the patch, go to Admin -> Advanced -> Admin -> Security.
Magento CE 1.4-1.6 patches are delayed and should be available in about one week!
SUPEE-6788 Resources list
Official details & download SUPEE-6788 - http://magento.com/security/patches/supee-6788 & https://www.magentocommerce.com/download
How to apply SUPEE-6788 discussion with useful tips - https://magento.meta.stackexchange.com/a/734/2282
Install SUPEE-6788 without SSH - https://magentary.com/kb/install-supee-6788-without-ssh/
SUPEE-6788 for CE 1.7.0.1 - 1.9.2.1 on GitHub - https://github.com/brentwpeterson/magento-patches/tree/master/current-patches/CE
SUPEE-6788 for EE 1.12.x - 1.14.x on GitHub - https://github.com/brentwpeterson/magento-patches/tree/master/current-patches/EE
SUPEE-6788 and Backward Compatibility - https://info2.magento.com/rs/318-XBX-392/images/SUPEE-6788-Technical%20Details.pdf
Community driven up to date list of Extensions that will break with SUPEE-6788 / Magento 1.9.2.2 / EE 1.14.2.2 - https://docs.google.com/spreadsheets/d/1LHJL6D6xm3vD349DJsDF88FBI_6PZvx_u3FioC_1-rg/htmlview?sle=true#gid=0
Helpful Magerun commands - https://github.com/peterjaap/magerun-addons
- n98-magerun dev:template-var - Find non-whitelisted vars/blocks to be compatible with SUPEE-6788 and Magento 1.9.2.2
- n98-magerun.phar dev:old-admin-routing - Find extensions that use old-style admin routing (which is not compatible with SUPEE-6788 and Magento 1.9.2.2)
Check if store patched / affected - https://www.magereport.com/
Some custom blocks on the front page have disappeared after the patch install - APPSEC-1057 How to add variables or blocks to the white list tables & https://www.pinpointdesigns.co.uk/blog/magento-ce-patch-supee-6788-custom-blocks-issue/
Magento SUPEE-6788 Developer Toolbox - find and automatically resolve major problems from the patch https://github.com/rhoerr/supee-6788-toolbox
MageDownload CLI - A PHP tool to automate Magento release and patch downloads - https://github.com/steverobbins/magedownload-cli
How to whitelist template variables and blocks for SUPEE-6788 - https://gist.github.com/avoelkl/f99e95c8caad700aee9
Check Magento files for known appsec affected code - https://github.com/Schrank/magento-appsec-file-check
Common issues with SUPEE 6788 Magento patch installation - http://www.atwix.com/magento/security-patch-supee-6788-installation-issues/
Performance improvement for Magento Patch SUPEE-6788 - https://github.com/EcomDev/SUPEE6788-PerformanceFix , https://gist.github.com/DimaSoroka/a3e567ddc39bd6a39c4e , Details - http://www.magecore.com/blog/news/performance-issues-magento-security-patch-supee-6788
Along the lines of other comments about detecting conflicts, we at ParadoxLabs have created a script to track down everything affected by APPSEC-1034 (admin controllers) and APPSEC-1057 (whitelist). It will also attempt to fix any bad controllers, since that's a fairly precise and invasive change to make.
It doesn't cover APPSEC-1063 (SQL injection) or APPSEC-1079 (custom options), but it would be great if it could. Not sure how to detect those with any sort of precision. We're open to contributions.
https://github.com/rhoerr/supee-6788-toolbox
This PHP script might be useful in identifying Magento code affected by the proposed SUPEE-6788 patch.
This is in no way a foolproof security check for this patch, but might be useful to quickly scan your installation for the modules and code affected.
Install the script with:
wget https://raw.githubusercontent.com/gaiterjones/magento-appsec-file-check/master/magento_appsec_file_check.php
Edit the path to your Magento installation:
$_magentoPath='/home/www/magento/';
Run:
php magento_appsec_file_check.php
Affected files will be displayed:
*** Magento security file check ***
[1] APPSEC-1034, addressing bypassing custom admin URL
2 effected files :
<use>admin</use> found in app/code/community/Itabs/Debit/etc/config.xml
<use>admin</use> found in app/code/core/Mage/Adminhtml/etc/config.xml
[2] APPSEC-1063, addressing possible SQL injection
2 effected files :
collection->addFieldToFilter(' found in app/code/community/Itabs/Debit/Model/Export/Abstract.php
collection->addFieldToFilter(' found in app/code/community/Itabs/Debit/controllers/Adminhtml/OrderController.php
collection->addFieldToFilter(' not found.
collection->addFieldToFilter('\` not found.
collection->addFieldToFilter('\` not found.
[3] APPSEC-1057, template processing method allows access to private information
{{config path= not found.
{{block type= not found.
***********************************
The script uses grep to search Magento files for occurrences of the code that may possibly break backward compatibility with customizations or extensions when SUPEE-6788 is applied.
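A minimal version of the grep approach this answer describes, as an added example (it is not the script from the answer, whose source is not shown here). The search strings are the ones in the sample output above; the function names, the search roots and the `Acme_Demo` sample module are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not the script from the answer. Needs grep with -r/--include.

# scan_pattern ID ROOT SUBDIR GLOB STRING...
# Prints "ID<TAB>STRING<TAB>path" for each file under ROOT/SUBDIR containing STRING.
scan_pattern() {
    id=$1 root=$2 sub=$3 glob=$4; shift 4
    [ -d "$root/$sub" ] || return 0
    for s in "$@"; do
        (cd "$root" && grep -rlF --include="$glob" -e "$s" "$sub" 2>/dev/null) | sort |
            while IFS= read -r f; do printf '%s\t%s\t%s\n' "$id" "$s" "$f"; done
    done
}

# scan_appsec MAGENTO_ROOT: prints nothing when no search string is found.
scan_appsec() {
    # APPSEC-1034: config.xml files that declare a router with <use>admin</use>
    scan_pattern APPSEC-1034 "$1" app/code 'config.xml' '<use>admin</use>'
    # APPSEC-1063: addFieldToFilter calls to review by hand
    scan_pattern APPSEC-1063 "$1" app/code '*.php' "collection->addFieldToFilter('"
    # APPSEC-1057: directives whose target may need whitelisting.
    # Assumption: only file-based e-mail templates under app/locale are searched.
    scan_pattern APPSEC-1057 "$1" app/locale '*.html' '{{config path=' '{{block type='
}

# make_sample_tree DIR: constructed miniature tree (Acme_Demo is a made-up module).
make_sample_tree() {
    m=$1/app/code/community/Acme/Demo
    mkdir -p "$m/etc" "$m/Model" "$1/app/locale/en_US/template/email"
    printf '%s\n' '<config><admin><routers><demo><use>admin</use></demo></routers></admin></config>' > "$m/etc/config.xml"
    printf '%s\n' "<?php \$collection->addFieldToFilter('status', 1);" > "$m/Model/Export.php"
    printf '%s\n' "<?php \$collection->setPageSize(10);" > "$m/Model/Clean.php"
    printf '%s\n' '{{block type="core/template" template="acme/demo.phtml"}}' > "$1/app/locale/en_US/template/email/demo.html"
}

# Demo on the constructed tree; point scan_appsec at a real Magento root instead.
demo=$(mktemp -d); make_sample_tree "$demo"; scan_appsec "$demo"; rm -rf "$demo"
```

Directives stored in CMS pages and static blocks live in the database, so a file scan like this does not see them.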