Magento security patch SUPEE-6482, What is patched?
The actual security patch (SUPEE-6482) only affects the two following files and is an API patch.
app/code/core/Mage/Api/Model/Server/Adapter/Soap.php
app/code/core/Mage/Catalog/Model/Product/Api/V2.php
The full 1.9.2.1 install is a different matter altogether. I would diff source code between 1.9.2.0 and 1.9.2.1 to figure out the other two items that were patched.
Release notes are for the full installer, you have to check the patch to see if it actually includes all the items noted in the release notes.
Implications of running an unpatched server:
- Cross-site Scripting Using Unvalidated Headers => Cache Poisoning
- Autoloaded File Inclusion in Magento SOAP API => Remote code autoload
- XSS in Gift Registry Search => Cookie theft and user impersonation
- SSRF Vulnerability in WSDL File => Internal server info leak and remote file inclusion
NOTE: Files patched in the full install archive that are not patched with the patch, hmm?
diff -r magento-1920/app/code/core/Mage/Core/Controller/Request/Http.php magento-1921/app/code/core/Mage/Core/Controller/Request/Http.php
300a301
> $host = $_SERVER['HTTP_HOST'];
302,303c303,304
< $host = explode(':', $_SERVER['HTTP_HOST']);
< return $host[0];
---
> $hostParts = explode(':', $_SERVER['HTTP_HOST']);
> $host = $hostParts[0];
305c306,313
< return $_SERVER['HTTP_HOST'];
---
>
> if (strpos($host, ',') !== false || strpos($host, ';') !== false) {
> $response = new Zend_Controller_Response_Http();
> $response->setHttpResponseCode(400)->sendHeaders();
> exit();
> }
>
> return $host;
diff -r magento-1920/app/design/frontend/base/default/template/page/js/cookie.phtml magento-1921/app/design/frontend/base/default/template/page/js/cookie.phtml
37,38c37,38
< Mage.Cookies.path = '<?php echo $this->getPath()?>';
< Mage.Cookies.domain = '<?php echo $this->getDomain()?>';
---
> Mage.Cookies.path = '<?php echo Mage::helper('core')->jsQuoteEscape($this->getPath()) ?>';
> Mage.Cookies.domain = '<?php echo Mage::helper('core')->jsQuoteEscape($this->getDomain()) ?>';
I hade a look at the changes in detail and which side effects are to expect.
In the version for EE 1.13.1.0 the following files changed:
2015-08-05 07:14:25 UTC | SUPEE-6482_EE_1.13.1.0 | EE_1.13.1.0 | v2 | 7e38036f94f250514fcc11d066a43c9bdb6a3723 | Tue Jul 28 14:29:35 2015 +0300 | v1.13.1.0..HEAD
patching file app/code/core/Enterprise/PageCache/Model/Processor.php
patching file app/code/core/Mage/Api/Model/Server/Adapter/Soap.php
patching file app/code/core/Mage/Catalog/Model/Product/Api/V2.php
patching file app/code/core/Mage/Core/Controller/Request/Http.php
Hunk #1 succeeded at 294 (offset 7 lines).
patching file app/design/frontend/base/default/template/page/js/cookie.phtml
patching file app/design/frontend/enterprise/default/template/giftregistry/search/form.phtml
- In
Adapter/Soap.php
, urlencoding is added to authentication data. This should have no negative side effect. It ensure, that the resultingwsdlUrl
is valid. Without this change, one could influence the URL Product/Api/V2.php
: Here are some checks if passed data is an object. This should not happen under normal circumstances.- in
Request/Http.php
andPageCache/Model/Processor.php
a check is added when getting the HTTP HOST. This seems to cover the header injections mentioned. The check only applies if there is a;
or,
in the HTTP host, so this should be uncritical in real life systems / have no negative side effect. - in the
cookie.phtml
escaping is added. So this has to be forward ported to your theme if you overwrite that file - similar for
giftregistry/search/form.phtml
To sum it up, I would say that applying the patch should not have any negative side effects. Remember to forward port the changes to your .phtml
files.
Weird thing is that EE patch contains modifications on following files:
app/code/core/Mage/Core/Controller/Request/Http.php
app/design/frontend/base/default/template/page/js/cookie.phtml
When the CE one doesn't, for an equivalent version.
I presume there is something missing on that SUPEE-6482
CE version, and a V2 could be released soon.