With the increasing technology, chances for the information getting hacked or leaked is also increasing simultaneously. These security issues also occur with Magento platform too. These issues cause loss of informations, spamming, loss of credentials etc. To resolve such issues faced by Magento platform and maintain its performance, several upgrades are released Magento team. This provides a tool to keep your store safe and secure.
The upgrades which are released to solve the security issues are called as the Security patches. Whenever, a security patch becomes available, a notification is sent to all the merchants in their admin inbox. You can know about the security vulnerabilities by scanning your Magento shop.
Now let us talk about the Security patch SUPEE-8788. The Magento team has recently released the security patch SUPEE-8788 to address the Zend Framework and Payment vulnerabilities. It includes 17 APPSEC updates to provide protection against security threats like
- Remote Code Execution in checkout
- SQL Injection/Improper validation
- Cross-site Scripting in invitations
- Information leakage
- Insufficient data protection
- Remote Code Execution in admin
- Full page cache Poisoning
- Cross-site Scripting in URL processing
- Cross-site Scripting in Categories Management
- Denial of Services
- Cross-site scripting in Flash file uploader
- Filter avoidance
- Cross-site Request Forgery in several forms
- CSRF on removing item from Wishlist or Address Book
- Insufficient Session Expiration
- Lack of certificate validation and Timing attack.
This security patch makes sure that once the user is logged out from his account, it makes sure that the sessions has been invalidated. Along with this, all the above stated security issues has been addressed with the solutions which are long lasting.
To make you understand each of the 17 APPSEC updates, we have included all the relevant information in a table format. Let us go through it together:
|No.||APPSEC Updates||Security Issue||Severity Level||Description|
|1||APPSEC-1484||Remote Code Execution in checkout||9.8 (Critical)||With some payment methods it could execute malicious PHP coding during checkout process.|
|2||APPSEC-1480||SQL injection in Zend Framework||9.1 (Critical)||In this bug, a malicious user can inject SQL in the Zend Framework into the ordering or grouping parameters.|
|4||APPSEC-1247||Block cache exploit||7.7 (High)||An attacker can get access to any CMS functionality with administrator permissions can ex-filtrate the information stored in cache by using blocks. It can also execute the codes.|
|5||APPSEC-1517||Log in as another customer||7.5 (High)||A malicious user can log in to the account using the email address and not password of an existing store customer.|
|6||APPSEC-1375c||Remote Code Execution in admin||6.5 (Medium)||The import/export functionality without any proper checking supplies the un-serialize data from the Magento Admin dashboard.|
|7||APPSEC-1338||Full Page Cache poisoning||6.5 (Medium)||The full page cache feature can be manipulated to store incorrect pages under regular page URL entries. (Magento Enterprise Edition)|
|8||APPSEC-1436||XSS vulnerability in URL processing||6.1 (Medium)
|The Magento functions which are related to URL processing uses user-supplied data from request headers, incorrectly.|
|10||APPSEC-1058||GIF flooding||5.3 (Medium)||A denial of service attack occurs when a malicious user uploads any modified image which ultimately causes a script timeout.|
|11||APPSEC-666||Cross-site scripting in Flash file uploader||5.3 (Medium)||On the sites which use the file custom option, the reflected cross-site scripting is possible.|
|12||APPSEC-1282||Filter avoidance||4.9 (Medium)||To stop specially crafted exploit strings, the Implementation of filters for XSS in email templates and other Admin features will not enough.|
|13||APPSEC-327||CSRF in several forms||4.7 (Medium)
|Due to improper form key validation in several forms a CSRF attack is possible which allows a malicious user to create a phishing form which executes an action such as update cart or login that, when clicked by a user. (older versions of Magento)|
|14||APPSEC-1189||CSRF on removing item from Wishlist or Address Book||4.7 (Medium)||Create a phishing page that would remove any item from wishlist or customer’s address when a customer visits that page.|
|15||APPSEC-1478||Session does not expire on logout||4.2 (Medium)||There is no Session timeout after the user logouts from its account which could result into access to the customer’s account.|
|16||APPSEC-1106||Lack of certificate validation enables MitM attacks||3.7 (Low)||This could result into disclosure of customer’s information.|
|17||APPSEC-995||Timing attack on hash checking||3.7 (Low)||It can create a timing attack on the password checking functionality.|
Some of the issues which are mentioned are very critical as per severity level but they have been fixed with the patches. Once you have installed the patches in your store, it may happen that the Magento platform takes some time to integrate with these issue fixes.
If you want to know more about the security patch SUPEE-8788, latest Magento updates or you need help installing this security patch into your Magento store, then contact and discuss your issue with our Magento® Security Experts and get a long lasting resolution for your store.