Magento Patch Bundle SUPEE 8788 - Why need to Install?

Please fill this form, We'll reply within 24 Hrs.


Please leave this field empty.

SUPEE-8788 Patch

With the increasing technology, chances for the information getting hacked or leaked is also increasing simultaneously. These security issues also occur with Magento platform too. These issues cause loss of information, spamming, loss of credentials etc. To resolve such issues faced by Magento platform and maintain its performance, several upgrades are released Magento team. This provides a tool to keep your store safe and secure.

The upgrades which are released to solve the security issues are called as the Security patches. Whenever a security patch becomes available, a notification is sent to all the merchants in their admin inbox. You can know about the security vulnerabilities by scanning your Magento shop.

Now let us talk about the Security patch SUPEE-8788. The Magento team has recently released the security patch SUPEE-8788 to address the Zend Framework and Payment vulnerabilities. It includes 17 APPSEC updates to provide protection against security threats like

  • Remote Code Execution in checkout
  • SQL Injection/Improper validation
  • Cross-site Scripting in invitations
  • Information leakage
  • Insufficient data protection
  • Remote Code Execution in admin
  • Full page cache Poisoning
  • Cross-site Scripting in URL processing
  • Cross-site Scripting in Categories Management
  • Denial of Services
  • Cross-site scripting in Flash file uploader
  • Filter avoidance
  • Cross-site Request Forgery in several forms
  • CSRF on removing item from Wishlist or Address Book
  • Insufficient Session Expiration
  • Lack of certificate validation and Timing attack.

This security patch makes sure that once the user is logged out from his account, it makes sure that the sessions have been invalidated. Along with this, all the above-stated security issues has been addressed with the solutions which are long lasting.

To make you understand each of the 17 APPSEC updates, we have included all the relevant information in a table format. Let us go through it together:

No. APPSEC Updates Security Issue Severity Level Description
1 APPSEC-1484 Remote Code Execution in checkout 9.8 (Critical) With some payment methods it could execute malicious PHP coding during checkout process.
2 APPSEC-1480 SQL injection in Zend Framework 9.1 (Critical) In this bug, a malicious user can inject SQL in the Zend Framework into the ordering or grouping parameters.
3 APPSEC-1488 Stored XSS in invitations 8.2 (High) A malicious JavaScript can be added in regards to admin by using the invitation feature of Magento Enterprise Edition.
4 APPSEC-1247 Block cache exploit 7.7 (High) An attacker can get access to any CMS functionality with administrator permissions can ex-filtrate the information stored in cache by using blocks. It can also execute the codes.
5 APPSEC-1517 Log in as another customer 7.5 (High) A malicious user can log in to the account using the email address and not password of an existing store customer.
6 APPSEC-1375c Remote Code Execution in admin 6.5 (Medium) The import/export functionality without any proper checking supplies the un-serialize data from the Magento Admin dashboard.
7 APPSEC-1338 Full Page Cache poisoning 6.5 (Medium) The full page cache feature can be manipulated to store incorrect pages under regular page URL entries. (Magento Enterprise Edition)
8 APPSEC-1436 XSS vulnerability in URL processing 6.1 (Medium)

 

The Magento functions which are related to URL processing uses user-supplied data from request headers, incorrectly.
9 APPSEC-1211 XSS in categories management 6.1 (Medium) To access the catalog, a category can be created with malicious JavaScript coding. And this can be used in other Admin panel parts.
10 APPSEC-1058 GIF flooding 5.3 (Medium) A denial of service attack occurs when a malicious user uploads any modified image which ultimately causes a script timeout.
11 APPSEC-666 Cross-site scripting in Flash file uploader 5.3 (Medium) On the sites which use the file custom option, the reflected cross-site scripting is possible.
12 APPSEC-1282 Filter avoidance 4.9 (Medium) To stop specially crafted exploit strings, the Implementation of filters for XSS in email templates and other Admin features will not enough.
13 APPSEC-327 CSRF in several forms 4.7 (Medium)

 

Due to improper form key validation in several forms, a CSRF attack is possible which allows a malicious user to create a phishing form which executes an action such as update cart or login that when clicked by a user. (older versions of Magento)
14 APPSEC-1189 CSRF on removing the item from Wishlist or Address Book 4.7 (Medium) Create a phishing page that would remove any item from wishlist or customer’s address when a customer visits that page.
15 APPSEC-1478 Session does not expire on logout 4.2 (Medium) There is no Session timeout after the user logouts from its account which could result into access to the customer’s account.
16 APPSEC-1106 Lack of certificate validation enables MitM attacks 3.7 (Low) This could result in disclosure of customer’s information.
17 APPSEC-995 Timing attack on hash checking 3.7 (Low) It can create a timing attack on the password checking functionality.

Some of the issues which are mentioned are very critical as per severity level but they have been fixed with the patches. Once you have installed the patches in your store, it may happen that the Magento platform takes some time to integrate with these issue fixes.

You can go through the guideline to know the installation of a patch for Magento Community Edition here. Read our blog post on Installing Magento Patches in Different Ways

If you want to know more about the security patch SUPEE-8788, latest Magento updates or you need help installing this security patch into your Magento store, then contact and discuss your issue with our Magento® Security Experts and get a long lasting resolution for your store.

1. Magento Retaliates the Uncanny Hacks-men with a Befitting Shopper-popper Patch
PCI Complience in Magento

2 comments

  1. Thank you for sharing such an important update. I can see that this security patch can help us resolve many different security issues.

  2. I can see that this SUPEE 8788 provides the solution for multiple security bugs and issues. I would like to see the information about other important Magento Security patch. Thanks for sharing this one!

Leave a Reply

Your email address will not be published. Required fields are marked *

Please fill this form, We'll reply within 24 Hrs.


Please leave this field empty.

Please fill this form, Mr.Yogesh will reply by email asap.


Please leave this field empty.

Please fill this form, Mr.Darshit will reply by email asap.


Please leave this field empty.

Please fill this form, Mr.Jayesh will reply by email asap.


Please leave this field empty.

Please fill this form, Mr.Jiten will reply by email asap.


Free eGuide

Ultimate Guide on Magento 2 Shipping Methods

Shipping Methods also play a very vital role in an eCommerce store, to make it a success.
DOWNLOAD NOW