Magento Patch Bundle SUPEE 8788 - Why need to Install?

With the increasing technology, chances for the information getting hacked or leaked is also increasing simultaneously. These security issues also occur with Magento platform too. These issues cause loss of information, spamming, loss of credentials etc. To resolve such issues faced by Magento platform and maintain its performance, several upgrades are released Magento team. This provides a tool to keep your store safe and secure.

The upgrades which are released to solve the security issues are called as the Security patches. Whenever a security patch becomes available, a notification is sent to all the merchants in their admin inbox. You can know about the security vulnerabilities by scanning your Magento shop.

Now let us talk about the Security patch SUPEE-8788. The Magento team has recently released the security patch SUPEE-8788 to address the Zend Framework and Payment vulnerabilities. It includes 17 APPSEC updates to provide protection against security threats like

• Remote Code Execution in checkout
• SQL Injection/Improper validation
• Cross-site Scripting in invitations
• Information leakage
• Insufficient data protection
• Remote Code Execution in admin
• Full page cache Poisoning
• Cross-site Scripting in URL processing
• Cross-site Scripting in Categories Management
• Denial of Services
• Cross-site scripting in Flash file uploader
• Filter avoidance
• Cross-site Request Forgery in several forms
• CSRF on removing item from Wishlist or Address Book
• Insufficient Session Expiration
• Lack of certificate validation and Timing attack.

This security patch makes sure that once the user is logged out from his account, it makes sure that the sessions have been invalidated. Along with this, all the above-stated security issues has been addressed with the solutions which are long lasting.

To make you understand each of the 17 APPSEC updates, we have included all the relevant information in a table format. Let us go through it together:

No.	APPSEC Updates	Security Issue	Severity Level	Description
1	APPSEC-1484	Remote Code Execution in checkout	9.8 (Critical)	With some payment methods it could execute malicious PHP coding during checkout process.
2	APPSEC-1480	SQL injection in Zend Framework	9.1 (Critical)	In this bug, a malicious user can inject SQL in the Zend Framework into the ordering or grouping parameters.
3	APPSEC-1488	Stored XSS in invitations	8.2 (High)	A malicious JavaScript can be added in regards to admin by using the invitation feature of Magento Enterprise Edition.
4	APPSEC-1247	Block cache exploit	7.7 (High)	An attacker can get access to any CMS functionality with administrator permissions can ex-filtrate the information stored in cache by using blocks. It can also execute the codes.
5	APPSEC-1517	Log in as another customer	7.5 (High)	A malicious user can log in to the account using the email address and not password of an existing store customer.
6	APPSEC-1375c	Remote Code Execution in admin	6.5 (Medium)	The import/export functionality without any proper checking supplies the un-serialize data from the Magento Admin dashboard.
7	APPSEC-1338	Full Page Cache poisoning	6.5 (Medium)	The full page cache feature can be manipulated to store incorrect pages under regular page URL entries. (Magento Enterprise Edition)
8	APPSEC-1436	XSS vulnerability in URL processing	6.1 (Medium)	The Magento functions which are related to URL processing uses user-supplied data from request headers, incorrectly.
9	APPSEC-1211	XSS in categories management	6.1 (Medium)	To access the catalog, a category can be created with malicious JavaScript coding. And this can be used in other Admin panel parts.
10	APPSEC-1058	GIF flooding	5.3 (Medium)	A denial of service attack occurs when a malicious user uploads any modified image which ultimately causes a script timeout.
11	APPSEC-666	Cross-site scripting in Flash file uploader	5.3 (Medium)	On the sites which use the file custom option, the reflected cross-site scripting is possible.
12	APPSEC-1282	Filter avoidance	4.9 (Medium)	To stop specially crafted exploit strings, the Implementation of filters for XSS in email templates and other Admin features will not enough.
13	APPSEC-327	CSRF in several forms	4.7 (Medium)	Due to improper form key validation in several forms, a CSRF attack is possible which allows a malicious user to create a phishing form which executes an action such as update cart or login that when clicked by a user. (older versions of Magento)
14	APPSEC-1189	CSRF on removing the item from Wishlist or Address Book	4.7 (Medium)	Create a phishing page that would remove any item from wishlist or customer’s address when a customer visits that page.
15	APPSEC-1478	Session does not expire on logout	4.2 (Medium)	There is no Session timeout after the user logouts from its account which could result into access to the customer’s account.
16	APPSEC-1106	Lack of certificate validation enables MitM attacks	3.7 (Low)	This could result in disclosure of customer’s information.
17	APPSEC-995	Timing attack on hash checking	3.7 (Low)	It can create a timing attack on the password checking functionality.

Some of the issues which are mentioned are very critical as per severity level but they have been fixed with the patches. Once you have installed the patches in your store, it may happen that the Magento platform takes some time to integrate with these issue fixes.

You can go through the guideline to know the installation of a patch for Magento Community Edition here. Read our blog post on Installing Magento Patches in Different Ways…

If you want to know more about the security patch SUPEE-8788, latest Magento updates or you need help installing this security patch into your Magento store, then contact and discuss your issue with our Magento® Security Experts and get a long lasting resolution for your store.