Applying Magento security patches – SUPEE-6285
This bundle includes protection against the following security-related issues:
1. Customer Information Leak via RSS and Privilege Escalation
2. Request Forgery in Magento Connect Leads to Code Execution
3. Cross-site Scripting in Wishlist
4. Cross-site Scripting in Cart
5. Store Path Disclosure
6. Permissions on Log Files too Broad
7. Cross-site Scripting in Admin
8. Cross-site Scripting in Orders RSS
Theme patches
Some theme files have been patched with added escaping to prevent possible XSS attacks:
checkout/cart.phtml
checkout/cart/noItems.phtml
checkout/onepage/failure.phtml
rss/order/details.phtml
wishlist/email/rss.phtml
If your theme(s) contain any of these templates, or if you made modifications directly in base/default (good luck, you are screwed), then you need to patch them manually:
1. in the checkout templates, replace all occurences of
[php]$this->getContinueShoppingUrl()[/php]
with
[php]Mage::helper(‘core’)->quoteEscape($this->getContinueShoppingUrl())[/php]
2. in wishlist/email/rss.phtml, replace
[php]$this->helper(‘wishlist’)->getCustomerName()[/php]
with
[php]Mage::helper(‘core’)->escapeHtml($this->helper(‘wishlist’)->getCustomerName())[/php]
3. In rss/order/details.phtml, replace
[php]echo $this->__(‘Customer Name: %s’, $_order->getCustomerFirstname()?$_order->getCustomerName():$_order->getBillingAddress()->getName())
echo $this->__(‘Purchased From: %s’, $_order->getStore()->getGroup()->getName()) [/php]
with
[php]$customerName = $_order->getCustomerFirstname() ? $_order->getCustomerName() : $_order->getBillingAddress()->getName();
echo $this->__(‘Customer Name: %s’, Mage::helper(‘core’)->escapeHtml($customerName));
echo $this->__(‘Purchased From: %s’, Mage::helper(‘core’)->escapeHtml($_order->getStore()->getGroup()->getName()));[/php]
Permissions
.htaccess files have been added to downloader/Maged and downloader/lib to disallow direct access to source files.
[php]location /downloader/Maged/ { deny all; }
location /downloader/lib/ { deny all; }[/php]
But I recommend to exclude downloader from deployments to a live system system anyway, in this case you don’t need to take action.
Admin Privileges (ACL)
If you use restricted admin accounts, some menus of third party extensions might not work anymore for them. The reason is that the default return value of Mage_Adminhtml_Controller_Action::_isAllowed() has been changed from true to Mage::getSingleton(‘admin/session’)->isAllowed(‘admin’). Extensions that do not override this method in their admin controllers because they don’t use the ACL, now need the “ALL” privilege.
The only solution is to patch the extensions and add this method to all their admin controllers:
[php]protected function _isAllowed()
{
return true;
}[/php]
Or if they actually have an ACL resource defined in etc/adminhtml.xml:
[php]protected function _isAllowed()
{
return Mage::getSingleton(‘admin/session’)->isAllowed(‘ENTER RESOURCE IDENTIFIER HERE’);
}[/php]