Magento SUPEE-5994 Security Patch
Magento has announced a second security patch, SUPEE-5994 (14th May 2015), as part of its ongoing commitment to excellence in platform security and performance. This patch needs to be applied to ALL versions of Magento Community. All of our clients will have received an email this morning with links to the relevant literature, including one with steps to install this patch. We recommend that you install it as soon as possible.
The patch addresses a number of areas on top of SUPEE-5344 (shoplift) and SUPEE-1533, which we discussed in our last blog post (goo.gl/YOcxHK). While no known attacks have come to light as yet, the patch resolves issues in the following areas:
Admin Path Disclosure
Description: An attacker can force the Admin Login page to appear by directly calling a module, regardless of the URL. This exposes the Admin URL on the page and makes it easier to initiate password attacks.
Customer Address Leak through Checkout
Description: Enables an attacker to obtain address information (name, address, phone) from the address books of other store customers.
During the checkout process, the attacker can gain access to an arbitrary address book by entering a sequential ID. No payment information is returned. The only requirement for the attacker is to create an account in the store, put any product into the cart, and start the checkout process.
This attack can be fully automated, and a functional proof of concept exists.
Customer Information Leak through Recurring Profile
Description: This issue enables an attacker to obtain address (name, address, phone), previous order (items, amounts) and payment method (payment method, recurrence) information from the recurring payment profiles of other store customers.
The attacker just needs to create an account with the store. While viewing their own recurring profile, the attacker can request an arbitrary recurring profile using a sequential ID, and the information is then returned to them.
This attack can be fully automated, and a manual proof of concept exists.
Local File Path Disclosure Using Media Cache
Description: An attacker can use fictitious image URLs to generate exceptions that expose internal server paths, regardless of settings.
Spreadsheet Formula Injection
Description: An attacker can provide input that executes as a formula when the data is exported and opened in a spreadsheet such as Microsoft Excel. The formula can modify data, export personal data to another site, or cause remote code execution. The spreadsheet usually displays a warning message, which the user must dismiss for the attack to succeed.
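As an added illustration (not from the original post or from Magento's own code), the following Python shows the usual defence against the spreadsheet formula injection described above: neutralise exported strings that a spreadsheet would evaluate, and scan an existing export for such cells. The sample customer rows are constructed.

```python
import csv
import io

# Leading characters that make Excel/LibreOffice evaluate a cell as a formula
# (tab and carriage return are included because spreadsheets strip them first).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(cell: str) -> bool:
    """True if a spreadsheet would treat this cell text as a formula."""
    if not cell.startswith(FORMULA_TRIGGERS):
        return False
    try:
        float(cell)  # "-5.0" or "+12" is a plain number, not a formula
        return False
    except ValueError:
        return True


def neutralize_cell(value):
    """Make a cell safe for export: strings that look like formulas get a
    leading apostrophe so they are displayed literally; numbers and ordinary
    text pass through unchanged."""
    if isinstance(value, str) and is_formula_like(value):
        return "'" + value
    return value


def export_rows(rows, neutralize=True) -> str:
    """Serialise rows to CSV; neutralize=False reproduces the vulnerable export."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(v) if neutralize else v for v in row])
    return buf.getvalue()


def find_suspicious_cells(csv_text: str):
    """Detection side: (row, column, text) of every cell in an existing export
    that a spreadsheet would evaluate on opening."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        for c, cell in enumerate(row, start=1):
            if is_formula_like(cell):
                hits.append((r, c, cell))
    return hits


# Constructed sample: a customer export in which one name field is hostile.
SAMPLE_ROWS = [
    ["customer_id", "name", "city", "balance"],
    [101, "Alice Example", "Leeds", -5.0],
    [102, "=2+2", "York", 12.5],
]

if __name__ == "__main__":
    print(find_suspicious_cells(export_rows(SAMPLE_ROWS, neutralize=False)))  # [(3, 2, '=2+2')]
    print(find_suspicious_cells(export_rows(SAMPLE_ROWS)))                    # []
```

The apostrophe remains visible when some spreadsheets import the file; that is the price of forcing literal display.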
Cross-site Scripting Using Authorize.Net Direct Post Module
Description: Enables an attacker to execute JavaScript in the context of a customer session. If a customer clicks a malicious link, the attacker can steal cookies and hijack the session, which can expose personal information and compromise checkout.
Malicious Package Can Overwrite System Files
Description: An attacker can publish a malicious extension package. When a customer installs the package, it can overwrite files on the server. The attacker must first publish the package and then entice a customer to install it. The package might also carry a malicious payload.
Warning – Please test all patches in a test environment before taking them live. If you are not familiar with patch installation, you can have your developer do this for you. We take no responsibility if the patch breaks your website, so please make sure you have backed up everything before applying any updates or patches.
** If you are on a plan that doesn’t come with SSH, you can open a support ticket and we can enable SSH for your account for 48-72 hours free of charge.