
Security Patch



Many online store owners and merchants are already lining up to install the security patch, which is no surprise, as this update is highly important in Magento Development Services.
The security patch addresses the following Magento Development issues: the Zend framework, vulnerabilities related to payment, ensuring that sessions are invalidated after the user logs out, and several other security enhancements.
Before you install the patch, check that the old patches were installed correctly. Some of the patches depend on patches that are already installed. Magereport can be used to check the current patches on your site.
The security patch contains multiple security enhancements that help close cross-site request forgery (CSRF), unauthorized data leak, and authenticated Admin user remote code execution vulnerabilities. These releases also include fixes for issues with image reloading and payments using one-step checkout.
SUPEE-10415:
SUPEE-10415 collectively addresses several issues, such as CSRF (Cross-Site Request Forgery), DoS (Denial of Service), and RCE (Remote Code Execution), and includes a fix for SOAP v1 interaction in WSDL.
Features:
• A site visitor can create an account where one of the parameters will create a server denial-of-service.
• An administrator with limited privileges can insert script in product and short descriptions, potentially resulting in a stored cross-site scripting attack that affects site users.
• An administrator with limited privileges can insert injectable code in promo fields, creating an opportunity for arbitrary remote code execution.
• It addresses an issue affecting a small number of customers to enable two prior patches to handle SOAP v1 interactions in WSDL.
• An administrator with limited privileges can inject a malformed configuration bypass leading to a file redirection that can be leveraged into arbitrary remote code execution.
• An administrator with limited privileges can create a page within the Content Management System (CMS) with an embedded cross-site scripting attack.
• An administrator with limited privileges can create Billing Agreements with embedded cross-site scripting elements that can subsequently lead to a stored cross-site scripting attack.
• An administrator with limited privileges can insert a widget block containing malicious code, creating an opportunity for arbitrary remote code execution.
SUPEE-10266:
SUPEE-10266 includes several security enhancements that help close cross-site request forgery (CSRF), unauthorized data leaks and admin user remote code execution vulnerabilities. It also provides solutions for issues with image reloading and payments by using a one-step checkout.
Features:
• A new Magento 1 security patch, SUPEE-10266, was released on September 14th of 2017. It closes off admin user remote code execution, protects from data leaks and fixes some minor issues. Let’s check the main code changes that are included in the patch.
• SUPEE-10266 for Magento Commerce (Enterprise Edition) includes a fix for functional issue MPERF-9685, related to checkout with a zero order amount. This fix is not included in release 1.14.3.6.
• However, in some cases, SUPEE-10266 can cause issues in the checkout process. Specifically, if a customer enables the Add gift options checkbox during checkout, the checkout process will not progress beyond the payments step. Magento released a fix for this issue as a new patch SUPEE-10348, that needs to be installed on top of SUPEE-10266.
• The SUPEE-10266 patch addresses over 40 security updates and enhancements that help prevent cross-site request forgery, unauthorized data leaks, and admin remote code execution vulnerabilities. But don’t take our word for it. Our developers know Magento’s 150,000 lines of code inside and out, have been tested directly by Magento and are certified to work on Magento.
• The Magento SUPEE-10266 security patch also updates the USPS API First-Class naming convention that causes first class shipping options to not appear at checkout.
It is highly recommended that all Magento merchants apply the SUPEE-10266 security update as soon as possible.
The security patch can be downloaded from the page of Magento security patch installat ...

News Release: Security Patch
Submitted on: December 04, 2017 06:06:16 AM
Submitted by: walkmi
On behalf of: global-ecommerce-services.com/