SUPEE-6788

By Brad Leslie, Certified Magento Developer at InteractOne

Magento released SUPEE-6788 on October 27, 2015, which fixes a number of security issues relating to customer registration, forgotten customer passwords, admin actions, SQL injections and more. The difficulty with this patch, in particular, is how invasive it can be when applied to a highly customized shop.

“Magento Enterprise Edition 1.14.2.2, Community Edition 1.9.2.2 and the patch bundleSUPEE-6788 address several security issues. Unfortunately, addressing these issues required some changes that may possibly break backward compatibility with customizations or extensions.” – Read More

Magento is modular, meaning that individual features are packaged together and can be added or removed without impacting the other features. 6788 fixes all of the core, read ‘out-of-the-box’, modules, but those same changes must also be made to the local and community, read ‘custom’, modules. There are various scripts on the web that will attempt to fix the custom modules automagically, but these will rarely work 100% due to inconsistencies in acceptable coding practices within Magento, namely the admin routers.

Standardizing these inconsistencies is typically the most time consuming aspect of applying 6788. Since magic scripts can’t fix every issue, the changes must be evaluated and, if necessary, corrected by hand. Correcting modules that the developer wrote himself would take a fair amount of time, but the number of third party modules installed that the developer is not completely familiar with is directly proportional to the amount of time required to fix those modules. Some modules are more complex than others, but they all must be evaluated and most will require updates for consistency.

Magento has also altered their support for backticks when working with collection filters. A find-and-replace can fix most of these fairly easily, but there are a number of extensions that use direct queries with backticks that need to be rewritten on a case-by-case basis.

In addition to fixing the custom modules, custom themes may require updates due to several template changes. The customer registration form now requires a ‘form_key’ field and the forgotten password layout XML has been updated to use a new block.

The front end has received some more attention with the addition of permissions for custom variable and CMS blocks. These are managed via the ‘variables’ and ‘blocks’ menu items within the admin panel at System > Permissions. Any custom variables or CMS blocks that will be used on the front end must be whitelisted via those pages.

It’s important to understand that running SUPEE-6788 alone is not enough for a shop to be protected from the vulnerabilities that it fixes. While magereport.com may say that the patch has been applied, if all of the modules have not been evaluated and updated, the shop is still at risk.

Some tell-tale signs of an issue with 6788:

  • Admin URLs / actions throw 404 errors
  • Missing content on the front end
  • API connection issues

Do you know if your site has the SUPEE Patch 6788 installed? Better yet, was it installed correctly? When it comes to Magento, Security patches should be taken seriously and installed by true Magento trained experts.

[gravityform id=”23″ title=”true” description=”true”]