SUPEE-7405

By Brad Leslie, Certified Magento Developer at InteractOne

SUPEE-7405 is the latest security patch released by Magento.

“During customer registration on the storefront, a user can provide an email address that contains JavaScript code. Magento does not properly validate this email and executes it in Admin context when viewing the order in the backend. This JavaScript code can steal an administrator session or act on behalf of a store administrator.”

In a nutshell, SUPEE-7405’s most important fix is that it blocks hackers from breaking into your admin and taking over your store. Clearly, SUPEE-7405 is critical to have installed. Developers should estimate around 3-4 hours to install the patch locally, test and fix, push to dev, allow the client to test, and then deploy to production.

However, below is a list of what the patch changes, followed by the issues that may arise after SUPEE-7405 is applied. These will need to be evaluated on a site-by-site basis, depending on the extensions you have installed.


Changes from patch:
  • Admin

    • Better validation in admin when logging in via URL

    • Protect against executable code within order comments and exported grid data

    • Improved case handling when validating admin actions

    • New validation for admin file uploads so executable files can’t be uploaded as images

      • Image validator

    • Improved forgot password validation

  • Frontend / Core

    • Protected unserialization of user data

    • Improved validation for new accounts

    • Cleaned up Authorize.net integrations related to order data at the time of order placement / success

    • Sanitize product option data so code can’t be executed

    • Improved exception handling in email queue process

    • Added the ability to renew a form key

    • Escape data that’s output on the frontend (products, reviews, etc)

    • Improved guest data handling

    • Added Zend XML security class

Possible issues after patch:
  • Extensions

    • Mass action / report extensions that override CSV exports

    • Product / slider / swatch extensions or anything else dealing with image uploads

    • Auth.Net

    • Payflow (PayPal)

    • Grid extensions

  • Misc

    • Themes should be sanitizing all object data output on the frontend (this is already a best practice)
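
The email issue quoted above and the output-escaping point in the last item, as an added example: standalone PHP (7+) written for this article, not Magento or patch code. The function names and the sample order rows are hypothetical and constructed for illustration.

```php
<?php
// Added example; not taken from Magento or from SUPEE-7405.

/** Registration-time check: refuse markup characters, then apply PHP's email filter. */
function isAcceptableEmail(string $email): bool
{
    if (preg_match('/[<>"\s]/', $email)) {
        return false;
    }
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

/** Escape a stored value for an HTML text or attribute context. */
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Hypothetical admin grid cell that trusts stored data (the behaviour to avoid). */
function renderEmailCellUnsafe(array $order): string
{
    return '<td class="email">' . $order['customer_email'] . '</td>';
}

/** Same cell with the value escaped at output time. */
function renderEmailCell(array $order): string
{
    return '<td class="email">' . escapeForHtml($order['customer_email']) . '</td>';
}

// Constructed sample orders; the second email carries markup in its local part,
// as it could if it was stored before validation was tightened.
$orders = [
    ['customer_email' => 'jane.doe@example.com'],
    ['customer_email' => '"><script>alert(1)</script>"@example.com'],
];

foreach ($orders as $order) {
    $email = $order['customer_email'];
    echo isAcceptableEmail($email) ? "accepted at registration\n" : "rejected at registration\n";
    echo '  unsafe : ' . renderEmailCellUnsafe($order) . "\n"; // markup reaches the page intact
    echo '  escaped: ' . renderEmailCell($order) . "\n";       // markup is rendered as text
}
```

Validation at registration only covers new accounts; escaping at output also covers values already stored, which is why both layers appear here.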

We stress that Magento Security Patch SUPEE-7405 is VERY important. Without it, you’re exposed to vulnerabilities that exist throughout your Magento installation on both the frontend and the admin.

Contact us to get your site patched up ASAP.