A new Magento 1 security patch, SUPEE-10266, was released on September 14th, 2017. It closes a remote code execution vector available to admin users, protects against data leaks and fixes some minor issues. Let’s review the main code changes included in the patch.

1. Admin indirect logging in.

A minor adjustment to Mage_Admin_Model_Session logs the admin user out if the user session data was extracted from the admin RSS. Mage_Rss_Helper_Data::authAdmin now adds an additional flag, “indirect_login”, to the admin session data, and the Mage_Admin_Model_Session constructor checks for that flag by calling the Mage_Admin_Model_Session::logoutIndirect method.

2. Injection escape.

A few places with dynamic content were updated with the escapeHtml method call. Those places are:

  • Admin notifications grid;
  • Admin notifications in the head of the page;
  • Customer group name on the admin customer edit page “Customer View” tab;
  • Customer group name on the order view page.

So two exploits are uncovered here: the customer group name and the admin notification message.

Also, there is a quote escape in the order history template.

3. Forced form keys.

The Mage_Adminhtml_Controller_Action::preDispatch method now calls the _checkIsForcedFormKeyAction method. This way, you can declare the actions that require form key checking in the preDispatch method of your Adminhtml controller. An example can be found in the Mage_Adminhtml_CustomerController:

    public function preDispatch()
    {
        $this->_setForcedFormKeyActions('delete');
        return parent::preDispatch();
    }

Also, every delete URL now gets a form key in the Mage_Adminhtml_Block_Widget_Form_Container::getFormActionUrl method, so you should check for overrides of this method in your custom or third-party extensions.
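One way to run that check across a code base, as an added example that is not part of the patch or the original article: the script lists every PHP file in app/code/local and app/code/community that defines getFormActionUrl() and marks those that neither call the parent method nor mention form_key. The Acme_* modules in the sample tree are constructed for illustration, and the OK/REVIEW split is a text heuristic, not a verdict.

```shell
#!/bin/sh
# Added example, not part of the patch: list custom/third-party overrides of
# getFormActionUrl(). Assumes the standard Magento 1 code pools
# app/code/local and app/code/community under the given root.

# Prints "STATUS<TAB>path" per PHP file that defines getFormActionUrl():
#   OK     - calls parent::getFormActionUrl() or mentions form_key
#   REVIEW - does neither, so the URL is built without the patched core code
# The classification is a text heuristic; REVIEW means "read this file".
audit_form_action_overrides() {
    root=$1
    for pool in local community; do
        dir="$root/app/code/$pool"
        [ -d "$dir" ] || continue
        find "$dir" -type f -name '*.php' -exec grep -lE \
            'function[[:space:]]+getFormActionUrl[[:space:]]*\(' {} + |
        sort |
        while IFS= read -r file; do
            if grep -qE 'parent::getFormActionUrl|form_key' "$file"; then
                printf 'OK\t%s\n' "$file"
            else
                printf 'REVIEW\t%s\n' "$file"
            fi
        done
    done
}

# Constructed sample tree (hypothetical Acme_* modules) for a dry run.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/app/code/local/Acme/Blog/Block" "$t/app/code/community/Acme/Faq/Block"
    cat > "$t/app/code/local/Acme/Blog/Block/Edit.php" <<'EOF'
<?php class Acme_Blog_Block_Edit extends Mage_Adminhtml_Block_Widget_Form_Container {
    public function getFormActionUrl() { return $this->getUrl('*/*/save'); }
}
EOF
    cat > "$t/app/code/community/Acme/Faq/Block/Edit.php" <<'EOF'
<?php class Acme_Faq_Block_Edit extends Mage_Adminhtml_Block_Widget_Form_Container {
    public function getFormActionUrl() { return parent::getFormActionUrl(); }
}
EOF
    printf '%s\n' "$t"
}

# Usage: sh audit.sh /path/to/magento
if [ $# -gt 0 ]; then audit_form_action_overrides "$1"; fi
```

Files marked REVIEW build their form action URL without going through the core method, so read them by hand against the patched Mage_Adminhtml_Block_Widget_Form_Container.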

4. Newsletter templates cross site scripting.

The Mage_Adminhtml_Newsletter_QueueController::dropAction and Mage_Adminhtml_Newsletter_TemplateController::dropAction methods were updated, so they no longer get the newsletter template text via a GET request.

The Mage_Core_Model_Email_Template_Abstract::_getCssFileContent method makes sure that your email template CSS file is located in the skin directory.

The purpose of these updates is to prevent admin users from inserting cross-site scripts, mostly users with limited access to Magento resources.

5. Layout update validator.

The Mage_Adminhtml_Model_LayoutUpdate_Validator::isValid method was updated to validate template paths against directory traversal.

6. Image processing.

The image processing that was added in the SUPEE-9767 patch is now optional. You may disable it by setting the config general/reprocess_images/active to 0 programmatically, but not via the Admin panel. However, once you disable it, the image exploit becomes possible again.

7. Reordering exploit.

The Mage_Checkout_CartController::addgroupAction method was updated to check the current customer ID and filter the order items. This way, a customer's order cannot be reordered by another customer.

8. Login autocomplete.

The admin, downloader and installation login templates were changed, so the browser autocomplete in Firefox will work properly. Basically, a hidden dummy field with type “password” was added to those templates.

Keep your Magento up-to-date and secure, and thanks for reading!