A new Magento security patch SUPEE-10570 for Magento 1 was released on Feb 27th 2018. It is affecting ~60 files of Magento Open Source (Community Edition) and ~90 of Magento Commerce (Enterprise edition). Let’s review what actual changes and improvements are behind those files.
1. Store name vulnerability
Most of the changes are related to the ability to inject some malicious code into a Store, a Website or a Store group name. These names are used on the numerous admin pages, as most of the entities are somehow bound to the Store or Website. So all of the admin grid columns and store selectors on the admin forms were supplied with HTML escaping. The list of changes is pretty big and consists of:
- Any admin grid store column renderer;
- Any admin form store selection field;
- Product grid;
- Order grid;
- Order info page;
- Store edit form;
- Assigned tags products grid;
- Magento Connect store switcher;
- Product attribute options;
- Attribute set;
- Customer “created at” store name;
- Customer sales statistics;
- Dashboard store switcher;
- Newsletter template preview;
- Reports store switcher;
- Tax rate;
- Staging websites and backups grid (Magento Commerce only);
- CMS pages preview (Magento Commerce only);
- Customer website switcher (Magento Commerce only);
- Customer invitation general info tab (Magento Commerce only);
- Staging log (Magento Commerce only).
If your store has custom grids or forms where the store, website or stores group are rendered, it makes sense to make corresponding changes or make sure that those pages are using Magento native renderers. Proper updates should be released for third party extensions.
2. Other admin labels escaping
Some other info in the admin panel escaped as well as the store and website names. These vulnerabilities were covered the same way as in the SUPEE-10415 and SUPEE-10266 security patches. Let’s name these fixes:
- All admin forms tab labels escaping;
- Newsletter template grid: sender name and email escaping;
- Product SKU: tags are not allowed in the product SKU during product save or import. Existing SKUs are escaped;
- Config model: the leading slash symbol is escaped from the config path;
- System > Custom variables: label escaping;
- Widget parameters: HTML tags are stripped during the widget save;
- Visual merchandiser category name escaping;
- Admin forms legend escaping;
- Email “From” header spaces are removed;
- CMS pages hierarchy section: labels escaping (Magento Commerce only);
- Customer edit form: custom entity attribute labels are escaped (Magento Commerce only).
3. Logger changes.
Mage::log method of Mage.php is updated with a screening of PHP opening tag with slashes. This change will restrict the executable scripts addition to the log files.
4. Disallowed blocks
A new feature was added to Magento admin in the SUPEE-6788 patch: the limitation of the block types that can be added to the CMS pages, CMS blocks, product descriptions and so on. Those block types were manipulated from the admin permissions section. The SUPEE-10570 patch adds hardcoded prohibited block types, which are stored as a protected property of Mage_Admin_Model_Resource_Block class. Currently, there is only one prohibited block type: “install/end”.
5. Session updates
New features are introduced with the patch. Customer password creation time is now stored in the database. The core session model now checks whether the password has expired as well as whether the cookie section has expired.
During admin user login the form keys are renewed.
6. Import entities validation
The patch adds validation of the import entity model to the import process. The import entity models are declared in the config.xml files. Valid model types are:
- importexport/import_entity_product
- importexport/import_entity_customer
- enterprise_importexport/import_entity_product (EE only)
So the custom import entity model should be declared with a proper syntax in the proper third party extension. This one may require proper update release for the import extensions.
8. Downloadable products
Downloadable product default content disposition is changed from “inline” to “attachement”. Current configuration for the content disposition is removed via install script. Also, a warning to not use the “inline” content disposition is added.
9. Minor changes
Some minor changes are less significant, so they are gathered here:
- Admin create backup action requires a form key now;
- Order shipping information has a strict comparison of the protect code instead of regular one. The same is for the Magento Commerce RMA shipping info.
- Gift registry (Magento Commerce only): additional check is added, so the current customer session should match the customer address data that is loaded.
Conclusion
Most of the changes are intended to protect your store from low access level admin user injections as well as two previous Magento 1 security patches. We strongly recommend to give access to your Magento admin only to trusted people, and keep your Magento safe by installing all the security patches and implementing all the security recommendations.
Thanks for reading!