Dec
7
2016

An overview of Magento 1.x security patches

Magento is a great ecommerce platform, and like any open source platform, it requires a degree of maintenance to keep it running smoothly and securely.

Magento themselves publish a list of the patches on their website; this article explores what a Magento security patch is, and a brief overview of what issue each patch resolves.

What is a Magento security patch?

A Magento security patch addresses one or more known security issues with Magento. Sometimes, these are exploits which have made their way on the real-life, production Magento websites. Other patches are precautionary, fixing a potential loophole which could be exploited in the future, but which isn’t known to have been used on a production Magento store.

After their initial release, Magento security patches are packaged with the next update to Magento software.

A brief overview of all Magento 1.x security patches

Below is a list of all current Magento 1.x security patches (as of December 2016; in progress).

Patch name
(Date released)
Description Comments
SUPEE-8788 (October 2016) Addresses issues with Zend framework (which Magento is based on), payment vulnerabilities. 8788 also addresses a potential issue with user sessions, ensuring they are invalidated after a user logs out.

This patch is included in Magento Community Edition 1.9.3 Magento Enterprise 1.14.3.

SUPEE-7405 (February 2016) SUPEE-7405 addresses issues with XSS (cross-site scripting) vulnerabilities in customer registration, customer order comments, and removes the ability to upload executable code via the Magento administration panel media browser tool, as well as other security issues.

This patch is included in Magento Community Edition 1.9.2.4 Magento Enterprise 1.14.2.4.

The first version of the patch introduced issues with Magento’s SOAP API and was not backwards compatible with PHP 5.3 due to short array syntax use. Version 1.1 of the patch addresses these and other issues in SUPEE-7405 v1.0.
SUPEE-6788 (October 2015) The SUPEE-6788 Magento patch addresses issues with the routing of Magento modules in the administration panel, as well as SQL injection, and introducing a whitelist for CMS static blocks to prevent unauthorised access to private information. It also addresses a potential exploit with the “custom option” file type, and secures password resets (which may require you to update your theme’s forms for password reset and account registration). Finally, it addresses an XSS issue.

This patch is included in Magento Community Edition 1.9.2.2 Magento Enterprise 1.14.2.2.

SUPEE-6788 can break backwards compatibility with customisations to your Magento store; see Magento’s tech docs for more information.

Need help with Magento patches?

If you’re struggling with applying Magento security patches, our experienced Magento consultants can help you on an ad-hoc or retained monthly Magento support package