好了,有人要问这个问题:今天,2015年7月7日,发布了适用于Magento <1.9.2的新安全补丁。
尽快更新您的商店!
但是发生了什么变化?是否存在针对涵盖的安全问题的已知利用?可能发生的最坏情况是什么?
还有什么可以打破的吗?就像SUPEE-5994一样,如果缺少下载程序目录,则无法应用补丁...
Answers:
如前所述,已修补的漏洞在此官方页面(新商人文档)上有详细描述:http : //merch.docs.magento.com/ce/user_guide/Magento_Community_Edition_User_Guide.html#magento/patch-releases-2015.html
该捆绑软件包括针对以下与安全性有关的问题的保护:
- 通过RSS和特权升级的客户信息泄漏
- 在Magento中请求伪造将线索连接到代码执行
- 愿望清单中的跨站点脚本
- 购物车中的跨站点脚本
- 商店路径披露
- 日志文件权限太宽
- Admin中的跨站点脚本
- 订单中的跨站点脚本RSS
在修补了一些商店之后,这就是我收集的内容:
一些主题文件已进行了修补,并添加了转义功能,以防止可能的XSS攻击:
checkout/cart.phtmlcheckout/cart/noItems.phtmlcheckout/onepage/failure.phtmlrss/order/details.phtmlwishlist/email/rss.phtml如果您的主题包含这些模板中的任何一个,或者直接在其中进行了修改base/default(祝您好运,这很麻烦),那么您需要手动对其进行修补:
在结帐模板中,替换所有出现的
$this->getContinueShoppingUrl()与
Mage::helper('core')->quoteEscape($this->getContinueShoppingUrl())在中wishlist/email/rss.phtml,替换
$this->helper('wishlist')->getCustomerName()与
Mage::helper('core')->escapeHtml($this->helper('wishlist')->getCustomerName())在中rss/order/details.phtml,替换
<?php echo $this->__('Customer Name: %s', $_order->getCustomerFirstname()?$_order->getCustomerName():$_order->getBillingAddress()->getName()) ?><br />
<?php echo $this->__('Purchased From: %s', $_order->getStore()->getGroup()->getName()) ?><br />
与
<?php $customerName = $_order->getCustomerFirstname() ? $_order->getCustomerName() : $_order->getBillingAddress()->getName(); ?>
<?php echo $this->__('Customer Name: %s', Mage::helper('core')->escapeHtml($customerName)) ?><br />
<?php echo $this->__('Purchased From: %s', Mage::helper('core')->escapeHtml($_order->getStore()->getGroup()->getName())) ?><br />
.htaccess文件已添加到downloader/Maged并且downloader/lib不允许直接访问源文件。如果您使用nginx,则需要添加以下规则以实现相同的规则(为此,向Ben Lessani致敬):
location /downloader/Maged/ { deny all; }
location /downloader/lib/ { deny all; }
但是我还是建议downloader无论如何都不要从部署到实时系统的系统中进行部署,在这种情况下,您无需采取任何措施。
如果您使用受限管理员帐户,则第三方扩展名的某些菜单可能不再适用于它们。原因是默认的返回值Mage_Adminhtml_Controller_Action::_isAllowed()已从更改true为Mage::getSingleton('admin/session')->isAllowed('admin')。由于不使用ACL而不在其管理控制器中覆盖此方法的扩展现在需要“ ALL”特权。
唯一的解决方案是修补扩展并将此方法添加到其所有管理控制器中:
protected function _isAllowed()
{
return true;
}
或者,如果它们实际上具有在中定义的ACL资源etc/adminhtml.xml:
protected function _isAllowed()
{
return Mage::getSingleton('admin/session')->isAllowed('ENTER RESOURCE IDENTIFIER HERE');
}
(您可以看到该补丁Phoenix_Moneybookers在旧版的Magento版本(如1.7)中具有相同的功能,其中包含此扩展名)
有关此问题的更详细的观点以及如何定义缺少的ACL资源的解释,请参阅:安装SUPEE-6285后访问拒绝的错误。
信息:
can't find file to patch at input line 899
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git app/design/frontend/default/modern/template/checkout/cart.phtml app/design/frontend/default/modern/template/checkout/cart.phtml
|index 982ad5a..2bf6b37 100644
|--- app/design/frontend/default/modern/template/checkout/cart.phtml
|+++ app/design/frontend/default/modern/template/checkout/cart.phtml
--------------------------
File to patch:
Skip this patch? [y]
Skipping patch.
1 out of 1 hunk ignored
原因:该default/modern主题是从安装中删除
解决方案:app/design/frontend/default/modern从全新的Magento下载中添加(应该与您的商店的版本相同)。您也可以使用此镜像:https : //github.com/firegento/magento。然后,在成功应用补丁之后,您可以再次删除主题。
信息
patching file downloader/Maged/.htaccess
can't find file to patch at input line 915
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git downloader/Maged/Controller.php downloader/Maged/Controller.php
|index aa9d705..32755d7 100644
|--- downloader/Maged/Controller.php
|+++ downloader/Maged/Controller.php
--------------------------
File to patch:
Skip this patch? [y]
Skipping patch.
5 out of 5 hunks ignored
can't find file to patch at input line 976
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git downloader/Maged/Model/Session.php downloader/Maged/Model/Session.php
|index 18020eb..7013c94 100644
|--- downloader/Maged/Model/Session.php
|+++ downloader/Maged/Model/Session.php
--------------------------
File to patch:
Skip this patch? [y]
Skipping patch.
2 out of 2 hunks ignored
patching file downloader/lib/.htaccess
can't find file to patch at input line 1020
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git downloader/template/connect/packages.phtml downloader/template/connect/packages.phtml
|index 9cca5a6..f42e74e 100644
|--- downloader/template/connect/packages.phtml
|+++ downloader/template/connect/packages.phtml
--------------------------
File to patch:
Skip this patch? [y]
Skipping patch.
3 out of 3 hunks ignored
can't find file to patch at input line 1049
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git downloader/template/connect/packages_prepare.phtml downloader/template/connect/packages_prepare.phtml
|index f74c3df..86aa51b 100644
|--- downloader/template/connect/packages_prepare.phtml
|+++ downloader/template/connect/packages_prepare.phtml
--------------------------
File to patch:
Skip this patch? [y]
Skipping patch.
1 out of 1 hunk ignored
can't find file to patch at input line 1061
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git downloader/template/login.phtml downloader/template/login.phtml
|index 6e4cd2c..dbbeda8 100644
|--- downloader/template/login.phtml
|+++ downloader/template/login.phtml
--------------------------
File to patch:
Skip this patch? [y]
Skipping patch.
1 out of 1 hunk ignored
can't find file to patch at input line 1073
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git downloader/template/settings.phtml downloader/template/settings.phtml
|index 13551ac..47ab411 100644
|--- downloader/template/settings.phtml
|+++ downloader/template/settings.phtml
--------------------------
File to patch:
Skip this patch? [y]
Skipping patch.
1 out of 1 hunk ignored
原因:该downloader目录已从安装中删除
解决方案:downloader从全新的Magento下载中添加(应该与您的商店的版本相同)。您也可以使用此镜像:https : //github.com/firegento/magento。然后,成功应用补丁后,您可以再次删除目录。
讯息:类似
checking file app/design/frontend/base/default/template/checkout/cart.phtml
Hunk #1 FAILED at 97 (different line endings).
1 out of 1 hunk FAILED
checking file app/design/frontend/base/default/template/checkout/cart/noItems.phtml
Hunk #1 FAILED at 31 (different line endings).
1 out of 1 hunk FAILED
checking file app/design/frontend/base/default/template/checkout/onepage/failure.phtml
Hunk #1 FAILED at 29 (different line endings).
1 out of 1 hunk FAILED
checking file app/design/frontend/base/default/template/rss/order/details.phtml
Hunk #1 FAILED at 31 (different line endings).
1 out of 1 hunk FAILED
checking file app/design/frontend/base/default/template/wishlist/email/rss.phtml
Hunk #1 FAILED at 25 (different line endings).
1 out of 1 hunk FAILED
原因:文件存储时使用\r\n(CRLF,Windows换行符)或\r(CR,Mac换行符)而不是\n(LF,Unix换行符)。
解决方案:只需转换换行符,您的文本编辑器或IDE应该可以做到这一点。
_isAllowed方法。幸运的是,我们确实在模块中添加了ACL,除了添加方法之外,不需要其他操作。此外,我确实遇到了第一个错误消息,其default/modern主题已被移动(由于Git,我也找到了罪魁祸首)。为此+1
通过@ http://blog.philwinkle.com/supee-6285-broken-down/
通常,这涉及添加一个_isAllowed受保护的方法,该方法返回一个布尔值。有时,此布尔值是ACL检查的结果,就像对Adminhtml / controllers / Catalog / Category / WidgetController的更新一样。有时,例如与Adminhtml / controllers / AjaxController.php一样,这是硬编码为true的
添加完后:
protected function _isAllowed()
{
return Mage::getSingleton('admin/session')->isAllowed('system/config');
}
对于第3方负责人之一,管理科又开始“工作”了……
那么我们很快就会获得另一个Magento补丁?这似乎是一个更大的问题...
如果您有很多社区/本地扩展,您将需要特别注意SUPEE-6285中的此更改,该更改会影响app/code/core/Mage/Adminhtml/Controller/Action.php并围绕666行,具体取决于您的补丁程序版本(这是EE 1.14.0.1补丁文件):
protected function _isAllowed()
{
- return true;
+ return Mage::getSingleton('admin/session')->isAllowed('admin');
}
所有未实现自己的管理资源的自定义模块均会受到上述更改的影响,除非该管理员用户具有完整的管理员权限,否则访问将被拒绝。
如果您在修补程序中的其他地方查看,您会看到很多包含的核心模块已更新,但是这可能会影响许多第三方模块,因此请特别注意在修补程序后测试网站中的任何第三方扩展,以检查您仍然可以访问它们!
补丁程序发布页面似乎已更新了有关其影响的信息。
我尚未在生产站点上安装并进行测试