• What is SUPEE-6788?
• Is the patch released now?
• Who will be affected by this patch?
• Which vulnerabilities are addressed by this patch?
• Does this patch break any extensions?
• What should we do?
• What is SUPEE-6788?
    SUPEE-6788 is a Magento security patch.
    It is a bundle of fixes that resolves several security-related issues.
    The change with the widest impact is to admin routing: it closes routes that let admin functionality be reached outside the configured custom admin URL.
    Is the patch released now?
    Yes. The patch was released on October 27, 2015.
    Who will be affected by this patch?
    All Magento Community Edition installs prior to 1.9.2.2 and all Magento Enterprise Edition installs prior to 1.14.2.2.
    Which vulnerabilities are addressed by this patch?

    The following vulnerabilities are addressed by this patch:

    • Error Reporting in Setup Exposes Configuration - APPSEC-1102
    • Filter Directives Can Allow Access to Protected Data - APPSEC-1057
    • XXE/XEE attack on Zend XML functionality using multibyte payloads - APPSEC-1045
    • Potential SQL Injection in Magento Core Model Based Classes - APPSEC-1063
    • Potential remote code execution using Cron - APPSEC-1037
    • Remote Code Execution/Information Leak Using File Custom Option - APPSEC-1079
    • Cross site scripting with error messages - APPSEC-1039
    • Potential remote code execution using error reports and downloadable products - APPSEC-1032
    • Admin Path Disclosure - APPSEC-1034
    • Insufficient Protection of Password Reset Process - APPSEC-1027
    • Dev Folder Not Protected - APPSEC-1124
    • Cross-site Scripting/Cache Poisoning - APPSEC-1030
    Does this patch break any extensions?

    Any extension that provides admin functionality through a non-default admin URL (a custom admin router with its own front name) will be affected by this patch.

    Example:
    Correct: http://www.mywebsite.com/admin/mymodule
    Wrong: http://www.mywebsite.com/mymodule/admin

    Note: the patch breaks some other things as well; see the technical details for more information: http://magento.com/security/patches/supee-6788-technical-details
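    As an added illustration (not code from the original post), the two config.xml fragments below show the admin-router form that this patch blocks beside the adminhtml-router form it expects. The module name Vendor_MyModule, the front name mymodule and the controller name are assumptions.

```xml
<!-- Added example for a hypothetical module Vendor_MyModule; not from the post. -->

<!-- BEFORE (affected by SUPEE-6788): a custom admin router with its own
     frontName, reachable at http://www.mywebsite.com/mymodule/admin/... -->
<config>
    <admin>
        <routers>
            <mymodule>
                <use>admin</use>
                <args>
                    <module>Vendor_MyModule</module>
                    <frontName>mymodule</frontName>
                </args>
            </mymodule>
        </routers>
    </admin>
</config>

<!-- AFTER (compatible): register the module's admin controllers with the
     standard adminhtml router, so they are served under the configured
     admin URL, e.g. http://www.mywebsite.com/admin/mymodule/... -->
<config>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <modules>
                        <Vendor_MyModule before="Mage_Adminhtml">Vendor_MyModule_Adminhtml</Vendor_MyModule>
                    </modules>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>

<!-- With the AFTER form the controller moves to
     controllers/Adminhtml/MymoduleController.php as class
     Vendor_MyModule_Adminhtml_MymoduleController, and admin links are built
     from the route 'adminhtml/mymodule/index' rather than 'mymodule/admin'. -->
```

    The patched release also adds an "Admin routing compatibility mode for extensions" setting under System > Configuration > Advanced > Admin > Security; it is a stopgap while extensions are converted, not a substitute for fixing their routing.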
    What should we do?

    Please install the security patch. It can be downloaded from your Magento account.

    When applying any new patch, it is important that the previously released patches required for your Magento CE or EE version have already been applied.

    Note: before applying patches on a production server, best practice is to apply the patch on a development server first.

    Once testing shows that it works as expected, apply it to the production server.