SUPEE-6788: Magento® Security Patch

SUPEE-6788 is a Magento Security Patch.
SUPEE-6788 is set of patches which resolves several security related issues.
In this patch its mainly addressed to bypass custom admin URL.

Yes, this patch released on October 27, 2015

All Magento Community Edition prior to 1.9.2.2, and Magento Enterprise Edition prior to 1.14.2.2

Following is the vulnerabilities addressed by this patch:

• Error Reporting in Setup Exposes Configuration - APPSEC-1102
• Filter Directives Can Allow Access to Protected Data - APPSEC-1057
• XXE/XEE attack on Zend XML functionality using multibyte payloads - APPSEC-1045
• Potential SQL Injection in Magento Core Model Based Classes - APPSEC-1063
• Potential remote code execution using Cron - APPSEC-1037
• Remote Code Execution/Information Leak Using File Custom Option - APPSEC-1079
• Cross site scripting with error messages - APPSEC-1039
• Potential remote code execution using error reports and downloadable products - APPSEC-1032
• Admin Path Disclosure - APPSEC-1034
• Insufficient Protection of Password Reset Process - APPSEC-1027
• Dev Folder Not Protected - APPSEC-1124
• Cross-site Scripting/Cache Poisoning - APPSEC-1030

If any extension that has admin functionality and uses non-default admin URLs (Custom Admin URLs) they will be affected by this patch.

Example:
Correct: http://www.mywebsite.com/admin/mymodule
Wrong: http://www.mywebsite.com/mymodule/admin

Note: There are some other breakdowns, please refer the link for more info: http://magento.com/security/patches/supee-6788-technical-details

Please install the security patch. You can easily download this security patch from Magento Account.

While apply any new patch, its important to apply previous released patch as per Magento CE or EE version requirement.

Note : Before applying patches on production server, best practice is to apply this patch first in development server.

After testing if you feel that its working fine as expected then move to production server.