SUPEE-6788: Magento Security Patch

Contents:
- What is SUPEE-6788?
- Is the patch released now?
- Who will get affected by this patch?
- What vulnerabilities are addressed by this patch?
- Is there any breakdown of extensions with this patch?
- What should we do?

What is SUPEE-6788?

SUPEE-6788 is a Magento security patch. It is a set of patches that resolves several security-related issues; the main issue it addresses is the bypass of custom admin URLs.

Is the patch released now?

Yes, this patch was released on October 27, 2015.

Who will get affected by this patch?

All Magento Community Edition versions prior to 1.9.2.2, and all Magento Enterprise Edition versions prior to 1.14.2.2.

What vulnerabilities are addressed by this patch?

The following vulnerabilities are addressed by this patch:
- Error Reporting in Setup Exposes Configuration - APPSEC-1102
- Filter Directives Can Allow Access to Protected Data - APPSEC-1057
- XXE/XEE attack on Zend XML functionality using multibyte payloads - APPSEC-1045
- Potential SQL Injection in Magento Core Model Based Classes - APPSEC-1063
- Potential remote code execution using Cron - APPSEC-1037
- Remote Code Execution/Information Leak Using File Custom Option - APPSEC-1079
- Cross site scripting with error messages - APPSEC-1039
- Potential remote code execution using error reports and downloadable products - APPSEC-1032
- Admin Path Disclosure - APPSEC-1034
- Insufficient Protection of Password Reset Process - APPSEC-1027
- Dev Folder Not Protected - APPSEC-1124
- Cross-site Scripting/Cache Poisoning - APPSEC-1030

Is there any breakdown of extensions with this patch?

Any extension that has admin functionality and uses a non-default admin URL (a custom admin URL) will be affected by this patch.
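To find such extensions before applying the patch, here is an added Python check (not from the original post or from Magento). It assumes the extension declares its admin pages in etc/config.xml under <admin><routers> and that the patch only routes admin controllers through the admin frontName, so a router with its own custom frontName (URLs of the form /mymodule/admin) is flagged while modules registered on the shared <adminhtml> router are not; the config.xml content is constructed.

```python
"""Added check: find Magento 1 admin routers that SUPEE-6788 stops routing.

Assumptions (not from the original post): admin routes live in etc/config.xml
under <admin><routers>; after the patch, admin controllers must be reached via
the admin frontName (/admin/mymodule), not a custom one (/mymodule/admin).
"""
import xml.etree.ElementTree as ET

# Constructed sample config.xml containing one router of each style.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<config>
  <admin>
    <routers>
      <mymodule>
        <use>admin</use>
        <args>
          <frontName>mymodule</frontName>
        </args>
      </mymodule>
      <adminhtml>
        <args>
          <modules>
            <Vendor_Other before="Mage_Adminhtml">Vendor_Other_Adminhtml</Vendor_Other>
          </modules>
        </args>
      </adminhtml>
    </routers>
  </admin>
</config>
"""

def find_affected_routers(config_xml: str) -> list:
    """Return [(router name, frontName, example URL)] for routers that serve
    admin pages through their own custom frontName; these break after the patch."""
    root = ET.fromstring(config_xml)
    affected = []
    for router in root.findall("./admin/routers/*"):
        if router.tag == "adminhtml":
            continue  # shared admin router: modules registered here keep working
        use = router.findtext("use")
        front = router.findtext("args/frontName")
        if use == "admin" and front and front != "admin":
            affected.append((router.tag, front, f"/{front}/admin"))
    return affected

if __name__ == "__main__":
    for name, front, url in find_affected_routers(SAMPLE_CONFIG):
        print(f"router '{name}': admin pages at {url} -> move under /admin/{front}")
```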
Example:
Correct: http://www.mywebsite.com/admin/mymodule
Wrong: http://www.mywebsite.com/mymodule/admin

Note: There are some other breakdowns; please refer to the link for more info: http://magento.com/security/patches/supee-6788-technical-details

What should we do?

Please install the security patch. You can easily download it from your Magento Account. When applying any new patch, it is important to have applied the previously released patches required for your Magento CE or EE version.

Note: Before applying patches on the production server, best practice is to apply the patch on a development server first. After testing, if it works as expected, move it to the production server.

Oct 31st, 2015