Security issues

On May 31 Magento released a new version of Magento (1.9.3.3) and a security patch (SUPEE-9767) for all previous versions. As always, we began rolling this out for our customers as soon as possible to make sure they are secure. But this time we stumbled across some problems.

Symlink issue

Magento tried to fix a security issue by removing the option to use symlinks from the Admin Panel. But you can still use symlinks by setting the config value "dev/template/allow_symlink" to "1" directly in the database. Also, if you had previously enabled it, it is still using symlinks. For this case they implemented a warning in the backend to let the shop owner know this is the case. The problem is that they made a little mistake in the layout file, so this warning is never displayed.

In the file app/design/adminhtml/default/default/layout/main.xml around line 117 we see the following code:

  <block type="core/text_list" name="notifications" as="notifications">
    <block type="adminhtml/notification_baseurl" name="notification_baseurl" as="notification_baseurl" template="notification/baseurl.phtml"></block>
    <block type="adminhtml/cache_notifications" name="cache_notifications" template="system/cache/notifications.phtml"></block>
    <block type="adminhtml/notification_survey" name="notification_survey" template="notification/survey.phtml"/>
    <block type="adminhtml/notification_security" name="notification_security" as="notification_security" template="notification/security.phtml"></block>
    <block type="adminhtml/checkout_formkey" name="checkout_formkey" as="checkout_formkey" template="notification/formkey.phtml"/>
  </block>
  <block type="adminhtml/notification_symlink" name="notification_symlink" template="notification/symlink.phtml"/>

Which should be:

  <block type="core/text_list" name="notifications" as="notifications">
    <block type="adminhtml/notification_baseurl" name="notification_baseurl" as="notification_baseurl" template="notification/baseurl.phtml"></block>
    <block type="adminhtml/cache_notifications" name="cache_notifications" template="system/cache/notifications.phtml"></block>
    <block type="adminhtml/notification_survey" name="notification_survey" template="notification/survey.phtml"/>
    <block type="adminhtml/notification_security" name="notification_security" as="notification_security" template="notification/security.phtml"></block>
    <block type="adminhtml/checkout_formkey" name="checkout_formkey" as="checkout_formkey" template="notification/formkey.phtml"/>
    <block type="adminhtml/notification_symlink" name="notification_symlink" template="notification/symlink.phtml"/>
  </block>

The problem here (if you don't see it right away) is that the "notification_symlink" block is placed outside the "notifications" block, so the core/text_list container never renders it.
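As an added check (not part of the original post), here is a small Python script that parses a layout file and reports whether the symlink warning block is really a child of the notifications container. The two layout fragments and the function names are constructed for this example; the check also accepts a <reference name="notifications"> container, which is the other way layout XML can add children to that block.

```python
import xml.etree.ElementTree as ET

# Elements that place child blocks inside the admin "notifications" text list.
CONTAINER_TAGS = ("block", "reference")


def symlink_notice_enabled(layout_xml: str) -> bool:
    """Return True when "notification_symlink" is a direct child of the
    "notifications" core/text_list block (or of a <reference> to it).

    core/text_list only renders its children; a "notification_symlink"
    block that sits next to the container instead of inside it never
    outputs its template, which is the SUPEE-9767 v1 layout mistake.
    """
    root = ET.fromstring(layout_xml)
    for element in root.iter():
        if element.tag not in CONTAINER_TAGS or element.get("name") != "notifications":
            continue
        # Only direct children of the container are rendered by the text list.
        for child in element.findall("block"):
            if child.get("name") == "notification_symlink":
                return True
    return False


# Constructed fragments (not the shipped main.xml) mirroring the listing above.
BROKEN_LAYOUT = """<layout><default><reference name="root">
  <block type="core/text_list" name="notifications" as="notifications">
    <block type="adminhtml/checkout_formkey" name="checkout_formkey" as="checkout_formkey" template="notification/formkey.phtml"/>
  </block>
  <block type="adminhtml/notification_symlink" name="notification_symlink" template="notification/symlink.phtml"/>
</reference></default></layout>"""

FIXED_LAYOUT = """<layout><default><reference name="root">
  <block type="core/text_list" name="notifications" as="notifications">
    <block type="adminhtml/checkout_formkey" name="checkout_formkey" as="checkout_formkey" template="notification/formkey.phtml"/>
    <block type="adminhtml/notification_symlink" name="notification_symlink" template="notification/symlink.phtml"/>
  </block>
</reference></default></layout>"""


def check_layout_file(path: str) -> bool:
    """Run the same check against a real layout file, e.g. the patched main.xml."""
    with open(path, encoding="utf-8") as handle:
        return symlink_notice_enabled(handle.read())


if __name__ == "__main__":
    for label, layout in (("broken", BROKEN_LAYOUT), ("fixed", FIXED_LAYOUT)):
        state = "rendered" if symlink_notice_enabled(layout) else "never rendered"
        print(f"{label} layout: symlink warning is {state}")
```

Point check_layout_file at app/design/adminhtml/default/default/layout/main.xml after patching to confirm the warning will actually show up for shops that still have symlinks enabled.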

Account creation issue within the checkout

Another security measure they implemented is form keys for the checkout, which prevent Cross-Site Request Forgery. The problem is that if you enable this option (System → Configuration → Advanced: Admin → Security → Enable Form Key Validation On Checkout), the default checkout is no longer able to create accounts. The order is processed, but no account is created.

The problem here was that the form key wasn't sent to the saveMethodAction, as Peter O'Callaghan pointed out. This morning Raphael came up with a temporary solution until version 2 of the patch is released by Magento.

Update (2017-07-12):
Magento released version 2 of this patch.