SUPEE-6788 is a bundle of patches that resolve several security-related issues.
Several issues with CVSSv3 severity ratings were found affecting Magento products. Below are some of the bugs:
Issue Type: Information Leakage (Internal)

| Vulnerability | Description |
|---|---|
| Error Reporting in Setup Exposes Configuration | Error messages generated during the Magento installation, or during a failed extension installation, can expose the Magento configuration and database access credentials. In most cases the database server is configured to prevent external connections; in other cases the information can be exploited directly or tied to another attack. |
| Filter Directives Can Allow Access to Protected Data | Email template filter functionality can be used to call blocks that expose customer information such as last orders or integration passwords. While Magento uses this functionality safely internally, we were informed about external extensions that use it to process user input such as blog comments. This allows protected information to be accessed from the storefront. |
Issue Type: XXE/XEE (XML Injection)

| Vulnerability | Description |
|---|---|
| XXE/XEE attack on Zend XML functionality using multibyte payloads | Magento can be forced to read XML via API calls containing ENTITY references to local files, possibly reading password or configuration files. While Zend Framework filters out ENTITY references, they can be encoded as multi-byte characters to avoid detection. |
Issue Type: SQL Injection

| Vulnerability | Description |
|---|---|
| Potential SQL Injection in Magento Core Model Based Classes | The addFieldToFilter method does not escape the field name. Although core Magento functionality is not affected, this issue might impact third-party extensions such as layered navigation extensions. Such extensions might be exploited from the storefront to execute arbitrary SQL queries. |
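As an added illustration (not code from the SUPEE-6788 patch or from Magento core), the following hypothetical layered-navigation filter shows the unsafe pattern beside a hardened one; `$collection` is assumed to be a Magento 1 product collection and `$request` the raw request parameters:

```php
<?php
// Added example, hypothetical extension code; not part of Magento core or
// of the SUPEE-6788 patch. $collection is assumed to be a Magento 1
// product collection and $request the raw request parameters.

// UNSAFE: the attribute code is taken straight from the request. Because
// addFieldToFilter() did not escape the field name, a crafted value lands
// in the generated WHERE clause verbatim. The condition value itself is
// quoted by the DB adapter, so the field name is the problem here.
function applyFilterUnsafe($collection, array $request)
{
    $field = $request['attr'];   // attacker-controlled identifier
    $value = $request['value'];
    return $collection->addFieldToFilter($field, $value);
}

// HARDENED: the extension owns the list of attribute codes it will filter
// on, and the identifier is additionally checked for shape. Anything else
// is rejected before it reaches the collection.
function applyFilterSafe($collection, array $request, array $allowedAttributes)
{
    $field = isset($request['attr']) ? (string) $request['attr'] : '';
    $value = isset($request['value']) ? $request['value'] : null;

    if (!in_array($field, $allowedAttributes, true)
        || !preg_match('/^[a-z0-9_]+$/', $field)) {
        Mage::throwException(Mage::helper('core')->__('Invalid filter attribute.'));
    }

    return $collection->addFieldToFilter($field, array('eq' => $value));
}

// Example wiring: only these attribute codes may be used as filter fields.
// $allowed = array('color', 'size', 'manufacturer');
// $collection = applyFilterSafe($collection, $request, $allowed);
```

The allowlist is the real control; the regex only guards against an entry in the list itself being malformed, and applying the same pattern to sort fields or column selections closes the equivalent hole there.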
Issue Type: Remote Code Execution (RCE)

| Vulnerability | Description |
|---|---|
| Potential remote code execution using Cron | The cron.php script can be called by anyone and itself calls command-line functions. This makes it a possible target for the Shellshock vulnerability (which should be fixed on the server). Additionally, the command passed to the shell is not escaped, which, in the case of a directory named as a shell command, can result in code execution; such an attack, however, requires additional access to create directories with arbitrary names, for example through a hosting panel. While scored as high, the attack is not exploitable by itself. |
| Remote Code Execution/Information Leak Using File Custom Option | Custom option values are not cleared when the custom option type is switched. This makes it possible to inject malicious serialized code into a custom option of the “text” type and execute it by switching the custom option type to “file.” To exploit this remote code execution attack, the store has to use custom options, and a store administration account with access to catalog/products is required. |
Issue Type: Cross-site Scripting (XSS) - reflected, Cross-site Request Forgery (CSRF)

| Vulnerability | Description |
|---|---|
| Cross site scripting with error messages/CSRF/Session fixation | Error messages on storefront pages are not escaped correctly, enabling a self-XSS issue. Together with the lack of CSRF protection on the create-account form, this can result in session fixation. |
| Cross-site Scripting/Cache Poisoning | |
Magento highly recommends deploying these new security patches right away to ensure optimal security and performance.
What else can be done to protect a Magento site?
Apart from installing the security patches, you can always ask Magento certified professionals to conduct a security audit every quarter to ensure that your store is secure, especially if you have installed new extensions or made changes to the site.
If you want to implement this security patch or have any questions regarding the Magento SUPEE-6788 security patch, consult our certified Magento developers or contact our support team.