
Issue with SUPEE-6788 form_key tokens


A Magento 1 site I'm working on (v1.9.4.1) has been failing its security scan; it says that security patch SUPEE-6788 is not installed correctly. Given that that patch was introduced as always installed in v1.9.2.2, this was rather odd to us. We did some digging and it turns out that the "form_key" anti-forgery token hidden fields, which SUPEE-6788 apparently introduced, were missing from some of the standard forms on the site. We are trying to figure out why exactly the form_key fields are in fact missing. We have already looked at all the plugins and themes but have so far found nothing that would override the default form code (which DOES have the form_key fields there, so the core code wasn't altered). So if anyone has any answers or insight, it would be appreciated. Thanks.

1 REPLY

Re: Issue with SUPEE-6788 form_key tokens

Hi @milestech 

 

Does the report mention which page it fails on? If you are using custom modules, are those fixed for APPSEC-1034, addressing the custom admin URL bypass issue?

Please refer to https://magento.com/security/patches/supee-6788-technical-details

---
Problem Solved Click Accept as Solution!:Magento Community India Forum
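
To narrow down which rendered pages are affected, the check below (an added example, not part of the original thread or of Magento's code) parses a page's HTML and lists every POST form that lacks a hidden `form_key` field. The sample markup, form ids and action paths are constructed, and treating an empty `form_key` value as missing is an assumption of this example.

```python
from html.parser import HTMLParser

class FormKeyAudit(HTMLParser):
    """Record each <form> and whether it contains a form_key input."""
    def __init__(self):
        super().__init__()
        self.forms = []    # finished forms
        self.cur = None    # form currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.cur = {"id": a.get("id") or "", "action": a.get("action") or "",
                        "method": (a.get("method") or "get").lower(), "key": False}
        elif tag == "input" and self.cur is not None:
            # Assumption: an empty value counts as a missing token.
            if a.get("name") == "form_key" and a.get("value"):
                self.cur["key"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self.cur is not None:
            self.forms.append(self.cur)
            self.cur = None

def forms_missing_form_key(html):
    """Return (id, action) of every POST form without a form_key field."""
    audit = FormKeyAudit()
    audit.feed(html)
    audit.close()
    if audit.cur is not None:          # form never closed in the markup
        audit.forms.append(audit.cur)
    return [(f["id"], f["action"]) for f in audit.forms
            if f["method"] == "post" and not f["key"]]

# Constructed sample page: one protected form, one unprotected, one GET form.
SAMPLE_PAGE = """
<form id="form-a" action="/example/login/" method="post">
  <input name="form_key" type="hidden" value="AbC123xyz" />
  <input name="username" type="text" />
</form>
<form id="form-b" action="/example/subscribe/" method="POST">
  <input name="email" type="text" />
</form>
<form id="form-c" action="/example/search/" method="get">
  <input name="q" type="text" />
</form>
"""

if __name__ == "__main__":
    for form_id, action in forms_missing_form_key(SAMPLE_PAGE):
        print(f"POST form without form_key: id={form_id!r} action={action!r}")
```

Feeding it the saved HTML of each page the scan report names shows which forms to trace back to a template or layout override.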