
SUPEE-6285 - 1.4.1 / 1.5

SOLVED

Re: SUPEE-6285 - 1.4.1 / 1.5

Hi all, current ETA for the 1.4 & 1.5 patches is late next week. 

 

I realize upgrading from these versions to a recent version is a massive task, but I would like to emphasize again that these are very outdated (2010-2011) versions of Magento and it's definitely highly recommended to upgrade to a new version.

--

Developer Relations, Adobe Experience Cloud
Problem solved? Click Accept as Solution!
Still stuck? Check out our documentation: https://magento.com/resources/technical

Re: SUPEE-6285 - 1.4.1 / 1.5

how is 1.5 affected?
as far as I can see, it's not that bad.

 

Customer Information Leak via RSS and Privilege Escalation

  • I can not find any RSS settings in 1.5
  • I assume 1.5 is not affected
  • had the module-output of mage_rss disabled
  • overload RSS controller in code/local, empty out actions

Request Forgery in Magento Connect Leads to Code Execution

  • disable the magento connect (use .htaccess to block, or similar)

Cross-site Scripting in Wishlist

  • disable wishlist

Cross-site Scripting in Cart

  • minor risk
  • maybe can be fixed in template?

Store Path Disclosure

  • again, remove/disable magento connect (use .htaccess to block, or similar)

Permissions on Log Files too Broad

  • don't care

Cross-site Scripting in Admin

  • this implies one user attacks another
  • hopefully not relevant for your store, i.e. you trust your admins/users

Cross-site Scripting in Orders RSS

  • RSS again, can not verify where RSS is supposed to be in 1.5
  • had the module output disabled

Re: SUPEE-6285 - 1.4.1 / 1.5

RSS module and Downloadables module add extra overhead if you don't need them; I've had them disabled by their respective XML files in app/etc/modules since back in 1.4.x.x, going forward to 1.7.x.x.

 

In Mage_All.xml

 

        <Mage_Rss>
            <active>false</active>
            <codePool>core</codePool>
            <depends>
                <Mage_Catalog/>
                <Mage_CatalogInventory/>
                <Mage_Sales/>
                <Mage_SalesRule/>
                <Mage_Wishlist/>
            </depends>
        </Mage_Rss>

No module load, no exploit. The RSS feed is able to squitter out a lot of sensitive information on its admin feeds with absolutely no authentication.

 

Some of the other items are actually quite bad, just nobody knows who's going to become a future statistic yet.
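As an added example (not code from this thread or from Magento itself), here is a small Python audit that parses module-declaration XML of the shape shown above, reports whether Mage_Rss and Mage_Downloadable are still active, and builds an override file that declares them inactive. It assumes Magento 1's merge behaviour (Mage_All.xml read first, later files in app/etc/modules overriding the same keys); the sample XML is constructed, and the function names and the override file name are the example's own.

```python
"""Audit Magento 1 module declarations (app/etc/modules/*.xml) and report
modules that should be switched off on an unpatched store.

The sample XML below is constructed for this example; it mimics the
<modules> block of Mage_All.xml but is not a copy of any shipped file.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

SAMPLE_MAGE_ALL_XML = """<?xml version="1.0"?>
<config>
    <modules>
        <Mage_Core>
            <active>true</active>
            <codePool>core</codePool>
        </Mage_Core>
        <Mage_Rss>
            <active>false</active>
            <codePool>core</codePool>
            <depends>
                <Mage_Catalog/>
                <Mage_Wishlist/>
            </depends>
        </Mage_Rss>
        <Mage_Downloadable>
            <active>true</active>
            <codePool>core</codePool>
        </Mage_Downloadable>
    </modules>
</config>
"""

# Modules the thread calls out as unneeded attack surface on old installs.
MODULES_TO_DISABLE = ("Mage_Rss", "Mage_Downloadable")


def parse_module_states(xml_text):
    """Return {module_name: is_active} from one module-declaration file.
    A missing <active> element is treated as active, which is the safe
    (pessimistic) reading for an audit."""
    root = ET.fromstring(xml_text)
    modules = root.find("modules")
    if modules is None:
        return {}
    states = {}
    for module in modules:
        active = module.findtext("active", default="true").strip().lower()
        states[module.tag] = active == "true"
    return states


def merge_module_states(xml_texts):
    """Merge several declaration files in load order; later files override
    earlier ones (assumption: this mirrors Magento's config merge, with
    Mage_All.xml passed first)."""
    merged = {}
    for text in xml_texts:
        merged.update(parse_module_states(text))
    return merged


def still_active(states, wanted_off=MODULES_TO_DISABLE):
    """Modules from wanted_off that are declared and still active.
    Undeclared modules are never loaded, so they are not flagged."""
    return [name for name in wanted_off if states.get(name, False)]


def override_xml(module_names):
    """Build the content of an override file (e.g. app/etc/modules/
    Zz_DisableUnused.xml, a hypothetical name) declaring modules inactive."""
    lines = ['<?xml version="1.0"?>', "<config>", "    <modules>"]
    for name in module_names:
        lines += [f"        <{name}>", "            <active>false</active>",
                  f"        </{name}>"]
    lines += ["    </modules>", "</config>", ""]
    return "\n".join(lines)


def audit_directory(modules_dir):
    """Audit a real app/etc/modules directory: Mage_All.xml first, then the
    remaining files in sorted order, and return the offending modules."""
    modules_dir = Path(modules_dir)
    files = sorted(modules_dir.glob("*.xml"), key=lambda p: (p.name != "Mage_All.xml", p.name))
    return still_active(merge_module_states(p.read_text() for p in files))


if __name__ == "__main__":
    before = parse_module_states(SAMPLE_MAGE_ALL_XML)
    print("still active:", still_active(before))
    fix = override_xml(still_active(before))
    print(fix)
    print("after override:", still_active(merge_module_states([SAMPLE_MAGE_ALL_XML, fix])))
```

Run against a store, `audit_directory("app/etc/modules")` prints the modules that are still loaded; dropping the generated override file into that directory is the non-invasive alternative to editing Mage_All.xml, and re-running the audit confirms the module no longer loads.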

Re: SUPEE-6285 - 1.4.1 / 1.5

Thanks for the update Sherrie, we've got a few old clients still running 1.4 and 1.5, so getting the patch installed for them would be excellent. We've actually used this opportunity to reach out to these clients to talk about upgrading to 1.9.

Re: SUPEE-6285 - 1.4.1 / 1.5

Any news when this patch will be released for 1.4.1?

 

Best regards,

Otto

Re: SUPEE-6285 - 1.4.1 / 1.5

Checking on this now @basenic, as soon as I know it's live, I'll update here.

--

Developer Relations, Adobe Experience Cloud

Re: SUPEE-6285 - 1.4.1 / 1.5

Hey all, 1.4 and 1.5 patches are now available here: https://www.magentocommerce.com/download

--

Developer Relations, Adobe Experience Cloud


Re: SUPEE-6285 - 1.4.1 / 1.5

Hey, thanks for the update post.

 

And a note to all, if you're running 1.6.2.0 and previous, time is ticking on getting your sites upgraded. The next major issue, you might find you're running Windows XP in a Windows 10 world. Not good for your customers...

Re: SUPEE-6285 - 1.4.1 / 1.5

Hi,

 

I've noticed there isn't a patch for 1.5.0.1. Will a patch be released or does anyone running 1.5.0.1 need to use another patch?

 

Kind Regards,

 

Nick

Re: SUPEE-6285 - 1.4.1 / 1.5

Hi @NickC90, the 1.5.1 patch is compatible with 1.5.0.0 thru 1.5.1.0 so you can use it.

--

Developer Relations, Adobe Experience Cloud