Magento Forums
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SUPEE-6285 - 1.4.1 / 1.5

SOLVED
Go to solution
‎07-09-2015 11:15 AM
‎07-09-2015 11:15 AM

Re: SUPEE-6285 - 1.4.1 / 1.5

Hi all, current ETA for the 1.4 & 1.5 patches is late next week. 

 

I realize upgrading from these versions to a recent version is a massive task, but I would like to emphasize again that these are very outdated (2010-2011) versions of Magento and it's definitely highly reccomended to upgrade to a new version.

--

Developer Relations, Adobe Experience Cloud
Problem solved? Click Accept as Solution!
Still stuck? Check out our documentation: https://magento.com/resources/technical
‎07-10-2015 10:36 AM
‎07-10-2015 10:36 AM

Re: SUPEE-6285 - 1.4.1 / 1.5

how is 1.5 affected?
as far as I can see, its not that bad.

 

Customer Information Leak via RSS and Privilege Escalation

  • I can not find any RSS settings in 1.5
  • I assume 1.5 is not affected
  • had the module-output of mage_rss disabled
  • overload RSS controller in code/local, empty out actions

Request Forgery in Magento Connect Leads to Code Execution

  • disable the magento connect (use .htaccess to block, or similar)

Cross-site Scripting in Wishlist

  • disable wishlist

Cross-site Scripting in Cart

  • minor risk
  • maybe can be fixed in template?

Store Path Disclosure

  • agagin, remove/disable magento connect (use .htaccess to block, or similar)

Permissions on Log Files too Broad

  • don't care

Cross-site Scripting in Admin

  • this implies one user attacks another
  • hopefully not relevant for your store, i.e. you trust your admins/users

Cross-site Scripting in Orders RSS

  • RSS again, can not verify where RSS is supposed to be in 1.5
  • had the module output disabled
‎07-10-2015 11:59 AM
‎07-10-2015 11:59 AM

Re: SUPEE-6285 - 1.4.1 / 1.5

RSS module and Downloadables module add extra overhead if you don't need them, I've had them disabled by their respective XML files in app/etc/modules since back in 1.4.x.x going forward to 1.7.x.x

 

In Mage_All.xml

 

        <Mage_Rss>
            <active>false</active>
            <codePool>core</codePool>
             <depends>
                <Mage_Catalog/>
                <Mage_CatalogInventory/>
                <Mage_Sales/>
                <Mage_SalesRule/>
                <Mage_Wishlist/>
             </depends>
        </Mage_Rss>

No module load, no exploit. The RSS feed is able to squitter out a lot of sensitive information on it's admin feeds with absolutely no authentication.

 

Some of the other items are actually quite bad, just nobody knows who's going to become a future statistic yet.

0 Kudos
‎07-14-2015 04:56 AM
‎07-14-2015 04:56 AM

Re: SUPEE-6285 - 1.4.1 / 1.5

Thanks for the update Sherrie, we've got a few old clients still running 1.4 and 1.5, so getting the patch installed for them would be excellent. We've actually used this opportunity to reach out to these clients to talk about upgrading to 1.9.

0 Kudos
‎07-16-2015 11:45 PM
‎07-16-2015 11:45 PM

Re: SUPEE-6285 - 1.4.1 / 1.5

Any news when this patch will be released for 1.4.1?

 

Best regards,

Otto

0 Kudos
‎07-17-2015 10:31 AM
‎07-17-2015 10:31 AM

Re: SUPEE-6285 - 1.4.1 / 1.5

Checking on this now @basenic, as soon as I know it's live, I'll update here.

--

Developer Relations, Adobe Experience Cloud
Problem solved? Click Accept as Solution!
Still stuck? Check out our documentation: https://magento.com/resources/technical
0 Kudos
‎07-17-2015 02:11 PM
‎07-17-2015 02:11 PM

Re: SUPEE-6285 - 1.4.1 / 1.5

Hey all, 1.4 and 1.5 patches are now available here: https://www.magentocommerce.com/download Smiley Happy

--

Developer Relations, Adobe Experience Cloud
Problem solved? Click Accept as Solution!
Still stuck? Check out our documentation: https://magento.com/resources/technical
0 Kudos
‎07-18-2015 02:51 PM
‎07-18-2015 02:51 PM

Re: SUPEE-6285 - 1.4.1 / 1.5

Hey, thanks for the update post.

 

And a note to all, if you're running 1.6.2.0 and previous, time is ticking on getting your sites upgraded. The next major issue, you might find you're running Windows XP in a Windows 10 world. Not good for your customers...

0 Kudos
‎07-20-2015 07:36 AM
‎07-20-2015 07:36 AM

Re: SUPEE-6285 - 1.4.1 / 1.5

Hi,

 

I've noticed there isn't a patch for 1.5.0.1. Will a patch be released or does anyone running 1.5.0.1 need to use another patch?

 

Kind Regards,

 

Nick

0 Kudos
‎07-20-2015 09:29 AM
‎07-20-2015 09:29 AM

Re: SUPEE-6285 - 1.4.1 / 1.5

Hi @NickC90, the 1.5.1 patch is compatible with 1.5.0.0 thru 1.5.1.0 so you can use it. Smiley Happy

--

Developer Relations, Adobe Experience Cloud
Problem solved? Click Accept as Solution!
Still stuck? Check out our documentation: https://magento.com/resources/technical