Re: SUPEE-6285 - 1.4.1 / 1.5
Hi all, current ETA for the 1.4 & 1.5 patches is late next week.
I realize upgrading from these versions to a recent version is a massive task, but I would like to emphasize again that these are very outdated (2010-2011) versions of Magento and it's definitely highly recommended to upgrade to a new version.
Developer Relations, Adobe Experience Cloud
Problem solved? Click Accept as Solution!
Still stuck? Check out our documentation: https://magento.com/resources/technical
Re: SUPEE-6285 - 1.4.1 / 1.5
how is 1.5 affected?
as far as I can see, it's not that bad.
Customer Information Leak via RSS and Privilege Escalation
I can not find any RSS settings in 1.5. I assume 1.5 is not affected - had the module-output of mage_rss disabled
- overload RSS controller in code/local, empty out actions
Request Forgery in Magento Connect Leads to Code Execution
- disable the magento connect (use .htaccess to block, or similar)
Cross-site Scripting in Wishlist
- disable wishlist
Cross-site Scripting in Cart
- minor risk
- maybe can be fixed in template?
Store Path Disclosure
- again, remove/disable magento connect (use .htaccess to block, or similar)
Permissions on Log Files too Broad
- don't care
Cross-site Scripting in Admin
- this implies one user attacks another
- hopefully not relevant for your store, i.e. you trust your admins/users
Cross-site Scripting in Orders RSS
RSS again, can not verify where RSS is supposed to be in 1.5 - had the module output disabled
Re: SUPEE-6285 - 1.4.1 / 1.5
RSS module and Downloadables module add extra overhead if you don't need them, I've had them disabled by their respective XML files in app/etc/modules since back in 1.4.x.x going forward to 1.7.x.x
In Mage_All.xml
    <Mage_Rss>
        <active>false</active>
        <codePool>core</codePool>
        <depends>
            <Mage_Catalog/>
            <Mage_CatalogInventory/>
            <Mage_Sales/>
            <Mage_SalesRule/>
            <Mage_Wishlist/>
        </depends>
    </Mage_Rss>
No module load, no exploit. The RSS feed is able to squitter out a lot of sensitive information on its admin feeds with absolutely no authentication.
Some of the other items are actually quite bad, just nobody knows who's going to become a future statistic yet.
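
A check for the mitigation described in the post above, added here as an example and not code from the thread or from Magento: it reads every module declaration file and reports whether `Mage_Rss` ends up active and which file decides it. The load order (Mage_All.xml, then other Mage_*.xml, then everything else, later files overriding earlier ones), the file name `Zz_Local.xml` and the helper names are assumptions.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

def load_order(names):
    # Assumed merge order: Mage_All.xml, then other Mage_*.xml, then the rest;
    # a later declaration overrides an earlier one.
    def rank(name):
        if name == "Mage_All.xml":
            return 0
        return 1 if name.startswith("Mage_") else 2
    return sorted(names, key=lambda n: (rank(n), n))

def effective_active(files, module="Mage_Rss"):
    """files maps file name -> XML text. Returns (active, deciding_file),
    or (None, None) when no file declares the module."""
    state, source = None, None
    for name in load_order(files):
        node = ET.fromstring(files[name]).find(f"./modules/{module}/active")
        if node is None:
            continue
        value = (node.text or "").strip().lower()
        # Conservative: only an explicit false/off/0/empty counts as disabled.
        state, source = value not in ("false", "off", "0", ""), name
    return state, source

def audit_dir(modules_dir, module="Mage_Rss"):
    """Run the same check against a real app/etc/modules directory."""
    files = {p.name: p.read_text() for p in Path(modules_dir).glob("*.xml")}
    return effective_active(files, module)

# Constructed sample: Mage_All.xml disables Mage_Rss as in the post, and a
# hypothetical third-party file declares it active again.
SAMPLE = {
    "Mage_All.xml": "<config><modules><Mage_Rss><active>false</active>"
                    "<codePool>core</codePool></Mage_Rss></modules></config>",
    "Zz_Local.xml": "<config><modules><Mage_Rss><active>true</active>"
                    "</Mage_Rss></modules></config>",
}

if __name__ == "__main__":
    print(effective_active(SAMPLE))
    print(effective_active({"Mage_All.xml": SAMPLE["Mage_All.xml"]}))
```

Run `audit_dir("app/etc/modules")` from the store root after each upgrade or extension install, since either can restore or add a declaration file.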
Re: SUPEE-6285 - 1.4.1 / 1.5
Thanks for the update Sherrie, we've got a few old clients still running 1.4 and 1.5, so getting the patch installed for them would be excellent. We've actually used this opportunity to reach out to these clients to talk about upgrading to 1.9.
Re: SUPEE-6285 - 1.4.1 / 1.5
Any news when this patch will be released for 1.4.1?
Best regards,
Otto
Re: SUPEE-6285 - 1.4.1 / 1.5
Checking on this now @basenic, as soon as I know it's live, I'll update here.
Developer Relations, Adobe Experience Cloud
Hey all, 1.4 and 1.5 patches are now available here: https://www.magentocommerce.com/download
Developer Relations, Adobe Experience Cloud
Re: SUPEE-6285 - 1.4.1 / 1.5
Hey, thanks for the update post.
And a note to all, if you're running 1.6.2.0 and previous, time is ticking on getting your sites upgraded. The next major issue, you might find you're running Windows XP in a Windows 10 world. Not good for your customers...
Re: SUPEE-6285 - 1.4.1 / 1.5
Hi,
I've noticed there isn't a patch for 1.5.0.1. Will a patch be released or does anyone running 1.5.0.1 need to use another patch?
Kind Regards,
Nick
Re: SUPEE-6285 - 1.4.1 / 1.5
Hi @NickC90, the 1.5.1 patch is compatible with 1.5.0.0 thru 1.5.1.0 so you can use it.
Developer Relations, Adobe Experience Cloud