cancel
Showing results for 
Search instead for 
Did you mean: 

Security Scan supee-10415 false positive?

Security Scan supee-10415 false positive?

We are receiving an alert that supee-10415 is not installed from magento security scanner but it is installed according to applied.patches.list. Do you know how the scanner is confirming that it is installed? magereport.com says it is patched.

 

here is the output from applied.patches.list:

-e -n 2018-03-08 16:41:40 UTC | SUPEE-10415-ce-1.9.0.1 | CE_1.9.0.1 | v1 | 0c7816c099d664748e9ce9a91986db3095558576 | Thu Nov 9 11:49:07 2017 +0200 | b6f6c048e281b65341be0514f05f498597db7686..HEAD

patching file app/Mage.php

patching file app/code/core/Mage/Adminhtml/Block/Report/Review/Detail.php

patching file app/code/core/Mage/Adminhtml/Block/Report/Tag/Product/Detail.php

patching file app/code/core/Mage/Adminhtml/Block/Review/Add.php

patching file app/code/core/Mage/Adminhtml/Block/Review/Edit/Form.php

patching file app/code/core/Mage/Adminhtml/Controller/Action.php

patching file app/code/core/Mage/Adminhtml/Model/LayoutUpdate/Validator.php

patching file app/code/core/Mage/Adminhtml/Model/System/Config/Backend/Filename.php

patching file app/code/core/Mage/Api/Helper/Data.php

patching file app/code/core/Mage/Api/Model/Server/Adapter/Soap.php

patching file app/code/core/Mage/Api/Model/Wsdl/Config.php

patching file app/code/core/Mage/Api/Model/Wsdl/Config/Base.php

patching file app/code/core/Mage/Core/Helper/String.php

patching file app/code/core/Mage/Core/Model/File/Validator/Image.php

patching file app/code/core/Mage/Core/etc/config.xml

patching file app/code/core/Mage/Core/etc/system.xml

patching file app/code/core/Mage/Customer/Model/Customer.php

Hunk #2 succeeded at 852 (offset 7 lines).

patching file app/code/core/Mage/Eav/Model/Entity/Attribute/Backend/Serialized.php

patching file app/code/core/Mage/Log/Helper/Data.php

patching file app/code/core/Mage/Rule/Model/Abstract.php

patching file app/code/core/Mage/Sales/Block/Adminhtml/Billing/Agreement/Grid.php

patching file app/code/core/Zend/Form/Decorator/Form.php

patching file app/design/adminhtml/default/default/template/backup/dialogs.phtml

patching file app/design/adminhtml/default/default/template/sales/billing/agreement/view/tab/info.phtml

patching file app/design/adminhtml/default/default/template/xmlconnect/edit/tab/content.phtml

patching file app/design/adminhtml/default/default/template/xmlconnect/edit/tab/design/image_edit.phtml

patching file app/locale/en_US/Mage_Adminhtml.csv

patching file app/locale/en_US/Mage_Customer.csv

patching file js/mage/adminhtml/backup.js

patching file lib/Varien/Filter/FormElementName.php

6 REPLIES

Re: Security Scan supee-10415 false positive?

Hi @amstatonline,

 

Maybe @msavich can help here.

If not you can contact Magento Security Team regarding the security scan tool over support team or directly at security@magento.com.

--
If you've found one of my answers useful, please give "Kudos" or "Accept as Solution"

Re: Security Scan supee-10415 false positive?

Please write the email to security@magento.com and provide your store URL so I can investigate why it is failing.

Re: Security Scan supee-10415 false positive?

I have sent to security@magento.com as well as securityscan@magento.com and haven't received any updates. Can someone give some details on what is actually checked for to confirm the patch is applied?

 

Also, securityscan@magento.com was rejected saying the user is set up to not receive emails outside of the organization but that is the email included at the bottom of the security scan emails.

Re: Security Scan supee-10415 false positive?

We were not aware that securityscan@magento.com was not enabled to receive external email. We will research and get this corrected.

 

Thank yoh

Re: Security Scan supee-10415 false positive?

securityscan@magento.com is now enabled to receive external email. 

 

Thank you,

Magento Security

Highlighted

Re: Security Scan supee-10415 false positive?

I'm still waiting on a reply from the securityscan email as well.