Re: Security Scan supee-10415 false positive?

amstatonline · ‎04-18-2018

We are receiving an alert that supee-10415 is not installed from magento security scanner but it is installed according to applied.patches.list. Do you know how the scanner is confirming that it is installed? magereport.com says it is patched.

here is the output from applied.patches.list:

patching file app/Mage.php

patching file app/code/core/Mage/Adminhtml/Block/Report/Review/Detail.php

patching file app/code/core/Mage/Adminhtml/Block/Report/Tag/Product/Detail.php

patching file app/code/core/Mage/Adminhtml/Block/Review/Add.php

patching file app/code/core/Mage/Adminhtml/Block/Review/Edit/Form.php

patching file app/code/core/Mage/Adminhtml/Controller/Action.php

patching file app/code/core/Mage/Adminhtml/Model/LayoutUpdate/Validator.php

patching file app/code/core/Mage/Adminhtml/Model/System/Config/Backend/Filename.php

patching file app/code/core/Mage/Api/Helper/Data.php

patching file app/code/core/Mage/Api/Model/Server/Adapter/Soap.php

patching file app/code/core/Mage/Api/Model/Wsdl/Config.php

patching file app/code/core/Mage/Api/Model/Wsdl/Config/Base.php

patching file app/code/core/Mage/Core/Helper/String.php

patching file app/code/core/Mage/Core/Model/File/Validator/Image.php

patching file app/code/core/Mage/Core/etc/config.xml

patching file app/code/core/Mage/Core/etc/system.xml

patching file app/code/core/Mage/Customer/Model/Customer.php

Hunk #2 succeeded at 852 (offset 7 lines).

patching file app/code/core/Mage/Eav/Model/Entity/Attribute/Backend/Serialized.php

patching file app/code/core/Mage/Log/Helper/Data.php

patching file app/code/core/Mage/Rule/Model/Abstract.php

patching file app/code/core/Mage/Sales/Block/Adminhtml/Billing/Agreement/Grid.php

patching file app/code/core/Zend/Form/Decorator/Form.php

patching file app/design/adminhtml/default/default/template/backup/dialogs.phtml

patching file app/design/adminhtml/default/default/template/sales/billing/agreement/view/tab/info.phtml

patching file app/design/adminhtml/default/default/template/xmlconnect/edit/tab/content.phtml

patching file app/design/adminhtml/default/default/template/xmlconnect/edit/tab/design/image_edit.phtml

patching file app/locale/en_US/Mage_Adminhtml.csv

patching file app/locale/en_US/Mage_Customer.csv

patching file js/mage/adminhtml/backup.js

patching file lib/Varien/Filter/FormElementName.php

Damian Culotta · ‎04-18-2018

Hi @amstatonline,

Maybe @msavich can help here.

If not you can contact Magento Security Team regarding the security scan tool over support team or directly at security@magento.com.

msavich · ‎04-18-2018

Please write the email to security@magento.com and provide your store URL so I can investigate why it is failing.

amstatonline · ‎05-04-2018

I have sent to security@magento.com as well as securityscan@magento.com and haven't received any updates. Can someone give some details on what is actually checked for to confirm the patch is applied?

Also, securityscan@magento.com was rejected saying the user is set up to not receive emails outside of the organization but that is the email included at the bottom of the security scan emails.

jtsteer · ‎05-08-2018

We were not aware that securityscan@magento.com was not enabled to receive external email. We will research and get this corrected.

Thank yoh

jtsteer · ‎05-17-2018

securityscan@magento.com is now enabled to receive external email.

Thank you,

Magento Security

dannxym43 · ‎07-20-2018

I'm still waiting on a reply from the securityscan email as well.

Flipmedia · ‎12-17-2018

We found that this issue flagged up in conjunction with: "Your server supports TLSv1.0. Please update your configuration to discontinue TLSv1.0 support"... On fixing this issue the error for supee-10415 was removed.