
Find patches to check Security Scanner false positives

Re: Find patches to check Security Scanner false positives

Let's see....

It complains "XS Vulnerability - Failed. XSS Patch not detected (APPSEC-1716). Apply the Magento 2.2.5/2.1.14 Security Update"

That patch is described here

https://magento.com/security/patches/magento-2.2.5-and-2.1.14-security-update

but not offered for download.

(The mentioned header "X-Frame-Options=SAMEORIGIN" is set using the default options in app/etc/env.php)

The suggested search for 'APPSEC-1716 "code"' brings me to

https://magento.com/security/patches/magento-2.2.5-and-2.1.14-security-update

That site lists the patches by name and description but not the diff files. Only complete Magento releases.

I can download an entire community edition 2.2.5 there, but I need to download ONLY the APPSEC-1716 patch (it's called a patch, so it is the output of the "diff" command to be applied with the "patch" command) to see what changes this one patch would have made and compare it to my Magento 2.3.x installation.

The URL says that I am supposed to be able to download patches there but I can't.

A complete magento-2.2.5 tarball is useless to me. What am I to do with it? Downgrade from 2.3 to a super old version?

I also tried finding the patch mentioned in issues or pull requests in

https://github.com/magento/magento2

but had no success there.

Where do these APPSEC numbers come from anyway? There is no mention of any of them in the GitHub repository where the Magento2 code is being developed.

So this security scanner is completely useless. Either some ages-old bug made a regression, but there is no way to check that because the mentioned patch numbers are useless to an administrator, or it warns about bugs that are not there every single month, and thus nobody will pay any attention to its warnings anymore when it does find something.

Re: Find patches to check Security Scanner false positives

Nothing?

Why even have patch numbers when you can't look up that specific patch?

Re: Find patches to check Security Scanner false positives

API ACL Patch not detected (APPSEC-1378) - from Magento 2.0.4

It will be fixed after changing configuration from the Magento admin panel: Stores > Configuration > Services > Magento Web API > set 'Allow Anonymous Guest Access' to No, for Magento versions higher than or equal to 2.0.4.

Possibly other patches may also need configuration changes from the admin panel, whose patch files are not available at Magento tech resources.

Thanks

Re: Find patches to check Security Scanner false positives

1)

It is off and 1378 is no longer an issue. Just "API ACL (APPSEC-1679)", "XSS Patch not detected (APPSEC-1716)"

and that "Google reCaptcha not detected." is classified as a FAIL instead of a Warning or Note despite there being very good reasons not to use a 3rd party service that has the ability to identify store customers.

2)

If it is always supposed to be off and a security risk if on, why is it a setting at all?

Re: Find patches to check Security Scanner false positives

I just learned that what led the Security Scanner to falsely claim that I didn't have certain patches installed was a misconfigured .htaccess file; this misconfiguration also led the Scanner to claim that not all HTTP traffic was redirected to HTTPS.
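The .htaccess misconfiguration in the post above touches two things the scanner evaluates from the outside: whether a plain-HTTP request is redirected to HTTPS, and whether the X-Frame-Options header (set through app/etc/env.php, as mentioned earlier in the thread) actually reaches the client. The script below is an added example, not code from this thread or from Magento; it runs those two checks against constructed sample responses (the host store.example and the raw responses are made up) so an administrator can reproduce the scanner's verdict locally before hunting for a patch file.

```python
"""Offline check for two things the Magento Security Scanner is reported
to flag in this thread: the X-Frame-Options response header and the
HTTP-to-HTTPS redirect. Added example, not code from the thread or from
Magento. The responses below are constructed, not captured from a store."""
from urllib.parse import urlsplit

# Constructed sample responses (a real run would send the requests itself).
# Reply to "GET / HTTP/1.1" over plain HTTP on a correctly configured store:
GOOD_HTTP_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://store.example/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
# Same request on a store whose .htaccess rewrite rules are broken:
# the page is served over HTTP instead of being redirected.
BAD_HTTP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)
# Reply over HTTPS with the env.php default x-frame-options setting:
GOOD_HTTPS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
)


def parse_raw_response(raw: str):
    """Split a raw HTTP/1.1 response into (status code, header dict).
    Header names are lower-cased so lookups are case-insensitive."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status_code = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status_code, headers


def check_frame_options(headers):
    """Clickjacking header: must be present and set to DENY or SAMEORIGIN."""
    value = headers.get("x-frame-options")
    if value is None:
        return "FAIL: X-Frame-Options header missing"
    if value.upper() not in ("DENY", "SAMEORIGIN"):
        return f"FAIL: unexpected X-Frame-Options value {value!r}"
    return "PASS"


def check_https_redirect(request_host, status_code, headers):
    """A plain-HTTP request must be answered with a redirect to an https
    URL on the same host; anything else is what the scanner reports."""
    if status_code not in (301, 302, 307, 308):
        return f"FAIL: plain HTTP answered with {status_code}, not a redirect"
    location = headers.get("location", "")
    target = urlsplit(location)
    if target.scheme != "https":
        return f"FAIL: redirect target {location!r} is not https"
    if target.hostname != request_host:
        return f"FAIL: redirect leaves {request_host} for {target.hostname}"
    return "PASS"


def run_checks(host, http_raw, https_raw):
    """Return a dict of check name -> verdict for one host."""
    http_status, http_headers = parse_raw_response(http_raw)
    _, https_headers = parse_raw_response(https_raw)
    return {
        "https_redirect": check_https_redirect(host, http_status, http_headers),
        "x_frame_options": check_frame_options(https_headers),
    }


if __name__ == "__main__":
    for label, http_raw in (("good", GOOD_HTTP_RESPONSE), ("bad", BAD_HTTP_RESPONSE)):
        print(label, run_checks("store.example", http_raw, GOOD_HTTPS_RESPONSE))
```

Parsing is kept separate from the verdicts so the checks can be exercised offline; to test a live store, fetch the two responses (one over http://, one over https://) with urllib and feed the raw head to parse_raw_response. The "bad" sample shows the situation the post describes: with the redirect broken, the HTTP request returns a 200 page, so every check the scanner runs against the unredirected URL reflects a page it was never meant to evaluate.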

Re: Find patches to check Security Scanner false positives

I have upgraded Magento from 2.2.5 to Magento 2.4.1 community edition, and when checking the site in the scan, the report says the following two failed:

1. PRODSECBUG-2403 RCE Vulnerability patch has not been detected! (500)

2. XS Vulnerability - Failed. XSS Patch not detected (APPSEC-1716)

but I could not find the patch. When trying to download the patch it's only allowing me to download the whole Magento 2.3.2 or 2.3.3 version. Anyone have an idea on this?