Applying Magento CE SUPEE-5994 Security Patch Bundle (May 2015)
This comes just weeks after the major patch releases SUPEE-5344 to protect against the Shoplift bug but this patch is still required, even if you applies SUPEE-5344 and/or SUPEE-1533 (which Magento notified stores of at the same time). Even if you are running the very latest version of Magento (220.127.116.11 at the time of writing this), you will need to apply security patch SUPEE-5994 as the security vulnerabilities it patches have not been rolled out in a stable Magento release as of yet.
Please note: This only affects Magento CE versions. If you’re running a version of Magento EE, this patch does not apply to you and you need not worry.
You can read Magento’s official notice on this below:-
To further secure the Magento platform from potential attacks, we are releasing a new patch (SUPEE-5994) with multiple critical security fixes today. The patch addresses a range of issues, including scenarios where attackers can gain access to customer information. These vulnerabilities were gathered through our multi-point security program, and we have received no reports of merchants or their customers being impacted by these issues.
All versions of Magento Community Edition software are impacted and we strongly recommend that you work with your Solution Partner or developer to immediately deploy this critical patch. Please note that this patch should be installed in addition to the recent Shoplift patch (SUPEE-5344). More information about the security issues is available in the Appendix of the Magento Community Edition user guide.
You can download the patch from the Community Edition download page.Look for the SUPEE-5994 patch. The patch is available for Community Edition 1.4.1– 18.104.22.168.
Be sure to implement and test the patch in a development environment first to confirm that it works as expected before deploying it to a production site. Information about installing patches on Magento Community Edition is available online.
What patches are included in SUPEE-5994?
SUPEE-5994 is a bundle of seven patches that resolves the following security-related issues.
- Admin Path Disclosure
An attacker can force the Admin Login page to appear by directly calling a module, regardless of the URL.This exposes the Admin URL on the page, and makes it easier to initiate password attacks.
- Customer Address Leak through Checkout
Enables an attacker to obtain address information (name, address, phone) from the address books of other store customers.
During the checkout process, the attacker can gain access to an arbitrary address book by entering a sequential ID. No payment information is returned. The only requirement for the attacker is to create an account in store, put any product into the cart, and start the checkout process.
This attack can be fully automated, and a functional proof of concept exists.
- Customer Information Leak through Recurring Profile
This issue enables attacker to obtain address (name, address, phone), previous order (items, amounts) and payment method (payment method, recurrence) information from the recurring payment profiles of other store customers.
The attacker just create an account with the store. While viewing own recurring profile, the attacker can request an arbitrary recurring profile using a sequential ID. The information is then returned to the attacker.
This attack can be fully automated, and a manual proof of concept exists.
- Local File Path Disclosure Using Media Cache
Attacker can use fictitious image URLs to generate exceptions that expose internal server paths, regardless of settings.
- Spreadsheet Formula Injection
Attacker can provide input that executes a formula when exported and opened in a spreadsheet such as Microsoft Excel. The formula can modify data, export personal data to another site, or cause remote code execution. The spreadsheet usually displays a warning message, which the user must dismiss for the attack to succeed.
- Cross-site Scripting Using Authorize.Net Direct Post Module
- Malicious Package Can Overwrite System Files
Attacker can publish a malicious extension package. When the package is installed by a customer, it can overwrite files on the server. The attacker must first publish a package, and then entice a customer to install it. The package might contain a malicious load, as well.
Applying & Installing Patch SUPEE-5994
Head to the Magento downloads page and download the SUPEE-5994 security patch from the ‘Magento Community Edition Patches’ section. The same patch bundle applies to Magento versions 22.214.171.124 – 126.96.36.199. If you’re running an earlier version than that, then grab the patch for the necessary version 1.4.X or 1.5.X although you should really consider updating your Magento as soon as you can.
Once you have downloaded the correct patch for your version of Magento, upload it to your Magento root (this is where you will see the Magento folders like app, media, skin etc).
Then SSH into your server (check this out for applying this patch if you don’t have SSH access) in your preferred method, navigate to your Magento root and apply the patch like below (change the name of your patch file to match the version you have):-
This will return whether the patch was applied/reverted successfully (if you receive any errors, feel free to leave a comment below with details). Hopefully, all should be good.
Be sure to clear your Magento cache after applying the patch:-
rm -rf var/cache/*
Don’t forget to remove the patch files from your Magento root once you have applied them.
All our hosted Magento clients, those through The Clubnet Group / ClubnetSEM will be patched as part of our hosting service at no extra cost.
If your store is affected and you need some assistance, you can hire us to apply your security patches for you.