Magento has released a new security patch named SUPEE-10415 addressing various issues in Magento 1.x platform. We highly recommend merchants using Magento 1.x platform to install this as soon as possible to avail the benefits of the fixes.
SUPEE-10415, Magento Commerce 18.104.22.168, and Open Source 22.214.171.124 contain various security enhancements that help to fix vulnerabilities such as the following:
- Cross-site request forgery (CSRF)
- Denial-of-Service (DoS)
- Authenticated Admin user remote code execution (RCE)
These releases also include a fix for prior customers who had issues patching caused by SOAP v1 interactions in WSDL.
Information on all the changes in Magento Commerce 126.96.36.199 and Open Source 188.8.131.52 releases are available in the Magento Commerce and Magento Open Source release notes. For more information click here.
Patches and upgrades are available for the following Magento versions:
- Magento Commerce 184.108.40.206 – 220.127.116.11: SUPEE-10415 or upgrade to Magento Commerce 18.104.22.168.
- Magento Open Source 22.214.171.124 – 126.96.36.199: SUPEE-10415 or upgrade to Magento Open Source 188.8.131.52.
Before installing the patch, check if the old patches have been installed correctly. Some patches might require other patches to be installed already. You can use magereport.com to check the patches installed on your site.
- Disable Magento Compiler and clear the compiler cache.
- Disable Symlinks setting. In the Magento backend, navigate to System > Configuration > Advanced > Developer > Template Settings > Enable Symlinks and set it to No, if it is not set already.
- Be sure to test the patch in a development environment first, as it can affect extensions and customizations.
Make Sure Your Site is Healthy for the Holidays!!
- Non standard Magento code can have a negative impact on your holiday sales.
- If you are unsure about the performance of your online store, talk to us.
Please upload the patch into your Magento root directory and run the appropriate SSH command:
For patch files with the file extension .sh:
Example: sh PATCH_SUPEE-1868_CE_184.108.40.206_v1.sh
For patch files with the file extension .patch:
patch –p0 < patch_file_name.patch
Example: patch –p0 < PATCH_SUPEE-1868_CE_220.127.116.11_v1.patch
Upon completion, refresh the cache in the Admin under “System > Cache Management” for the changes to get reflected. We highly recommend you to test all patches in a test environment before taking them live.
For further instructions, see: Installing a Patch for Community Edition
- Magento no longer displays the “Invalid Secret Key. Please refresh the page.” message when an user loads the Admin.
- The one-page checkout page now displays the “No payment information required” message when a customer checks out an order for which no amount is due. Magento versions prior to 18.104.22.168 included this message, but it was missing from v22.214.171.124.
- The typo in the patch header information has been fixed. (autocomplete=”new-pawwsord” is now autocomplete=”new-password”.)
- Magento no longer supports custom file extensions for Mage::log(). Supported file extensions include .log, .txt, .html, .csv. For more information, navigate to Developers > Log Settings from the Admin. Magento displays this comment: “Logging from Mage::log()”. File is located in /var/log.
- Passwords for new users are now limited to 256 characters. If a new user enters a password that exceeds 256 characters, Magento displays this message: “Please enter a password with at most 256 characters”.