Magento released a new patch (SUPEE-6788) for the Community Edition 1.9 and Enterprise Edition 1.14 to address security issues, including remote code execution and information leak vulnerabilities.
Be sure to test the patch in a development environment first, as it can affect extensions and customizations.
Downloading the patch:
You can download the patch for both Community Edition and Enterprise Edition from the following locations:
- Partners: Go to the Partner Portal, select Technical Resources and then select Download from the Enterprise Edition panel. Next, navigate to Magento Enterprise Edition > Patches & Support and look for the folder titled “Security Patches – July October.”
- Enterprise Edition Merchants: Go to My Account, select the Downloads tab, and then navigate to Magento Enterprise Edition > Support Patches. Look for the folder titled “Security Patches – October 2015”. Merchants can also upgrade to the latest version of the Enterprise Edition and receive the security fixes as part of the core code.
- Community Edition Merchants: Patches for earlier versions of Community Edition can be found on the Community Edition download page (look for SUPEE-6788). Merchants can also upgrade today to the latest version of the Community Edition and receive the security fixes as part of the core code.
Before Installing the Patch:
Before installing the patch, check that the earlier patches are installed correctly, because some patches depend on other patches already being in place. You can check this using the site https://www.magereport.com/.
Installing the patch:
If you have SSH access, installing the patch is simpler. Before installing the patch, make sure to disable the Magento Compiler at System > Configuration > Tools > Magento Compiler and clear the compiled cache (if the compiler is used). To apply and revert the Magento security patch, please see the link below.
If you have no SSH access, you can apply the patch by simply upgrading your installation to the latest Magento version. Otherwise, you can apply the patch via the FTP/SFTP upload described in this article.
After installing the patch:
After the patch is installed successfully, check that all CMS pages, the home page, category pages and landing pages are running correctly without any issues. The Magento security patch SUPEE-6788 affects the page layout, transactional emails and order confirmation notifications.
SUPEE-6788 introduces new permissions for the blocks and core variables used on CMS pages, in templates and by extensions. You can add your blocks in the admin section under System -> Permissions -> Blocks, or via setup scripts that add them to the permission_block table.
Also, check if any other pages or blocks or transactional emails have been affected.
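One way to make that check systematic, as an added example that is not Magento's own code: the script below scans exported CMS and email template content for Magento 1 `{{block type=...}}` and `{{config path=...}}` directives and reports the ones that are not yet permitted. The permitted lists and the page content are constructed sample values; replace them with an export from your own store.

```python
import re

# Magento 1 template directives, e.g.
# {{block type="cms/block" block_id="x"}} or {{config path="web/secure/base_url"}}
DIRECTIVE_RE = re.compile(r"\{\{\s*(block|config)\b(.*?)\}\}", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(["'])(.*?)\2""", re.DOTALL)


def find_directives(content):
    """Return (kind, name) pairs: block types and config paths used in content."""
    found = []
    for kind, params in DIRECTIVE_RE.findall(content):
        attrs = {k.lower(): v.strip() for k, _, v in ATTR_RE.findall(params)}
        key = "type" if kind.lower() == "block" else "path"
        # A directive missing its attribute is reported as "" so it still gets reviewed.
        found.append((kind.lower(), attrs.get(key, "")))
    return found


def audit(pages, allowed_blocks, allowed_variables):
    """Map each page name to the sorted directives that are not permitted yet."""
    allowed = {"block": set(allowed_blocks), "config": set(allowed_variables)}
    report = {}
    for name, content in pages.items():
        missing = sorted({d for d in find_directives(content) if d[1] not in allowed[d[0]]})
        if missing:
            report[name] = missing
    return report


# Constructed sample data (assumptions): blocks as listed under
# System -> Permissions -> Blocks, the permitted variables, and exported content.
SAMPLE_ALLOWED_BLOCKS = ["core/template", "catalog/product_new"]
SAMPLE_ALLOWED_VARIABLES = ["web/unsecure/base_url", "trans_email/ident_support/email"]
SAMPLE_PAGES = {
    "home": '{{block type="catalog/product_new" template="catalog/product/new.phtml"}}'
            "{{block type='newsletter/subscribe' template='newsletter/subscribe.phtml'}}",
    "order_email": 'Contact {{config path="trans_email/ident_support/email"}} or '
                   'call {{config path="general/store_information/phone"}}',
    "about": "<p>No directives here.</p>",
}

if __name__ == "__main__":
    result = audit(SAMPLE_PAGES, SAMPLE_ALLOWED_BLOCKS, SAMPLE_ALLOWED_VARIABLES)
    for page, items in result.items():
        for kind, name in items:
            print(f"{page}: {kind} '{name}' is not permitted yet")
```

Each reported block is a candidate for System -> Permissions -> Blocks or a setup script, after you have confirmed that the block is one you actually want rendered from CMS content.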
Risks of not installing the security patch:
Through external modules, attackers can find the secret admin front name. An outsider getting to know the admin front name is very risky, as it makes a dictionary attack possible. It is therefore recommended to install this patch immediately.