Magento is releasing the following update, SUPEE-10415, to increase the product security of their Magento Open Source product.

This new patch affects the following editions:

  • Magento Open Source 1.9.3.7
  • SUPEE-10415 (patch for earlier Magento 1.x versions)

This new patch (SUPEE-10415) resolves multiple critical security issues, including remote code execution, cross-site scripting, and cross-site request forgery. We recommend upgrading your Magento store to this latest version. See the Magento Security Center for a comprehensive discussion of these issues.


SUPEE-10415: What else have they fixed?

In addition, they’ve fixed a couple of issues introduced in the previous releases of Magento Open Source:

  • Magento no longer displays the “Invalid Secret Key. Please refresh the page.” message when a user loads the Admin.
  • The one-page checkout page now displays the message “No payment information required.” when a customer checks out an order for which no amount is due. Magento versions prior to 1.14.3.3 included this message, but it was missing from v1.14.3.3.
  • They’ve also fixed a typo in the patch header information. (autocomplete=”new-pawwsord” is now autocomplete=”new-password”.)


There have also been a couple of other changes:

  • They no longer support custom file extensions for Mage::log(). Supported file extensions are .log, .txt, .html and .csv. For more information, navigate to Developers > Log Settings in the Admin, where Magento displays this comment: “Logging from Mage::log(). File is located in /var/log. Allowed file extensions: log, txt, html, csv.”
  • Passwords for new users are now limited to 256 characters. If a new user enters a password that exceeds 256 characters, Magento displays this message: “Please enter a password with at most 256 characters.”


Our recommendations

This release contains multiple security changes that close cross-site scripting vulnerabilities and remote code execution vulnerabilities exploitable by authenticated Admin users. To maintain the security of your online shop, we strongly recommend that all merchants upgrade to these versions as soon as is reasonably possible. If we host your site directly, we may already have upgraded your system; however, you are always advised to contact us to check.

If you are not currently one of our customers and would like to talk to us, please get in touch. We offer a range of web hosting and design services for the smallest to the largest online retailers…