By Brad Leslie, Certified Magento Developer at InteractOne
SUPEE-7405 is the latest security patch released by Magento. Magento's own description of the most serious issue it fixes:
“During customer registration on the storefront, a user can provide an email address that contains JavaScript code. Magento does not properly validate this email and executes it in Admin context when viewing the order in the backend. This JavaScript code can steal an administrator session or act on behalf of a store administrator.”
In a nutshell, the most important fix in SUPEE-7405 closes a stored cross-site scripting hole: script planted in a customer's email address runs in an administrator's browser when that order is viewed, and from there it can hijack the admin session or act as the administrator. Clearly SUPEE-7405 is critical to have installed. Developers should budget around 3-4 hours to apply the patch locally, test and fix any conflicts, push to dev, allow the client to test, and then deploy to production.
Below is a list of the changes the patch makes that may affect your site. Each will need to be evaluated on a site-by-site basis, depending on the extensions you have installed.
Admin
Better validation in admin when logging in via URL
Protect against executable code within order comments and exported grid data
Improved case handling when validating admin actions
New image validator for admin file uploads, so executable files can't be uploaded disguised as images
Improved forgot password validation
Frontend / Core
Protected unserialization of user-supplied data
Improved validation for new accounts
Cleaned up Authorize.net integrations related to order data at the time of order placement / success
Sanitize product option data so code can’t be executed
Improved exception handling in email queue process
Added the ability to renew a form key
Escape data that’s output on the frontend (products, reviews, etc)
Improved guest data handling
Added the Zend XML security class (Zend_Xml_Security) for safer XML parsing
Extensions
Mass action / report extensions that override CSV exports
Product / slider / swatch extensions or anything else dealing with image uploads
Auth.Net
Payflow (PayPal)
Grid extensions
Misc
Themes should be escaping all object data output on the frontend (this is already a best practice)
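The order-view issue quoted at the top of this post and the theme note just above come down to the same thing: stored data reaching an HTML template without escaping. The PHP below is an added illustration, not code from this post, from the patch or from Magento core; the attacker string, template fragments and function names are all constructed for the example. In a Magento 1 template the real tool is `$this->escapeHtml()` (Mage_Core_Helper_Abstract::escapeHtml), which the `renderEscaped` helper reproduces.

```php
<?php
// Added illustration, not code from the post, the patch or Magento core.
// The attacker string, template fragments and function names are constructed.

// Constructed attacker input. RFC 5321 allows a quoted local part, so a
// validator that only checks e-mail syntax can wave this through.
$maliciousEmail = '"<script>alert(document.cookie)</script>"@example.com';

// "Before": an admin grid cell that echoes the stored value verbatim.
// The <script> tag becomes part of the page and runs with the admin's session.
function renderUnescaped(string $email): string
{
    return '<td class="email">' . $email . '</td>';
}

// "After": the same cell with HTML escaping. This mirrors what
// Mage_Core_Helper_Abstract::escapeHtml() does (htmlspecialchars with
// ENT_QUOTES and double_encode disabled); in a Magento 1 template you would
// write $this->escapeHtml($order->getCustomerEmail()) instead.
function renderEscaped(string $email): string
{
    return '<td class="email">' . htmlspecialchars($email, ENT_QUOTES, 'UTF-8', false) . '</td>';
}

// Defence in depth at registration time: beyond syntactic validity, refuse
// addresses carrying characters that have no legitimate use in a store
// customer's e-mail. This is an added check, not the patch's own logic.
function isAcceptableEmail(string $email): bool
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Reject angle brackets, quotes and backslashes outright.
    return preg_match('/[<>"\'\\\\]/', $email) === 0;
}

echo renderUnescaped($maliciousEmail), PHP_EOL;
echo renderEscaped($maliciousEmail), PHP_EOL;
var_dump(isAcceptableEmail($maliciousEmail));
var_dump(isAcceptableEmail('alice@example.com'));
```

Run it with `php example.php`: the first output line carries the script tag as live markup, the second carries it entity-encoded so a browser displays it as text rather than executing it, and the validator rejects the constructed address while accepting an ordinary one. Escaping at output is the control that actually closes the hole; the input check is a second layer, since data also arrives through imports and APIs, and customer records stored before the patch was applied are still rendered by the same templates.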
We stress that Magento Security Patch SUPEE-7405 is VERY important. Without it, you’re exposed to vulnerabilities that exist throughout your Magento installation on both the front end and the admin.
Contact us to get your site patched up ASAP.