Magento SUPEE-5344 online vulnerability scanner

Why should I test my store and what SUPEE-5344 patch is about?

On Feb 9 2015 Magento announced a serious security problem and provided a security patch for it. To check whether the patch was applied, and applied correctly, we created this simple tool that tests your store's admin interface. Installing the Magento SUPEE-5344 patch is highly recommended: this critical security patch is needed to ensure your website is not affected by the bugs it fixes.

And what about the SUPEE-5994 and SUPEE-6285 patches?

These patches are also highly recommended. Both security patches provide protection against several types of security-related issues, including information leaks, request forgeries, and cross-site scripting.

Is that safe for my store?

Our new testing program is absolutely safe. The information you enter is not saved, and no database changes are made. Please note that the source code behind our form is not open source.

Test results report that my store is vulnerable. What should I do now?

First you need to know which Magento version your website is powered by. To find out, go to the backend and look at the version number at the bottom of the page. Then follow the steps below: go to https://www.magentocommerce.com/products/downloads/magento/ and in the Products navigation drop-down select the Open Source/CE value. There you will also find support material for keeping your online store running smoothly. Scroll down to find the Magento Community Edition Patches downloads section. Select your current Magento version.

Then upload the patch into your Magento root directory and run the appropriate command over SSH (the file name below is the one for CE 1.8.0.0; use the patch file that matches your version):

cd /MAGENTO/ROOT/FOLDER && sh PATCH_SUPEE-5344_CE_1.8.0.0_v1-2015-02-10-08-10-38.sh

I don’t have SSH access to my server. How can I install the SUPEE-5344 patch?

You have to make the changes manually. Find the file app/code/core/Mage/Admin/Model/Observer.php. The code

if (!$request->getParam('forwarded')) {

should be replaced with

if (!$request->getInternallyForwarded()) {
$request->setInternallyForwarded();

Then find the file app/code/core/Mage/Core/Controller/Request/Http.php and add the following code to the class:

    /**
     * Flag for recognizing if request internally forwarded
     *
     * @var bool
     */
    protected $_internallyForwarded = false;

    /**
     * Define that request was forwarded internally
     *
     * @param boolean $flag
     * @return Mage_Core_Controller_Request_Http
     */
    public function setInternallyForwarded($flag = true)
    {
        $this->_internallyForwarded = (bool)$flag;
        return $this;
    }

    /**
     * Checks if request was forwarded internally
     *
     * @return bool
     */
    public function getInternallyForwarded()
    {
        return $this->_internallyForwarded;
    }

In the app/code/core/Mage/Oauth/controllers/Adminhtml/Oauth/AuthorizeController.php file you have to replace the code

$this->getRequest()->setParam('forwarded', true);

with:

Mage::app()->getRequest()->setInternallyForwarded();

In the app/code/core/Mage/XmlConnect/Model/Observer.php file the code

$request->setParam('forwarded', true)->setDispatched(true);

should be replaced with:

$request->setInternallyForwarded()->setDispatched(true);

Then find

$request->setParam('forwarded', true)->setRouteName('adminhtml')->setControllerName('connect_user')

and replace it with:

$request->setInternallyForwarded()->setRouteName('adminhtml')->setControllerName('connect_user')

Finally, in the lib/Varien/Db/Adapter/Pdo/Mysql.php file you only have to delete the following code:

if (isset($condition['field_expr'])) {
    $fieldName = str_replace('#?', $this->quoteIdentifier($fieldName), $condition['field_expr']);
    unset($condition['field_expr']);
}

We advise clearing your browser cache and refreshing your web pages. To avoid errors while applying the patch, test it in a test environment before the website goes live. For a better understanding of the issue, you can follow the patch installation instructions at https://info.magento.com/rs/magentocommerce/images/Installing-a-Patch-for-Magento-Community-Edition.pdf.
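As an added example (not part of this page or of Magento's own code), the script below checks a Magento root for the manual edits described above. It assumes the five file paths and the code fragments quoted in the instructions and only looks for those strings, so it is a quick sanity check that the edits are present, not a full verification of the patch.

```python
"""Check that the SUPEE-5344 manual edits are present in a Magento CE tree.
Added example; the paths and fragments are the ones quoted in the instructions."""
import os

# (relative path, fragments that must be present, fragments that must be gone)
CHECKS = [
    ("app/code/core/Mage/Admin/Model/Observer.php",
     ["getInternallyForwarded()"], ["getParam('forwarded')"]),
    ("app/code/core/Mage/Core/Controller/Request/Http.php",
     ["_internallyForwarded", "setInternallyForwarded", "getInternallyForwarded"], []),
    ("app/code/core/Mage/Oauth/controllers/Adminhtml/Oauth/AuthorizeController.php",
     ["setInternallyForwarded()"], ["setParam('forwarded'"]),
    ("app/code/core/Mage/XmlConnect/Model/Observer.php",
     ["setInternallyForwarded()"], ["setParam('forwarded'"]),
    ("lib/Varien/Db/Adapter/Pdo/Mysql.php",
     [], ["field_expr"]),
]


def check_source(src, required, forbidden):
    """True only if every required fragment is present and no forbidden one remains."""
    return all(frag in src for frag in required) and not any(frag in src for frag in forbidden)


def check_file(root, rel_path, required, forbidden):
    """Return True if patched, False if unpatched or partial, None if the file is absent."""
    path = os.path.join(root, rel_path)
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8", errors="replace") as fh:
        return check_source(fh.read(), required, forbidden)


def check_supee_5344(root):
    """Map each file touched by the patch to its status for the tree under root."""
    return {rel: check_file(root, rel, req, bad) for rel, req, bad in CHECKS}


def is_patched(root):
    """The store counts as patched only if every file reports True (missing files fail)."""
    return all(status is True for status in check_supee_5344(root).values())


if __name__ == "__main__":
    import sys
    magento_root = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, status in check_supee_5344(magento_root).items():
        label = {True: "patched", False: "NOT patched", None: "file missing"}[status]
        print(f"{label:12} {rel}")
    sys.exit(0 if is_patched(magento_root) else 1)
```

Run it from the Magento root (or pass the root as the first argument); a non-zero exit means at least one file is missing or still carries the pre-patch code.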

Where can I read more about that problem?

Below is a list of articles that may be useful to you.

I found that my store is vulnerable. Can you apply the patch for us?

We wish we could help you, but we don't provide that service. Please ask your hosting provider; it should be quite easy for them.
