Security of customer data is always a high-priority concern, especially for Magento eCommerce. As developers, we do our best to make sure that malicious users are not able to execute scripts in HTML forms or hijack forms in any other way. The Magento team and community do an excellent job of detecting these vulnerabilities and releasing patches to fix security threats, but it’s also up to developers to make sure that they are taking proper measures in their code base to comply with patches and evolving security standards.
Keeping up to date with Magento SUPEE security patches is a big responsibility. For example, the Magento SUPEE 6788 patch (https://magento.com/security/patches/supee-6788-technical-details) was released on October 27, 2015 to fix a number of security vulnerabilities. Often the patch itself is only the beginning: understanding what the patch was intended for is the first step in manually fixing parts of your code to ensure their security. After installing the SUPEE 6788 patch, we noticed that customers could no longer register a new account, which was very problematic from a business perspective. The patch did its job to secure our customers and broke parts of the code that were insecure, which is a good thing! It was up to us to fix those areas of code in order to comply with changing standards. If your developers are not taking these actions to patch their Magento sites, it will become increasingly difficult to patch in the future, since new patches may rely on previous patch versions. Hacker tools like Metasploit (http://www.metasploit.com/) will uncover these vulnerabilities and your site will be wide open to attack.
As mentioned above, trimming and adding to code to make it compliant with these security patches is often the hard part, and may require some research. In the case of our registration forms no longer working, it was a simple fix: add form keys to the forms so that each form carries a unique key and cannot be forged.
The patch automatically updates the default template files so that every form obtains a form key, but in our case we were overriding the default Magento templates, and those overrides were not updated by the patch. We fixed this by manually adding the following input element to our form pages:
<input type="hidden" name="form_key" value="<?php echo Mage::getSingleton('core/session')->getFormKey() ?>" />
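To make the form-key mechanism concrete, here is an added stand-alone model of what the hidden input and the server-side check accomplish together. It is example code written for this page, not Magento's own code: the `newFormKey`, `formKeyInput` and `isValidFormKey` functions are assumptions, and the session and request are plain arrays so the script runs outside Magento (it assumes PHP 7 or later for `random_bytes`).

```php
<?php
// Added example, not Magento's code: a minimal model of the form-key check
// that the patch enforces on POST actions. Session and request are plain
// arrays here so the script runs stand-alone (assumes PHP 7+).

// One key per session; Magento keeps this in core/session and getFormKey() returns it.
function newFormKey()
{
    return bin2hex(random_bytes(16));
}

// The hidden input that every overriding template must carry.
// The value is attribute-escaped so it cannot break out of the attribute.
function formKeyInput($formKey)
{
    return '<input type="hidden" name="form_key" value="'
        . htmlspecialchars($formKey, ENT_QUOTES, 'UTF-8') . '" />';
}

// Server side: accept the POST only if it carries the key bound to this session.
// hash_equals() compares in constant time, so key length leaks nothing.
function isValidFormKey(array $session, array $post)
{
    if (empty($session['form_key']) || !isset($post['form_key'])) {
        return false;
    }
    return hash_equals($session['form_key'], (string) $post['form_key']);
}

// Constructed walk-through of the three cases a defender cares about.
$session = array('form_key' => newFormKey());
echo formKeyInput($session['form_key']), "\n";

// 1. Template rendered in this session and submitted back: accepted.
$ownSubmit = array('form_key' => $session['form_key'], 'email' => 'a@example.com');
echo 'own submission accepted: ', var_export(isValidFormKey($session, $ownSubmit), true), "\n";

// 2. Overridden template that still lacks the hidden input: rejected. This is
//    the "registration silently stops working" symptom described above.
$noKey = array('email' => 'a@example.com');
echo 'submission without key accepted: ', var_export(isValidFormKey($session, $noKey), true), "\n";

// 3. Key that belongs to a different session (for example, a page rendered elsewhere): rejected.
$foreign = array('form_key' => newFormKey(), 'email' => 'a@example.com');
echo 'foreign key accepted: ', var_export(isValidFormKey($session, $foreign), true), "\n";
```

The second case is the one that bit the overridden templates: the server-side check is correct, and the only fix is to make every custom form template emit the hidden `form_key` input so the browser sends it back.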
Furthermore, we noticed that all of our Magento Enterprise OnePage checkout forms were also not working. No error was thrown; the form just didn’t do anything or add a customer to the database. The behavior was otherwise normal and allowed the customer to keep going with the checkout process. I had no idea how to fix the problematic code, or even detect that there was a problem with the input parameters. After some research and a bit of testing, it was determined that all the input elements needed a Magento helper function to escape the string data to prevent cross-site scripting (XSS) attacks. See the following code:
<input type="password" name="billing[customer_password]" id="billing:customer_password" title="<?php echo $this->__('Password') ?>" class="input-text required-entry validate-password" />
The SUPEE 6788 patch was preventing this code from working, as the title attribute was echoing the user’s password without escaping the string. Furthermore, the password input was not the only input element that needed to be changed. All input fields in the Magento Enterprise OnePage checkout registration form needed to be properly escaped to prevent this vulnerability by using the Mage::helper('core')->quoteEscape() function. In this case, I updated the above code to this:
<input type="password" name="billing[customer_password]" id="billing:customer_password" title="<?php echo Mage::helper('core')->quoteEscape($this->__('Password')) ?>" class="input-text required-entry validate-password" />
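The following added example shows why the value echoed into `title` must be escaped. It is not Magento's code: `attrEscape` is a stand-in built on PHP's `htmlspecialchars` with `ENT_QUOTES`, used here for what the page uses `quoteEscape()` for, and `renderPasswordInput` and `parsedTitle` are helpers assumed for this demonstration. The label containing double quotes is a constructed translated string; translations are loaded from CSV files and can legitimately contain quotes.

```php
<?php
// Added example, not Magento's code: escaping a string that lands inside an
// HTML attribute. Uses PHP's DOM extension to show what a parser actually sees.

// Constructed translated label that happens to contain double quotes.
$label = 'Password ("min. 6 chars")';

// Attribute-context escaping. This mirrors what the page uses quoteEscape() for,
// but it is PHP's htmlspecialchars, not Magento's helper. ENT_QUOTES converts
// both " and ' so the value is safe in single- or double-quoted attributes;
// double_encode=false leaves existing entities such as &amp; alone.
function attrEscape($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8', false);
}

// The checkout input from the page, with the title either raw or escaped.
function renderPasswordInput($label, $escape = true)
{
    $title = $escape ? attrEscape($label) : $label;
    return '<input type="password" name="billing[customer_password]"'
        . ' id="billing:customer_password" title="' . $title . '"'
        . ' class="input-text required-entry validate-password" />';
}

// Parse the markup the way a browser would and return the title attribute
// of the first <input>, i.e. the value the user and the DOM actually get.
function parsedTitle($html)
{
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input ? $input->getAttribute('title') : null;
}

// Unescaped: the attribute terminates at the first embedded quote and the
// remainder of the label is parsed as further markup. This is the attribute
// injection that the escaping guards against.
$raw = renderPasswordInput($label, false);
echo "unescaped markup: $raw\n";
echo 'title seen by parser: ', parsedTitle($raw), "\n";

// Escaped: the quotes become &quot; and the full label survives intact.
$safe = renderPasswordInput($label, true);
echo "escaped markup:   $safe\n";
echo 'title seen by parser: ', parsedTitle($safe), "\n";

// Simple defensive check a test suite can run over rendered templates:
// the attribute value must round-trip to the original label.
function titleRoundTrips($label)
{
    return parsedTitle(renderPasswordInput($label, true)) === $label;
}
echo 'escaped title round-trips: ', var_export(titleRoundTrips($label), true), "\n";
```

The same escaping applies to every attribute that echoes a translated or user-supplied string, which is why the fix had to be applied to all input fields in the registration template rather than only the password field.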
Again, this was done for all input fields in the registration template code. Granted, this should have been an easy find for a security analyst. I have provisioned servers and taken stiff security measures into account, but often it is hard to develop and keep security in mind at all times. But rest assured, if your team is installing Magento SUPEE patches as they are released, your site will at least be secure. It may also end up a little broken, which is far better than being vulnerable. Thankfully, the amazing developers and security-minded folks in the Magento community are working hard to uncover vulnerabilities and stop hacker activity. Just make sure to set aside time in your busy development cycle to work out patch updates and code compatibility as a high priority. You may not know it now, but you’ll be thankful in the end.