Magento has released a new security patch, SUPEE-10415, addressing various issues in the Magento 1.x platform. We highly recommend that merchants on Magento 1.x install it as soon as possible to benefit from the fixes.
Security Patches
SUPEE-10415, Magento Commerce 1.14.3.7, and Open Source 1.9.3.7 contain various security enhancements that help to fix vulnerabilities such as the following:
- Cross-site request forgery (CSRF)
- Denial-of-Service (DoS)
- Authenticated Admin user remote code execution (RCE)
These releases also include a fix for prior customers who had issues patching caused by SOAP v1 interactions in WSDL.
Information on all the changes in the Magento Commerce 1.14.3.7 and Open Source 1.9.3.7 releases is available in the Magento Commerce and Magento Open Source release notes (linked under References below).
Patches and upgrades are available for the following Magento versions:
- Magento Commerce 1.9.0.0 – 1.14.3.7: SUPEE-10415 or upgrade to Magento Commerce 1.14.3.7.
- Magento Open Source 1.5.0.0 – 1.9.3.7: SUPEE-10415 or upgrade to Magento Open Source 1.9.3.7.
Before installation
Before installing the patch, check that earlier patches have been installed correctly, since some patches require other patches to be in place first. You can use magereport.com to check which patches are installed on your site.
Preparations
- Disable Magento Compiler and clear the compiler cache.
- Disable Symlinks setting. In the Magento backend, navigate to System > Configuration > Advanced > Developer > Template Settings > Enable Symlinks and set it to No, if it is not set already.
- Be sure to test the patch in a development environment first, as it can affect extensions and customizations.
SUPEE-10415 Patch
Installation Steps
Please upload the patch into your Magento root directory and run the appropriate SSH command:
For patch files with the file extension .sh:
sh patch_file_name.sh
Example: sh PATCH_SUPEE-1868_CE_1.7.0.2_v1.sh
For patch files with the file extension .patch:
patch -p0 < patch_file_name.patch
Example: patch -p0 < PATCH_SUPEE-1868_CE_1.7.0.2_v1.patch
Upon completion, refresh the cache in the Admin under “System > Cache Management” so the changes take effect. We highly recommend testing all patches in a test environment before taking them live.
For further instructions, see: Installing a Patch for Community Edition
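As an added example (not part of this post or of Magento's own patch tooling), the following POSIX shell script strings the steps above together: it checks app/etc/applied.patches.list for the prerequisites mentioned under Before installation, disables and clears the compiler with Magento's shell/compiler.php, and applies a .sh or .patch file, dry-running a .patch first so a rejected hunk stops the run before anything in the store is modified. It assumes MAGE_ROOT points at the Magento root, that GNU patch is installed, and that the list file uses the "|"-separated lines the .sh patch scripts write, with the word REVERTED marking a removal; the sample list at the bottom is constructed for the demonstration, not taken from a real store.

```shell
#!/bin/sh
# Added example, not part of the Magento 1 docs or the SUPEE-10415 patch.
# Assumptions: MAGE_ROOT is a Magento 1 root; Magento's .sh patch scripts
# record each run in app/etc/applied.patches.list as a "|"-separated line
# holding the patch id and, for a removal, the word REVERTED.
set -u

MAGE_ROOT="${MAGE_ROOT:-.}"

# patch_applied ID [LISTFILE]
# Exit 0 when the most recent entry for ID is an application (not a revert),
# 1 when ID is absent, was reverted, or the list file does not exist.
patch_applied() {
    id="$1"
    list="${2:-$MAGE_ROOT/app/etc/applied.patches.list}"
    [ -f "$list" ] || return 1
    last=$(grep -w "$id" "$list" | tail -n 1)
    [ -n "$last" ] || return 1
    case "$last" in
        *REVERTED*) return 1 ;;
        *)          return 0 ;;
    esac
}

# check_prerequisites LISTFILE ID...
# Print every ID that is not currently applied; exit 1 if any is missing.
check_prerequisites() {
    list="$1"; shift
    missing=0
    for id in "$@"; do
        if ! patch_applied "$id" "$list"; then
            echo "missing: $id"
            missing=1
        fi
    done
    return $missing
}

# prepare_compiler
# Step 1 of the preparations: disable the Magento compiler and clear its
# cache using the compiler shell script that ships with Magento 1.
prepare_compiler() {
    php -f "$MAGE_ROOT/shell/compiler.php" -- disable &&
    php -f "$MAGE_ROOT/shell/compiler.php" -- clear
}

# apply_patch FILE
# Runs the patch the way the installation steps describe. A .patch file is
# first checked with --dry-run (GNU patch) so that a rejected hunk aborts
# before any file in the store is changed.
apply_patch() {
    file="$1"
    case "$file" in
        *.sh)    (cd "$MAGE_ROOT" && sh "$file") ;;
        *.patch) (cd "$MAGE_ROOT" && patch -p0 --dry-run < "$file" \
                                  && patch -p0 < "$file") ;;
        *)       echo "unknown patch type: $file" >&2; return 2 ;;
    esac
}

# Constructed sample list for the demonstration run (not a real store's file).
# The third line records a revert of SUPEE-10415, so only SUPEE-10266 counts
# as applied.
demo_list=$(mktemp)
trap 'rm -f "$demo_list"' EXIT
cat > "$demo_list" <<'EOF'
2017-09-14 10:00:00 UTC | SUPEE-10266 | CE_1.9.3.4 | v1 | 0000000 | Thu Sep 14 | constructed entry
2017-11-28 10:00:00 UTC | SUPEE-10415 | CE_1.9.3.6 | v1 | 0000000 | Tue Nov 28 | constructed entry
2017-11-29 10:00:00 UTC | SUPEE-10415 | CE_1.9.3.6 | v1 | REVERTED | 0000000 | Wed Nov 29 | constructed entry
EOF

# Stand-alone run: report which of the two sample ids is not currently applied.
check_prerequisites "$demo_list" SUPEE-10266 SUPEE-10415 \
    || echo "at least one required patch is not applied; install it first"
```

On a real store, drop the second argument to patch_applied so it reads MAGE_ROOT/app/etc/applied.patches.list, and run prepare_compiler and apply_patch only after the prerequisite check passes; the Symlinks setting and the cache refresh are still done in the Admin as described above.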
Main fixes
- Magento no longer displays the “Invalid Secret Key. Please refresh the page.” message when a user loads the Admin.
- The one-page checkout page now displays the “No payment information required” message when a customer checks out an order for which no amount is due. Magento versions prior to 1.14.3.3 included this message, but it was missing from v1.14.3.3.
- The typo in the patch header information has been fixed (autocomplete="new-pawwsord" is now autocomplete="new-password").
- Magento no longer supports custom file extensions for Mage::log(). Supported file extensions are .log, .txt, .html and .csv. For more information, navigate to Developers > Log Settings in the Admin, where Magento displays this comment: “Logging from Mage::log()”. The file is located in /var/log.
- Passwords for new users are now limited to 256 characters. If a new user enters a password that exceeds 256 characters, Magento displays this message: “Please enter a password with at most 256 characters”.
References
https://magento.com/security/patches/supee-10415
http://devdocs.magento.com/guides/m1x/ce19-ee114/ee1.14_release-notes.html#ee114-11436
http://devdocs.magento.com/guides/m1x/ce19-ee114/ce1.9_release-notes.html#ce19-1936
https://magento.stackexchange.com/questions/203567/security-patch-supee-10415-possible-issues
https://magento.com/blog/magento-news/introducing-new-magento-security-scan-tool