Magento Patch 9652
The new Magento Patch 9652 is available. Here is all you need to know about this patch and what risks you may face if you apply it to your system. It is an important security patch, but only under special circumstances.
Magento Patch 9652
Magento Patch 9652 protects your Magento shop against a Zend library vulnerability, so it is more a Zend bug than a problem in the shop system itself. Because it is a Zend library problem, the patch has to be applied to both Magento 1 and Magento 2. All shops above Enterprise Edition 1.14.3.2 and Community Edition 1.9.3.2 are in danger.
How can you detect whether this problem can occur and your shop is vulnerable? Go to System->Configuration->Advanced->System. Under “Mail Sending Settings” you will find an option called “Set Return-Path”:
By default this option is deactivated, so the vulnerability is not exposed – you are safe! If you use this option for any reason, you should apply this patch immediately. It is also a good idea to install this patch even if you are not in danger.
Details
This patch is very small. It only changes a few lines of code in the file lib/Zend/Mail/Transport/Sendmail.php: it adds an if statement which throws an exception with the message “Potential code injection in From header” in case of a possible attack. If you apply this patch and then see this message in your exception.log, you are lucky: you have protected your shop against an attack!
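Since the post says that seeing this message in exception.log means the patch blocked an attempt, it is worth alerting on it. The following scanner is an added example, not part of the post or of the Magento patch; it assumes the usual Magento 1 exception.log line layout (timestamp, level, then "exception 'Class' with message '...'") and runs over a constructed sample log.

```python
import re
from collections import Counter

# Message thrown by the if statement the patch adds (quoted in the post).
BLOCKED_MSG = "Potential code injection in From header"

# Assumed Magento 1 exception.log layout: ISO timestamp, level, priority, then
# "exception 'Class' with message 'text' in file:line". Stack-trace lines that
# follow an entry do not match this pattern and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<level>[A-Z]+) \(\d+\): "
    r"exception '(?P<cls>[\w\\]+)' with message '(?P<msg>[^']*)'"
)


def scan_exception_log(lines):
    """Return (number of blocked attempts, their timestamps, Counter of other exception classes)."""
    blocked_ts = []
    others = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation or stack-trace line
        if m.group("msg") == BLOCKED_MSG:
            blocked_ts.append(m.group("ts"))
        else:
            others[m.group("cls")] += 1
    return len(blocked_ts), blocked_ts, others


# Constructed sample log; not taken from a real shop.
SAMPLE_LOG = """\
2017-02-20T10:15:02+00:00 ERR (3): exception 'Zend_Mail_Transport_Exception' with message 'Potential code injection in From header' in /var/www/html/lib/Zend/Mail/Transport/Sendmail.php:165
Stack trace:
#0 /var/www/html/lib/Zend/Mail/Transport/Abstract.php(348): Zend_Mail_Transport_Sendmail->_sendMail()
2017-02-20T10:16:40+00:00 ERR (3): exception 'Mage_Core_Exception' with message 'Invalid block type' in /var/www/html/app/Mage.php:595
2017-02-20T11:02:11+00:00 ERR (3): exception 'Zend_Mail_Transport_Exception' with message 'Potential code injection in From header' in /var/www/html/lib/Zend/Mail/Transport/Sendmail.php:165
""".splitlines()

if __name__ == "__main__":
    count, when, others = scan_exception_log(SAMPLE_LOG)
    print(f"{count} blocked attempt(s) at {when}; other exceptions: {dict(others)}")
```

Feed it the real file with `scan_exception_log(open("var/log/exception.log"))` and raise an alert whenever the count is non-zero.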
Possible Problems
Because this patch is so tiny, there are no known problems. You are safe to apply it to a production environment.
Conclusion
You are safe if you install Patch 9652, whether you are obviously vulnerable or not. It seems that code injection through this security hole can destroy your shop, or an attacker can steal data. Code injection is a bad thing, especially for online shops. Please install it!