Magento Patch 8788
With the recent Magento Patch 8788 a long-wanted change has finally arrived: the Flash uploader for product images was completely replaced. Besides this feature change, a lot of critical and high-priority security fixes are included. Here is what you need to know.
Magento Patch 8788
The most obvious change with the new Magento Patch 8788 is the new image upload in the Magento backend. The upload was previously done by a Flash uploader, a *.swf file, which was a really bad idea. Modern browsers block Flash by default for various security reasons. For Magento users this was often confusing, because the image upload buttons were simply missing, and support was often contacted by angry shop backend users. For this patch the Mage_Downloadable module was refactored to fully replace the old Flash uploader. Here is a picture of it:
The new uploader comes with a new setting where you can set the maximum dimension for uploaded images.
Security issues
More than half a year after the last security patch, many critical and high-priority issues are solved. Here is a short list of these changes:
- remote code execution in the checkout is no longer possible
- a serious SQL injection flaw in Zend Framework was patched
- the store configuration can no longer be exploited via the block cache
- it was possible to log in as another user by only knowing their email address – fixed
- remote code execution in the admin backend was also closed
- manipulation of sites by Full Page Cache poisoning is also no longer possible
- GIF flooding with manipulated images to cause a script timeout (denial of service) is no longer possible
- cross-site scripting in the Flash file uploader is no longer possible – it was removed
The full list can also be viewed on the official Magento patch site. Interestingly, all fixes are marked with "Known Attacks: None", so they are all only theoretically dangerous so far. The problem is that with this list published, attackers may try to check whether your shop is already patched.
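The maximum image dimension setting mentioned above and the GIF flooding item in the list share one defensive idea: read the declared size from the image header and reject oversized files before any decoding takes place. The following Python is an added illustration of that check, not Magento's own code, and the sample headers are constructed for the example:

```python
import struct

# Magic bytes for the two formats handled here (constructed example, not Magento code)
GIF_MAGICS = (b"GIF87a", b"GIF89a")
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def read_dimensions(data: bytes):
    """Return (format, width, height) from the header alone; no pixel data is decoded.
    GIF: logical screen size as two little-endian uint16 after the 6-byte signature.
    PNG: width/height as big-endian uint32 inside the leading IHDR chunk."""
    if data[:6] in GIF_MAGICS:
        if len(data) < 10:
            raise ValueError("truncated GIF header")
        width, height = struct.unpack("<HH", data[6:10])
        return "gif", width, height
    if data[:8] == PNG_MAGIC:
        if len(data) < 24 or data[12:16] != b"IHDR":
            raise ValueError("PNG without a leading IHDR chunk")
        width, height = struct.unpack(">II", data[16:24])
        return "png", width, height
    raise ValueError("unrecognised image format")

def upload_allowed(data: bytes, max_dim: int):
    """Decide before any decoding whether the upload may proceed; returns (allowed, reason).
    An image claiming e.g. 65535x65535 pixels is rejected without allocating a frame for it."""
    try:
        fmt, width, height = read_dimensions(data)
    except ValueError as exc:
        return False, str(exc)
    if width == 0 or height == 0:
        return False, f"{fmt}: zero-sized image"
    if width > max_dim or height > max_dim:
        return False, f"{fmt}: {width}x{height} exceeds the {max_dim}px limit"
    return True, f"{fmt}: {width}x{height} within the {max_dim}px limit"

# Constructed sample headers (not real uploads): a small GIF, a GIF declaring
# the largest possible size, and a PNG IHDR for an 800x600 image.
SMALL_GIF = b"GIF89a" + struct.pack("<HH", 64, 48) + b"\x00\x00\x00;"
HUGE_GIF = b"GIF89a" + struct.pack("<HH", 65535, 65535) + b"\x00\x00\x00;"
PNG_800X600 = PNG_MAGIC + struct.pack(">I", 13) + b"IHDR" + struct.pack(">II", 800, 600)

if __name__ == "__main__":
    for name, sample in (("small gif", SMALL_GIF), ("huge gif", HUGE_GIF), ("png", PNG_800X600)):
        print(name, upload_allowed(sample, 1024))
```

The header check is only a cheap first gate; the real decoder still needs its own memory and time limits, because a header can lie about what follows.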
Conclusion
The new security Patch 8788 is another important security patch for Magento. It also disables the Flash uploader, which is very important, because current browsers do not support Flash by default and the missing buttons caused confusion for your shop admins.