How to Successfully Apply the Magento Patch SUPEE-6788

On October 27, 2015, Magento released the patch SUPEE-6788, which resolves several security issues, including remote code execution and information leak vulnerabilities. The vulnerabilities were identified through Magento's security program. Because of their severity, all Magento store owners are urged to patch their sites as soon as possible. Magento also released new versions of Magento Community Edition and Magento Enterprise Edition which already include the SUPEE-6788 fixes.

How do I know if my store is vulnerable?

All versions prior to Magento CE 1.9.2.2 and EE 1.14.2.2 are vulnerable. You can scan your Magento site for security issues on magereport.com.

How to apply the patch

  • Download the SUPEE-6788 patch for the exact Magento version you are running (the patch is version-specific and will not apply to a different release). Upload it to your store root directory (e.g. public_html).
  • Log in to your account using SSH (contact us for access) and navigate to the Magento installation directory:
    cd <path_to_magento>
  • Apply the patch from that directory, as the user that owns the Magento files, by typing the following command:
    sh patch-file-name.sh (replace with the exact name of the patch for your Magento version)
  • You should see the following message if the patch was applied successfully:
    Patch was applied/reverted successfully.

What if the patch could not be applied?

Some users have reported that they get an error message similar to the following when trying to apply the patch.

checking file .htaccess
Hunk #1 FAILED at 207.
1 out of 1 hunk FAILED

This error occurs if the main .htaccess file has been modified from the stock Magento .htaccess. The message comes from the underlying patch tool: the context lines of the hunk no longer match your file, so the hunk is rejected and the patch script stops without changing anything. The script gives no further explanation, which is not a very graceful way to handle such a common situation.

The solution is to simply revert the .htaccess (and .htaccess.sample) to the stock versions from the installation package for your Magento version. You should then be able to apply the patch. Make sure to backup your customized .htaccess file first so you can restore it after the patch has been applied.

The particular change that SUPEE-6788 makes to .htaccess is included below: it blocks all HTTP requests to cron.php, so cron can only be triggered from the server (e.g. by the system crontab) and not by an anonymous visitor. It is recommended that you add this block to your customized .htaccess once the patch has been applied. Only the two uncommented lines (Order allow,deny / Deny from all) are active; the rest is a commented-out template for HTTP basic auth. Note that Order/Deny directives need mod_access_compat on Apache 2.4; if that module is not loaded, use Require all denied inside the same <Files> block instead.

<Files cron.php>

############################################
## uncomment next lines to enable cron access with base HTTP authorization
## http://httpd.apache.org/docs/2.2/howto/auth.html
##
## Warning: .htpasswd file should be placed somewhere not accessible from the web.
## This is so that folks cannot download the password file.
## For example, if your documents are served out of /usr/local/apache/htdocs
## you might want to put the password file(s) in /usr/local/apache/.

        #AuthName "Cron auth"
        #AuthUserFile ../.htpasswd
        #AuthType basic
        #Require valid-user

############################################

        Order allow,deny
        Deny from all
</Files>
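The procedure above (download, apply, check for the success message) and the .htaccess workaround are combined here into one shell script. This is an added example, not code from the original article and not Magento's own tooling; the function names and the .htaccess.custom.bak backup name are the example's own. It assumes what the article states and what the SUPEE patch scripts do: the patch must be run from the Magento root, it prints "Patch was applied/reverted successfully." on success, and it records applied patches in app/etc/applied.patches.list.

```shell
#!/bin/sh
# Added example (not from the original article, not Magento's tooling):
# apply a SUPEE patch on a store whose .htaccess carries local edits.
# Assumptions: the patch script is run from the Magento root, prints
# "Patch was applied/reverted successfully." on success, and records applied
# patches in app/etc/applied.patches.list (the SUPEE scripts do all three).
set -eu

PATCH_LIST="app/etc/applied.patches.list"

# Return 0 if PATCH_ID (e.g. SUPEE-6788) is recorded as applied under ROOT.
patch_is_applied() {
    root="$1"; patch_id="$2"
    [ -f "$root/$PATCH_LIST" ] && grep -q "$patch_id" "$root/$PATCH_LIST"
}

# Return 0 if the .htaccess at $1 already carries the cron.php access rule.
has_cron_block() {
    grep -q '<Files cron.php>' "$1"
}

# Append the SUPEE-6788 cron.php rule to a customized .htaccess, only once
# (the active lines of the block quoted in the article; the rest is comments).
add_cron_block() {
    if has_cron_block "$1"; then
        return 0
    fi
    cat >> "$1" <<'EOF'

<Files cron.php>
        Order allow,deny
        Deny from all
</Files>
EOF
}

# Workflow from the article: keep the custom .htaccess aside, put the stock
# copy in place so the hunk matches, run the patch, then restore the custom
# file and merge the one rule the patch added to .htaccess.
#   $1 = Magento root, $2 = stock .htaccess from the install package,
#   $3 = path to the downloaded patch script
apply_with_custom_htaccess() {
    root="$1"; stock="$2"; patch="$3"
    cp "$root/.htaccess" "$root/.htaccess.custom.bak"
    cp "$stock" "$root/.htaccess"
    # The SUPEE script must run from the Magento root; capture its output.
    out=$( (cd "$root" && sh "$patch") 2>&1 ) || true
    case "$out" in
        *"Patch was applied/reverted successfully."*) ;;
        *)
            echo "patch did not apply, restoring custom .htaccess:" >&2
            echo "$out" >&2
            cp "$root/.htaccess.custom.bak" "$root/.htaccess"
            return 1 ;;
    esac
    # Put the customizations back, then add the rule the patch introduced.
    cp "$root/.htaccess.custom.bak" "$root/.htaccess"
    add_cron_block "$root/.htaccess"
}

# Stand-alone use: sh apply_magento_patch.sh <magento_root> <stock_htaccess> <patch-file-name.sh>
if [ "$#" -eq 3 ]; then
    apply_with_custom_htaccess "$1" "$2" "$3"
    if patch_is_applied "$1" SUPEE-6788; then
        echo "SUPEE-6788 recorded in $1/$PATCH_LIST"
    fi
fi
```

The stock .htaccess is taken from the installation package of your exact Magento version. If the patch fails for any other reason, the script restores your customized .htaccess and exits non-zero, so a failed run leaves the site as it was.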

Thousands of Magento Stores Infected by GuruIncSite Malware

Over the weekend, a large number of Magento sites were hit by a massive JavaScript injection hack referred to as the GuruInc malware. Allegedly thousands of stores are already infected. The malware exploits a vulnerability in Magento or a 3rd party extension to inject a piece of JavaScript malware into the Magento database, which then infects any visitor to the site. Google has currently blacklisted more than 8,000 domains affected by the hack.

Online security company Sucuri Labs said the attack involves the injection of malicious scripts through iframes from the domain guruincsite.com. Both an obfuscated and a non-obfuscated version of the infection have been reported.

The malicious code is usually added in the Footer - Miscellaneous Scripts section or in a CMS page of the Magento installation.

Sucuri is investigating the spread of Guruincsite and suspect "it was some vulnerability in Magento or one of the third-party extensions that allowed it to infect thousands of sites within a short time." However, the actual attack vector is yet to be discovered.

Researchers from Malwarebytes say guruincsite shares several similarities with a campaign using the Neutrino Exploit Kit. The "neitrino" cyberattack campaign uses the same attack on the server side that Sucuri noticed, but instead compromises domains client-side via web exploits. Websites compromised through a Flash exploit are harvested for financial data and also become slaves to a botnet.

Is my store infected?

Check the page source of your Magento home page for injected code you did not add, in particular an iframe or script pointing at guruincsite.com or a function named LCWEHH. You can also scan your site for free using the following tools:

https://www.magereport.com
https://sitecheck.sucuri.net

These tools will detect the GuruInc exploit as well as other malware and known vulnerabilities.

Mitigation

To remove the guruincsite malware from an infected Magento site, you should follow these steps:

  1. Navigate to System > Configuration > Design > Footer > Miscellaneous HTML and remove the malicious code there. The hack can be identified by the presence of the code function LCWEHH(XHFER1)[...]. If you prefer to edit the database directly, look for the design/footer/absolute_footer entry of the core_config_data table.
  2. Navigate to CMS > Pages > Home > Content and delete the injected <script> tag from the page content. Check your other CMS pages as well, since the code is not always placed on the home page only.
  3. Delete any unknown admin users from System > Permissions > Users.
  4. Finally, make sure that you are running the latest version of Magento and that all security patches have been applied.

As a hacker may have gained access to your database credentials, we also recommend that you change the database user and password as well as the password of all Magento admin users.

When you have completed the above steps, please re-run a vulnerability check to confirm your site is clean.
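The detection check above ("is my store infected?") and the clean-up verification can be scripted. The following is an added example, not part of the original article and not a Sucuri or Malwarebytes tool. The two indicators it looks for, the guruincsite.com domain and the LCWEHH function name, are the ones named in the text; the function names and the constructed sample files are the example's own.

```shell
#!/bin/sh
# Added example (not from the original article): scan a saved copy of a
# store page and a database dump for the GuruIncSite indicators named above.
set -eu

# Indicators from the article: the injected iframe domain and the loader
# function name of the obfuscated variant. Extended regex, case-insensitive.
IOC_PATTERN='guruincsite\.com|function LCWEHH\('

# Print "line:match" for every indicator hit in FILE; return 1 if clean.
scan_file() {
    grep -n -i -o -E "$IOC_PATTERN" "$1" || return 1
}

# Print the number of lines in FILE that contain an indicator (0 = clean).
ioc_count() {
    grep -c -i -E "$IOC_PATTERN" "$1" || true
}

# Check a mysqldump of the store database. The article says the payload is
# stored in design/footer/absolute_footer (core_config_data) or in a CMS
# page, so only INSERT lines for those two tables are inspected.
scan_dump() {
    grep -n -E 'core_config_data|cms_page' "$1" | grep -i -E "$IOC_PATTERN" \
        || return 1
}

# Constructed sample inputs (not real captures) so the script runs offline:
# a home page with both indicators and a three-row dump with two infected rows.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/home.html" <<'EOF'
<html><body>
<p>Welcome to our store</p>
<script>function LCWEHH(XHFER1){/* obfuscated loader body */}</script>
<iframe src="http://guruincsite.com/" width="1" height="1"></iframe>
</body></html>
EOF
    cat > "$dir/dump.sql" <<'EOF'
INSERT INTO `core_config_data` VALUES (12,'default',0,'design/footer/absolute_footer','<script>function LCWEHH(XHFER1){}</script>');
INSERT INTO `core_config_data` VALUES (13,'default',0,'web/unsecure/base_url','http://store.example/');
INSERT INTO `cms_page` VALUES (2,'Home','home','<iframe src="http://guruincsite.com/" width="1" height="1"></iframe>');
EOF
    echo "$dir"
}

# Stand-alone use: sh guruinc_scan.sh <saved_page.html> [dump.sql]
if [ "$#" -ge 1 ]; then
    echo "hits in $1: $(ioc_count "$1")"
    scan_file "$1" || echo "no indicators in $1"
    if [ "$#" -ge 2 ]; then
        scan_dump "$2" || echo "no indicators in $2"
    fi
fi
```

Save the page with curl -s https://your-store.example/ > home.html and the database with mysqldump before and after the clean-up; a count of 0 on both after the steps above, together with a clean re-scan on magereport.com or sitecheck.sucuri.net, is the confirmation the article asks for. The same check run directly against the database is SELECT path, value FROM core_config_data WHERE value LIKE '%guruincsite%' OR value LIKE '%LCWEHH%'.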

Re-submission to Google

If Google has blacklisted your site, make sure to log into Google Webmaster Tools and from the Security tab confirm that the malware has been removed from the site. The warning should disappear after a couple of hours.