Secure your Magento store with the Supee 8788 patch

by David Dwyer on 12/09/2016

Magento is (in our view deservedly) a popular e-commerce solution.  

Whether yours is a large business that needs an enterprise-level solution or a smaller business with ambition, it's pretty much the obvious choice. 

What may be less obvious, especially to newcomers, is the need to keep up to date with any new security patches like Supee 8788, and doing so is not always completely straightforward. 

Why Magento needs security patches... 

Magento - like WordPress, Drupal, Joomla, and other programs used for content management - is 'open source', which means, in effect, that anyone and everyone has access to the code it uses. 

On the plus side, software developers can easily create plugins that add new features and new capabilities to the base program. On the minus side, cybercriminals (we don’t use the term hackers as that is disingenuous) can also see the code - and experiment with new ways of either breaking it or exploiting it. And sometimes, of course, those very useful plugins can create an unintentional gateway for malicious code. 

To counter that threat, our community of developers and programmers needs to be vigilant (both proactive and reactive) by constantly being on the lookout for vulnerabilities in the code, whether or not they've been exploited at that point. We'll then create or apply 'security patches' to deal with them. 

The snag is that by doing so they are announcing a possible weakness to the world at large. Including criminals. Which means anyone who doesn't install the patch could be vulnerable. 

...what might happen... 

The danger is well illustrated by an incident with another open-source content management system, Drupal. 

In October 2014 literally millions of websites using Drupal were put at risk by a vulnerability which had little or no obvious effect on their operation. The resulting chaos even made the national news. Website owners were advised to take action 'within seven hours' of the bug's discovery on 15 October 2014. Those who did not were told to assume their site had been compromised. And even for users who had installed the update, the advice was to check for any 'back doors' a criminal might have installed before that was done. 

The risk? 

Criminals could - in theory at least - steal all the data from the site (including, for example, data about customers) and then use it maliciously. And there might be no sign at all that the attack had taken place. 

For online retailers and their e-Commerce sites that was potentially catastrophic - for obvious reasons. And the lesson is clear. It's never a good idea to wait before installing a security patch. Because the longer you wait, the greater the chance that a criminal will take advantage of the delay. Even if you're running a relatively small business. Remember they are not seeking you out personally as a business but instead are targeting all those websites with your build configuration. 

No one is immune from these threats - but you can minimise the risk. 

...and why you need Supee 8788 

A recent Magento patch - codenamed Supee 8788 - is a case in point. It includes 17 AppSec (application security) updates - enough reason, in itself, to install it. But it also deals with a dozen other potential problems that could put your business at risk.  

These include issues with the Zend Framework, the open-source PHP libraries that Magento is built on. Some payment methods could also make you vulnerable. 

To take just a few examples, without this update: 

  • A malicious user could run an arbitrary command via the summary to gain access to your store 

  • They could also use SQL injection to change or delete anything in your database. Including, for example, prices, products, order data, and client data 

  • A lower-level user could gain access to settings normally only available to an administrator. 

  • It is possible to log in using just an email address. So a hacker who knows that address can pose as an existing customer. They might even be able to use someone else's card details (if those details are stored in the site's database). 

  • A criminal could use a cross-site request forgery, via a wishlist, to trick a user into (for example) transferring funds or changing their email address. They might even use this to gain control of the website. 

  • Without the patch, some sessions do not close properly when a user logs out. 

On the plus side, the patch delivers well over a hundred useful upgrades to the Magento core code and its compatibility with PHP 5.6. 

If you're running either the Enterprise Edition 1.14.3 or the Community Edition 1.9.3 version of Magento, you need to install Supee 8788 - but there are a few things you need to look out for. 

Installing the Supee 8788 patch 

Before you start it's important to check that older patches have been properly installed - otherwise the new patch may cause problems. You can use MageReport to do this. 

It's advisable to test the patch first, in a development environment, before it goes live in your online store. You won't want any issues that may occur to affect the normal running of your website. 

It's easiest to install the patch using SSH access - if you have it. Before you start you'll need to disable the Magento Compiler at System > Configuration > Tools > Magento Compiler. You should also clear the compiled cache (if you are using the compiler). 

After installation, check to be sure that all your CMS, Shipping, Payment and landing pages are loading properly. 
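The steps above, as an added pre-flight and post-install check script for an SSH installation (this is not code from the original post or from Magento). MAGENTO_ROOT, PATCH_FILE and the URLs are placeholders; the layout of app/etc/applied.patches.list and includes/config.php that it parses is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight and post-install
# checks for applying SUPEE-8788 over SSH. MAGENTO_ROOT, PATCH_FILE and the
# URLs are placeholders; the file layouts parsed below are assumptions.
MAGENTO_ROOT="${MAGENTO_ROOT:-/var/www/magento}"
PATCH_FILE="${PATCH_FILE:-PATCH_SUPEE-8788_PLACEHOLDER.sh}"

# SUPEE ids recorded in app/etc/applied.patches.list, skipping entries that
# Magento marked REVERTED (assumed marker), one id per line, sorted.
applied_patches() {
    list="$1/app/etc/applied.patches.list"
    [ -f "$list" ] || return 0
    grep -v 'REVERTED' "$list" | grep -o 'SUPEE-[0-9]*' | sort -u
}

# Succeeds when patch id $2 is recorded as applied under Magento root $1.
has_patch() {
    applied_patches "$1" | grep -qx "$2"
}

# Compiler is off when includes/config.php has its COMPILER_INCLUDE_PATH
# define commented out (assumed layout) or the file is absent.
compiler_disabled() {
    cfg="$1/includes/config.php"
    [ -f "$cfg" ] || return 0
    ! grep -q "^define('COMPILER_INCLUDE_PATH'" "$cfg"
}

# Refuse to proceed if the patch is already on or the compiler is still on.
preflight() {
    if has_patch "$1" SUPEE-8788; then echo "SUPEE-8788 already applied"; return 1; fi
    if ! compiler_disabled "$1"; then
        echo "disable the compiler first: php -f shell/compiler.php -- disable"; return 1
    fi
}

# Clear the compiled cache, apply the patch, then confirm key pages return 200.
apply_and_verify() {
    cd "$MAGENTO_ROOT" || return 1
    php -f shell/compiler.php -- clear && sh "$PATCH_FILE" || return 1
    for url in "$@"; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "$url")
        [ "$code" = "200" ] || { echo "FAIL $code $url"; return 1; }
    done
}

if [ "${1:-}" = "--run" ]; then
    preflight "$MAGENTO_ROOT" && apply_and_verify "https://shop.example/" \
        "https://shop.example/checkout/cart/" "https://shop.example/customer/account/login/"
fi
```

Run it with `--run` on the development copy first; the page list at the bottom is where your own CMS, shipping, payment and landing page URLs go.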

And if you'd welcome some help with installation, why not give Inspire a call on 01738 700006 or drop us an email? We will be happy to advise you and give any help you need.
