Magento 1.x Security Patch Notice
For Magento Open Source 1.5 to 1.9, Magento is providing software security patches through June 2020 to ensure those sites remain secure and compliant. Visit our information page for more details about our software maintenance policy and other considerations for your business.
Release Notes
Magento Community Edition 1.9.2.2
We are pleased to bring to you Magento Community Edition, 1.9.2.2, which features a bundle of patches that improves the security of your Magento installation.
Important! Use Magento Community 1.9.2.2 or later for all new installations and upgrades to ensure that you have the latest fixes, features, and security updates.
Security Patches
To receive direct notification from our security team regarding any emerging issues and solutions, stop by the Magento Security Center and sign up for the Security Alert Registry. To learn more, see:
SUPEE-6788 Patch Bundle
This patch bundle protects your Magento installation against several potential threats, and includes a new configuration setting that helps manage the backward compatibility of the patch for extensions and customizations. The first patch in the bundle was included in the Magento Community 1.9.2.1 release. However, versions of Magento Community prior to 1.9.2.1 need this critical patch.
Important! This patch breaks backward compatibility, and can impact extensions and customizations.
Admin Routing Compatibility Mode
To help manage the compatibility of extensions and customizations, the following setting has been added to the Admin > Security configuration:
-
Field: Admin routing compatibility mode for extensions
Scope: Global
Description: Allows you to verify that all extensions and customizations are compatible before the patch is enabled.
Enable: (Default Setting) Partially enables an installed patch to allow extensions or customizations with older modules to continue working in an unsecured state while the code is updated. When all impacted extensions are updated, set Admin Routing to “Disable” to fully enable the security patch.
Disable: Fully enables an installed security patch. Any extensions with older modules will not work correctly.
We recommend that you install the patch first in the test environment, and try disabling the compatibility mode. If you discover issues, set Admin Routing Compatibility back to “Enabled”. If your extensions and customizations work correctly, you can deploy the fully-enabled patch to production. If you discover issues accessing extensions or customizations from the Admin, set Admin Routing Compatibility Mode to “Disabled” before deploying the patch to production. Then, update the impacted customizations and extensions as needed.
We urge you to enable Admin Routing Compatibility Mode as soon as possible to protect your installation from automated attacks. To learn more, see the technical details in the Security Center.
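A way to check from outside the Admin which state the setting is actually in, as an added example that is not part of these release notes or of Magento: the script reads the flag from core_config_data and reports whether the patch is fully enforced. It assumes the configuration path admin/security/extensions_compatibility_mode with 1 meaning Enable and 0 meaning Disable (verify this against the system.xml of your release), takes the database DSN and credentials from environment variables, and falls back to constructed sample rows when no DSN is set so it can be run offline.

```php
<?php
// Added example, not Magento code. Reports whether the SUPEE-6788 admin
// routing patch is fully enforced (compatibility mode disabled).
declare(strict_types=1);

// Assumed config path; 1 = Enable (compatibility mode on), 0 = Disable.
const COMPAT_MODE_PATH = 'admin/security/extensions_compatibility_mode';

/**
 * Interpret the core_config_data rows for the path. No row at all means the
 * default applies, which is Enable, i.e. the patch is only partially enforced.
 * @param array<int, array{scope:string, scope_id:int|string, value:?string}> $rows
 * @return array{fully_enforced:bool, reason:string}
 */
function compatibilityModeReport(array $rows): array
{
    if ($rows === []) {
        return ['fully_enforced' => false,
                'reason' => 'no row found: default is Enable (compatibility mode on)'];
    }
    foreach ($rows as $row) {
        if ((string) $row['value'] !== '0') {
            return ['fully_enforced' => false,
                    'reason' => sprintf('scope %s/%d has value %s', $row['scope'],
                                        (int) $row['scope_id'], var_export($row['value'], true))];
        }
    }
    return ['fully_enforced' => true, 'reason' => 'compatibility mode disabled in every scope'];
}

/** Read the rows for the path from a live database. */
function fetchRows(PDO $db): array
{
    $stmt = $db->prepare('SELECT scope, scope_id, value FROM core_config_data WHERE path = :path');
    $stmt->execute([':path' => COMPAT_MODE_PATH]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$dsn = getenv('MAGE_DSN');
if ($dsn !== false && $dsn !== '') {
    $db = new PDO($dsn, getenv('MAGE_DB_USER') ?: '', getenv('MAGE_DB_PASS') ?: '');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $rows = fetchRows($db);
} else {
    // Constructed sample rows: the flag was set to Disable at default scope.
    $rows = [['scope' => 'default', 'scope_id' => 0, 'value' => '0']];
}

$report = compatibilityModeReport($rows);
echo $report['fully_enforced'] ? 'OK: ' : 'WARNING: ', $report['reason'], "\n";
```

Run it after installing the patch in the test environment and again after deploying to production; a WARNING line means the admin routing protection is still in its partially enabled state.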
-
Patch Details
Type:
Cross-site Scripting / Stored Cache Poisoning
CVSSv3 Severity:
9.3 (Critical)
Known Attacks:
None
Description:
Unvalidated host header leaks into response and page. Because the page can be cached, this leak poses a risk for all store customers because any HTML or JavaScript code can be injected. Such an exploit works only with specific server configurations, and allows an attacker to intercept a session or modify a page with fake credit card forms, etc.
Product(s) Affected:
Magento CE prior to 1.9.2.1
Magento EE prior to 1.14.2.1
Fixed In:
CE 1.9.2.2 and EE 1.14.2.1
Reference ID:
APPSEC-1030
Reporter:
Internal (ECG)
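The defensive counterpart to the issue above, as an added example that is not Magento code: before a request's Host header is used for URL generation or ends up in a page that may be cached, it is checked against an explicit allowlist of the store's hostnames. The hostnames and request arrays below are constructed sample values.

```php
<?php
// Added example, not Magento code: never let an unvalidated Host header reach
// the response. Hosts and sample requests are constructed for the example.
declare(strict_types=1);

const ALLOWED_HOSTS = ['shop.example.com', 'www.example.com'];

/**
 * Return the host to use for generated URLs, or null when the Host header is
 * missing, malformed, or not one of ours. A null result should end the request
 * with a 400 response rather than fall back to the raw header value.
 */
function resolveTrustedHost(array $server, array $allowed = ALLOWED_HOSTS): ?string
{
    $raw = $server['HTTP_HOST'] ?? '';
    // A Host header may legitimately carry a port; strip it before comparing.
    $host = strtolower(preg_replace('/:\d+$/', '', $raw));
    // Host names consist of letters, digits, '-' and '.', so quotes, angle
    // brackets or slashes are rejected before the allowlist lookup.
    if ($host === '' || !preg_match('/^[a-z0-9.-]+$/', $host)) {
        return null;
    }
    return in_array($host, $allowed, true) ? $host : null;
}

// Constructed requests: a legitimate one with a port, one with a foreign host,
// and one whose header carries markup.
$samples = [
    ['HTTP_HOST' => 'shop.example.com:443'],
    ['HTTP_HOST' => 'evil.example.net'],
    ['HTTP_HOST' => 'shop.example.com"><script>x()</script>'],
];
foreach ($samples as $server) {
    $host = resolveTrustedHost($server);
    echo $server['HTTP_HOST'], ' => ', $host === null ? 'rejected' : "use $host", "\n";
}
```

The allowlist, not escaping, is the control here: a hostname that is not the store's own has no business appearing in a cached page, whatever characters it contains.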
-
Patch Details
Type:
Information Leakage (Internal)
CVSSv3 Severity:
7.5 (High)
Known Attacks:
None
Description:
Error messages generated during the Magento installation, or during a failed extension installation, can expose the Magento configuration and database access credentials. In most cases, the database server is configured to prevent external connections. In other cases, the information can be exploited, or tied to another attack.
Product(s) Affected:
Magento CE prior to 1.9.2.2
Magento EE prior to 1.14.2.2
Fixed In:
CE 1.9.2.2 and EE 1.14.2.2
Reference ID:
APPSEC-1102
Reporter:
Alberto Assmann
-
Patch Details
Type:
Information Leakage
CVSSv3 Severity:
7.5 (High)
Known Attacks:
None
Description:
Email template filter functionality can be used to call blocks and expose customer information such as last orders, or integration passwords. Although safe when used internally by Magento, it has been reported that this functionality might be used by some external extensions to process blog comments and other user input. Such use of the email template filter functionality can expose protected information on the storefront. To learn more, see the technical details in the Security Center. See also: Content Permissions.
Product(s) Affected:
Magento CE prior to 1.9.2.2
Magento EE prior to 1.14.2.2
Fixed In:
CE 1.9.2.2 and EE 1.14.2.2
Reference ID:
APPSEC-1057
Reporter:
Peter O’Callaghan
-
Patch Details
Type:
XXE/XEE (XML Injection)
CVSSv3 Severity:
7.5 (High)
Known Attacks:
None
Description:
Magento can be forced to read XML via API calls that contain ENTITY references to local files, which makes it possible to read password or configuration files. Although Zend Framework filters out ENTITY references, they can be encoded as multibyte characters to avoid detection. To learn more about this Zend Framework issue, see: Zend Changelog 1.12.14.
Product(s) Affected:
Magento CE prior to 1.9.2.2
Magento EE prior to 1.14.2.2
Fixed In:
CE 1.9.2.2 and EE 1.14.2.2
Reference ID:
APPSEC-1045
Reporter:
Dawid Golunski
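How API-supplied XML can be parsed so that ENTITY declarations are neither resolved nor overlooked because of their encoding, as an added example that is not Magento or Zend Framework code: external entity loading is switched off, and any DOCTYPE is rejected after the parser has decoded the bytes, which is what catches a declaration hidden in UTF-16 or another multibyte encoding. The XML bodies below are constructed samples.

```php
<?php
// Added example, not Magento or Zend Framework code: parse untrusted XML with
// entity loading disabled and reject any DOCTYPE, regardless of how the
// request body was encoded.
declare(strict_types=1);

function loadUntrustedXml(string $xml): DOMDocument
{
    // Keep libxml from fetching external entities or DTDs. PHP 8 defaults to
    // this; earlier releases need the explicit call.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $previous = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    $dom->substituteEntities = false;           // the default, made explicit
    $ok = $dom->loadXML($xml, LIBXML_NONET);    // no LIBXML_NOENT, no LIBXML_DTDLOAD
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if ($ok === false) {
        throw new InvalidArgumentException('XML is not well-formed');
    }
    // The parser decoded the input itself, so a DOCTYPE is found here even when
    // a byte-string search for "<!ENTITY" on the raw body would have missed it.
    if ($dom->doctype !== null) {
        throw new InvalidArgumentException('DOCTYPE/ENTITY declarations are not accepted');
    }
    return $dom;
}

// Constructed sample bodies: an entity pointing at a local file, the same
// document re-encoded as UTF-16, and a plain document without a DOCTYPE.
$withEntity = '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY f SYSTEM "file:///path/on/server">]><r>&f;</r>';
$utf16 = mb_convert_encoding(
    str_replace('version="1.0"', 'version="1.0" encoding="UTF-16"', $withEntity), 'UTF-16', 'UTF-8');
$plain = '<?xml version="1.0"?><r><item id="1">ok</item></r>';

foreach (['utf8' => $withEntity, 'utf16' => $utf16, 'plain' => $plain] as $label => $body) {
    try {
        $dom = loadUntrustedXml($body);
        echo "$label: accepted, root <{$dom->documentElement->tagName}>\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected ({$e->getMessage()})\n";
    }
}
```

Rejecting every DOCTYPE is stricter than filtering ENTITY declarations, which is the point: an API payload has no legitimate need for one, and a rule that works on the decoded document cannot be sidestepped by choosing a different encoding.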
-
Patch Details
Type:
SQL Injection
CVSSv3 Severity:
7.4 (High)
Known Attacks:
None
Description:
The addFieldToFilter method does not escape the field name. Although core Magento functionality is not affected, this issue might impact third-party extensions, such as those used for layered navigation. Such extensions might be exploited from the storefront to execute any SQL queries. To learn more, see the technical details in the Security Center.
Product(s) Affected:
Magento CE prior to 1.9.2.2
Magento EE prior to 1.14.2.2
Fixed In:
CE 1.9.2.2 and EE 1.14.2.2
Reference ID:
APPSEC-1063
Reporter:
Jim O’Halloran (Aligent)
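What an extension that passes storefront input to addFieldToFilter can do about this, as an added example that is not Magento code: because a column identifier cannot be bound as a query parameter, the field name is validated against an allowlist of attribute codes before the collection call is made. The attribute codes and request values below are constructed.

```php
<?php
// Added example, not Magento code: an extension-side guard for field names
// that come from the storefront before they reach addFieldToFilter().
declare(strict_types=1);

/**
 * Return the field name if the layer may filter on it, otherwise throw.
 * The allowlist, not escaping, is the control: an identifier cannot be
 * parameterised, so only known attribute codes are ever passed through.
 */
function assertFilterableField(string $field, array $allowed): string
{
    // Attribute codes are short lower-case identifiers; reject anything else
    // before the allowlist lookup so unusual encodings never reach it.
    if (!preg_match('/^[a-z][a-z0-9_]{0,29}$/', $field)) {
        throw new InvalidArgumentException('Invalid filter field');
    }
    if (!in_array($field, $allowed, true)) {
        throw new InvalidArgumentException('Field is not filterable');
    }
    return $field;
}

// Constructed allowlist (what the layer configuration permits) and request values.
$allowed  = ['color', 'size', 'price', 'manufacturer'];
$requests = ['color', 'price', 'size) OR (1=1', 'sku'];

foreach ($requests as $requested) {
    try {
        $field = assertFilterableField($requested, $allowed);
        // Safe to pass on: $collection->addFieldToFilter($field, $value);
        echo "filter on $field\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected '$requested': {$e->getMessage()}\n";
    }
}
```

Note that 'sku' is rejected although it is a valid attribute code: the allowlist describes what this filter is meant to expose, not every column that exists.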
-
Patch Details
Type:
Remote Code Execution
CVSSv3 Severity:
7.2 (High)
Known Attacks:
None
Description:
The cron.php script is available for anyone to call. Because the script can make command line function calls, it becomes a potential target for the Shellshock vulnerability. (Your server should already be protected against Shellshock.) Additionally, because the command that is passed to the shell is not escaped, a directory with the same name as a shell command can be used to execute code.
Such an attack requires access to create directories with arbitrary names, such as through a hosting panel.
Although the severity is ranked as high, the attack is not exploitable by itself.
Product(s) Affected:
Magento CE from 1.8.0.0 to 1.9.2.1
Magento EE from 1.13.0.0 to 1.14.2.1
Fixed In:
CE 1.9.2.2 and EE 1.14.2.2
Reference ID:
APPSEC-1037
Reporter:
Dawid Golunski
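Two mitigations for the cron issue above in one added example that is not Magento's cron.php or cron.sh: the entry point refuses to run unless invoked from the command line, and the shell command it builds escapes every operand so that a directory name is only ever read by the shell as a path. The paths below are constructed.

```php
<?php
// Added example, not Magento code: a CLI-only cron entry point and an escaped
// shell command. Paths are constructed for the example.
declare(strict_types=1);

/** Allow execution from cron or a shell only, never through the web server. */
function assertCliOnly(string $sapi = PHP_SAPI): void
{
    if ($sapi !== 'cli') {
        http_response_code(403);
        exit("cron entry point is not available over HTTP\n");
    }
}

/** Unescaped form: the base directory is interpolated into the shell line as-is. */
function buildCronCommandUnsafe(string $phpBinary, string $baseDir): string
{
    return "$phpBinary $baseDir/cron.php -m=default";
}

/** Escaped form: absolute interpreter path, every operand a single quoted word. */
function buildCronCommandSafe(string $phpBinary, string $baseDir): string
{
    $script = rtrim($baseDir, '/') . '/cron.php';
    return escapeshellcmd($phpBinary) . ' ' . escapeshellarg($script) . ' ' . escapeshellarg('-m=default');
}

assertCliOnly();

// Constructed sample: the site lives under a directory whose name contains a
// character the shell treats as a word separator, as a hosting panel may allow.
$baseDir = '/var/www/shop store';
echo "unsafe: ", buildCronCommandUnsafe('php', $baseDir), "\n";
echo "safe:   ", buildCronCommandSafe(PHP_BINARY, $baseDir), "\n";
```

In the unsafe line the shell sees two operands where one path was intended; in the safe line the directory survives as a single argument whatever it is called, and using PHP_BINARY instead of a bare interpreter name keeps PATH lookup out of the picture.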
-
Patch Details
Type:
Remote Code Execution / Information Leakage
CVSSv3 Severity:
6.5 (Medium)
Known Attacks:
None
Description:
Custom option values are not cleared when the custom option type is switched. This makes it possible to inject malicious serialized code into a custom option of the “text” type, and execute it by switching the custom option type to “file.” This remote code execution attack requires the store to use custom options, and have an administration account with access to catalog/products.
Additionally, the manipulation of custom options from the storefront makes it possible to read system files. To learn more, see the technical details in the Security Center.
Product(s) Affected:
Magento CE prior to 1.9.2.2
Magento EE prior to 1.14.2.2
Fixed In:
CE 1.9.2.2 and EE 1.14.2.2
Reference ID:
APPSEC-1079
Reporter:
Peter O'Callaghan
-
Patch Details
Type:
Cross-site Scripting (XSS) - Reflected
CVSSv3 Severity:
6.1 (Medium)
Known Attacks:
None
Description:
Error messages on storefront pages are not escaped correctly, which makes the site vulnerable to cross-site scripting.
Product(s) Affected:
Magento CE prior to 1.9.2.2
Magento EE prior to 1.14.2.2
Fixed In:
CE 1.9.2.2 and EE 1.14.2.2
Reference ID:
APPSEC-1039
Reporter:
Ultra Security
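An error-rendering path that addresses both this reflected XSS issue and the credential leakage described under APPSEC-1102, as an added example that is not Magento code: every message shown on the storefront goes through one escaping helper, and an exception is written in full to a log file while the page receives only fixed text plus a reference id. The error messages below are constructed samples.

```php
<?php
// Added example, not Magento code: escape what the storefront shows, and keep
// exception detail (DSNs, credentials, paths) in the log only.
declare(strict_types=1);

/** Escape text for HTML element content or attribute values. */
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Render a user-visible notice; the text is escaped, never trusted. */
function renderNotice(string $message): string
{
    return '<div class="error-msg">' . escapeHtml($message) . '</div>';
}

/**
 * Log the full exception, whose message may embed a DSN or password, and
 * return only generic markup for the response.
 */
function presentInternalError(Throwable $e, string $logFile): string
{
    $ref  = bin2hex(random_bytes(8));
    $line = sprintf("[%s] ref=%s %s: %s in %s:%d\n",
        date('c'), $ref, get_class($e), $e->getMessage(), $e->getFile(), $e->getLine());
    file_put_contents($logFile, $line, FILE_APPEND | LOCK_EX);
    return renderNotice('We could not complete your request. Reference: ' . $ref);
}

$log = sys_get_temp_dir() . '/storefront-errors.log';

// Constructed sample 1: a validation message that echoes request input.
$requested = 'Unknown product: <img src=x onerror=alert(1)>';
echo renderNotice($requested), "\n";

// Constructed sample 2: a database failure whose message carries host and user.
$dbError = new RuntimeException(
    "SQLSTATE[HY000] [1045] Access denied for user 'shop'@'db.internal' (using password: YES)");
echo presentInternalError($dbError, $log), "\n";
echo "full detail written to $log\n";
```

The reference id lets support staff find the logged detail without any of it appearing in the response; keeping display_errors off in production closes the same gap for errors that never reach the handler.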
-
Patch Details
Type:
Remote Code Execution (RCE)
CVSSv3 Severity:
6.1 (Medium)
Known Attacks:
None
Description:
It is possible to put unvalidated information, including code, into error report files. When combined with Admin access to the catalog, an attacker can create a fake downloadable product that executes PHP code that was previously uploaded to the server.
To fully execute the attack, the attacker must have valid credentials for an Admin account that has full permission to access product resources.
Product(s) Affected:
Magento CE prior to 1.9.2.2
Magento EE prior to 1.14.2.2
Fixed In:
CE 1.9.2.2 and EE 1.14.2.2
Reference ID:
APPSEC-1032
Reporter:
Hannes Karlsson
-
Patch Details
Type:
Information Leakage (Internal)
CVSSv3 Severity:
5.3 (Medium)
Known Attacks:
None
Description:
Although this patch is disabled by default, it helps protect against automated attacks. By calling a module directly, an attacker can force the Admin Login page to load in the browser. The Admin URL appears in the address bar, which makes it easier to launch a password attack. To learn more, see the technical details in the Security Center.
To help manage the compatibility of extensions and customizations, the Admin Routing Compatibility Mode setting has been added to the Admin > Security configuration.
Follow the procedure outlined at the beginning of the release notes to verify that your extensions and customizations work correctly. If issues are discovered, you can install the patch with Admin Routing Compatibility disabled to give you the opportunity to update any impacted extensions or customizations.
We urge you to enable Admin Routing Compatibility Mode as soon as possible to protect your installation from automated attacks. To learn more, see the technical details in the Security Center.
Product(s) Affected:
Magento CE prior to 1.9.2.2
Magento EE prior to 1.14.2.2
Fixed In:
CE 1.9.2.2 and EE 1.14.2.2
Reference ID:
APPSEC-1034
Reporter:
Nils Preuss
-
Patch Details
Type:
Account Takeover
CVSSv3 Severity:
3.8 (Low)
Known Attacks:
None
Description:
The token that is used to reset a password is passed with a GET request, and is not canceled after use. As a result, the token can be leaked through the referrer field to all external services that are called on the page, such as image servers, analytics, and ads. The token might then be reused to steal the customer’s password.
Product(s) Affected:
Magento CE prior to 1.9.2.2
Magento EE prior to 1.14.2.2
Fixed In:
CE 1.9.2.2 and EE 1.14.2.2
Reference ID:
APPSEC-1027
Reporter:
Vishnu dfx
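A reset-token store that removes the reuse window described above, as an added example that is not Magento's password reset code: only a hash of the token is kept, every token expires, and it is consumed on first use so a value that leaked through a Referer header is worthless once the legitimate reset completes. The reset page also sends a Referrer-Policy header so the URL is not passed on to third-party hosts in the first place. The customer ids and timestamps below are constructed.

```php
<?php
// Added example, not Magento code: hashed, expiring, single-use reset tokens
// plus headers for the page that displays the form.
declare(strict_types=1);

final class ResetTokenStore
{
    /** @var array<string, array{customer:int, expires:int}> keyed by sha256(token) */
    private $tokens = [];
    /** @var int */
    private $ttlSeconds;

    public function __construct(int $ttlSeconds = 900)
    {
        $this->ttlSeconds = $ttlSeconds;
    }

    /** Issue a token for a customer; only its hash is stored server-side. */
    public function issue(int $customerId, int $now): string
    {
        $token = bin2hex(random_bytes(32));
        $this->tokens[hash('sha256', $token)] = [
            'customer' => $customerId,
            'expires'  => $now + $this->ttlSeconds,
        ];
        return $token;
    }

    /** Validate and consume a token. Returns the customer id, or null if invalid. */
    public function consume(string $token, int $now): ?int
    {
        $key   = hash('sha256', $token);
        $entry = $this->tokens[$key] ?? null;
        unset($this->tokens[$key]);            // single use, valid or not
        if ($entry === null || $entry['expires'] < $now) {
            return null;
        }
        return $entry['customer'];
    }
}

/** Headers for the reset form page so the token in the URL is not sent to image, analytics or ad hosts. */
function resetPageHeaders(): array
{
    return ['Referrer-Policy: no-referrer', 'Cache-Control: no-store'];
}

// Constructed walk-through: issue, use, replay, and an expired token.
$store = new ResetTokenStore(900);
$t0    = 1_700_000_000;
$token = $store->issue(42, $t0);
echo 'first use: ',  var_export($store->consume($token, $t0 + 60), true), "\n";
echo 'replay:    ',  var_export($store->consume($token, $t0 + 61), true), "\n";
echo 'expired:   ',  var_export($store->consume($store->issue(7, $t0), $t0 + 1000), true), "\n";
foreach (resetPageHeaders() as $h) {
    echo "header: $h\n";
}
```

The remaining half of the fix is procedural: the token in the GET URL should only select the form to display, and the actual password change should happen on the POST that submits it, at which point consume() is called.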
-
Patch Details
Type:
Information Leakage (Internal)
CVSSv3 Severity:
0 (None)
Known Attacks:
None
Description:
The Magento dev folder, including functional tests, lacked a proper .htaccess file to prevent browser access. As a best practice, all files and directories that are not intended for public view should be protected.
Product(s) Affected:
Magento CE from 1.9.2.0 to 1.9.2.1
Magento EE from 1.14.2.0 to 1.14.2.1
Fixed In:
CE 1.9.2.2 and EE 1.14.2.2
Reference ID:
APPSEC-1124
Reporter:
Internal