Release Notes
Magento Community Edition 1.9.2
We are pleased to bring you Magento Community Edition 1.9.2, which provides merchants with many enhancements that make it easier to build and maintain a high-quality and secure site.
Important! Use Magento Community 1.9.2 or later for all new installations and upgrades to ensure that you get the latest fixes, features, and security updates.
Solutions for Developers
Magento Community Edition 1.9.2 includes the latest versions of the Zend 1 Framework and Redis integration, as well as refinements to full-page caching that enable more pages to be served from cache. In addition, this release includes many enhancements as part of our commitment to continually improve product quality and to integrate previous patches into the core code.
This release of Magento Community Edition 1.9.2 includes an automated testing framework with nearly 170 automated functional tests. Developers can use the Magento Test Framework (MTF) to improve the quality and time to market of implementations, and to perform basic acceptance testing of extensions, customizations, and upgrades. To learn more, see: Magento Test Framework.
Translations are available separately on the Support and Partner portals.
- Addressed performance degradation with downloadable products.
- Numerous performance enhancements. [1][2]
On May 31, 2015, USPS made changes to their API that impact international shipping rate requests to and from Canada. As a result, some Canadian shipping rates are returned incorrectly, and customers are unable to see all available shipping options. The USPS API patch ensures that Canadian international shipping rates are returned correctly, and that customers can see all available shipping options during checkout. To learn more, see: USPS API Update – What You Need to Know by WebShopApps, a Magento Partner.
Security
Stop by our new Magento Security Center, and sign up for the Security Alert Registry to receive direct notification from our security team of any emerging issues and solutions.
SUPEE-6285 Patch Bundle
This bundle provides protection against several types of security-related issues, including information leaks, request forgeries, and cross-site scripting.
- Patch Details
Type: Privilege Escalation / Insufficient Data Protection
CVSS Severity: 7.5 (High)
Known Attacks: None
Description: An improper check for an authorized URL leads to a customer information leak (order information, order IDs, customer name). The leaked information simplifies an attack on the guest Order Review page, which exposes the customer's email, shipping and billing address. In some areas, the same underlying issue can lead to privilege escalation for Admin accounts.
Product(s) Affected: Magento CE prior to 1.9.2.0, and all versions of EE.
Fixed In: CE 1.9.2.0
Reporter: Erik Wohllebe
- Patch Details
Type: Cross-site Request Forgery
CVSS Severity: 9.3 (Critical)
Known Attacks: None
Description: Cross-site request forgery in Magento Connect Manager allows an attacker to execute actions such as the installation of a remote module that leads to the execution of remote code. The attack requires a Magento store administrator, while logged in to Magento Connect Manager, to click a link that was prepared by the attacker.
Product(s) Affected: Magento CE prior to 1.9.2.0, and all versions of EE.
Fixed In: CE 1.9.2.0
Reporter: Nicolas Melendez
- Patch Details
Type: Cross-site Scripting
CVSS Severity: 5.3 (Medium)
Known Attacks: None
Description: This vulnerability makes it possible to include an unescaped customer name when Wishlist emails are sent. By manipulating the customer name, an attacker can use the store to send spoofing or phishing emails.
Product(s) Affected: Magento CE prior to 1.9.2.0, and all versions of EE.
Fixed In: CE 1.9.2.0
Reporter: Bastian Ike
- Patch Details
Type: Cross-site Scripting (XSS)
CVSS Severity: 6.1 (Medium)
Known Attacks: None
Description: The redirection link on an empty cart page uses non-validated user input, which makes it possible to use URL parameters to inject JavaScript code into the page.
Cookies and other information can be sent to the attacker, allowing the attacker to impersonate the customer.
Product(s) Affected: Magento CE prior to 1.9.2.0, and all versions of EE.
Fixed In: CE 1.9.2.0
Reporter: Hannes Karlsson
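The underlying defect is a redirect target taken from a URL parameter and written into a link without validation. As an added example (not Magento's code), this stand-alone Python model shows the two checks such a link needs: the target is accepted only as a same-site absolute path or an http(s) URL on the store's own host (STORE_HOST is an assumed placeholder), and it is escaped for the attribute context before it is embedded.

```python
from html import escape
from urllib.parse import urlsplit

# Assumed placeholder for the store's own host name (not from the release notes).
STORE_HOST = "shop.example.com"
FALLBACK_PATH = "/"


def safe_redirect_target(raw, store_host=STORE_HOST):
    """Return a redirect target that may be embedded in an href, or the
    fallback path when the user-supplied value cannot be trusted.

    Accepted: an absolute path starting with a single "/" (so never "//host"),
    or an http(s) URL whose host is exactly the store host. Everything else,
    including javascript:/data: schemes, foreign hosts, userinfo tricks and
    control characters, falls back to the store root.
    """
    if not isinstance(raw, str):
        return FALLBACK_PATH
    value = raw.strip()
    if not value:
        return FALLBACK_PATH
    # Control characters can hide a scheme from the parser ("java\tscript:");
    # backslashes are treated as slashes by some browsers ("/\evil.example").
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value) or "\\" in value:
        return FALLBACK_PATH
    try:
        parts = urlsplit(value)
    except ValueError:  # e.g. a malformed IPv6 literal
        return FALLBACK_PATH
    scheme = parts.scheme.lower()
    if scheme == "" and parts.netloc == "":
        # Relative reference: accept only a single-slash absolute path.
        # "///evil.example" is parsed by browsers as a protocol-relative URL.
        if value.startswith("/") and not value.startswith("//"):
            return value
        return FALLBACK_PATH
    if scheme in ("http", "https") and parts.hostname == store_host:
        return value
    return FALLBACK_PATH


def empty_cart_link_html(raw_target):
    """Build the empty-cart 'continue shopping' anchor: validate the target,
    then escape it for the attribute context so quotes cannot close the href."""
    target = safe_redirect_target(raw_target)
    return '<a href="%s">Continue shopping</a>' % escape(target, quote=True)
```

Validation and escaping are separate layers: validation keeps the link on the store's origin, escaping stops a crafted value from breaking out of the attribute.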
- Patch Details
Type: Information Leakage (Internal)
CVSS Severity: 5.3 (Medium)
Known Attacks: None
Description: Directly accessing the URL of files that are related to Magento Connect produces an exception that includes the server path. The exception is generated regardless of the configuration settings that control the display of exceptions. There is a low risk of attackers gaining a sufficient understanding of the site structure to target an attack.
Product(s) Affected: Magento CE prior to 1.9.2.0, and all versions of EE.
Fixed In: CE 1.9.2.0
Reporter: Ryan Satterfield
- Patch Details
Type: Information Leakage (Internal)
CVSS Severity: 3.8 (Low)
Known Attacks: None
Description: Log files are created with permission settings that are too broad, which allows them to be read or altered by another user on the same server. The risk of an internal information leak is low.
Product(s) Affected: Magento CE prior to 1.9.2.0, and all versions of EE.
Fixed In: CE 1.9.2.0
Reporter: Ryan Satterfield
- Patch Details
Type: Cross-site Scripting
CVSS Severity: 6.5 (Medium)
Known Attacks: None
Description: An attacker can inject JavaScript into the title of a Widget from the Magento Admin. The code can later be executed when another administrator opens the Widget page.
Exploitation requires the attacker to have administrator access to the store. However, once executed, the attacker can take over other administrator accounts.
Product(s) Affected: Magento CE prior to 1.9.2.0, and all versions of EE.
Fixed In: CE 1.9.2.0
Reporter: Sasi Levi
- Patch Details
Type: Cross-site Scripting
CVSS Severity: 5.3 (Medium)
Known Attacks: None
Description: The vulnerability allows an attacker to include an unescaped customer name in the New Orders RSS feed. By manipulating the customer name, an attacker can inject incorrect or malicious data into the feed, and expose the store to risk.
Product(s) Affected: Magento CE prior to 1.9.2.0, and all versions of EE.
Fixed In: CE 1.9.2.0
Reporter: Bastian Ike
SUPEE-5994 Patch Bundle
This bundle includes protection against the following security-related issues:
- Patch Details
Type: Information Leakage (Internal)
CVSS Severity: 5.3 (Medium)
Known Attacks: None
Description: An attacker can force the Admin Login page to appear by directly calling a module, regardless of the URL. This exposes the Admin URL on the page, and makes it easier to initiate password attacks.
Product(s) Affected: Magento CE prior to 1.9.2.0, and all versions of EE.
Fixed In: CE 1.9.2.0
Reporter: Peter O'Callaghan
- Patch Details
Type: Information Disclosure / Leakage (Confidential or Restricted)
CVSS Severity: 5.3 (Medium)
Known Attacks: None
Description: This issue enables an attacker to obtain address information (name, address, phone) from the address books of other store customers.
During the checkout process, the attacker can gain access to an arbitrary address book by entering a sequential ID. No payment information is returned. The only requirement for the attacker is to create an account in the store, put any product into the cart, and start the checkout process.
This attack can be fully automated, and a functional proof of concept exists.
Product(s) Affected: Magento CE prior to 1.9.2.0, and all versions of EE.
Fixed In: CE 1.9.2.0
Reporter: Erik Wohllebe
- Patch Details
Type: Information Disclosure / Leakage (Confidential or Restricted)
CVSS Severity: 5.3 (Medium)
Known Attacks: None
Description: This issue enables an attacker to obtain address (name, address, phone), previous order (items, amounts) and payment method (payment method, recurrence) information from the recurring payment profiles of other store customers.
The attacker needs only to create an account with the store. While viewing their own recurring profile, the attacker can request an arbitrary recurring profile using a sequential ID, and the information is returned to the attacker.
This attack can be fully automated, and a manual proof of concept exists.
Product(s) Affected: Magento CE prior to 1.9.2.0, and all versions of EE.
Fixed In: CE 1.9.2.0
Reporter: Manuel Iglesias
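The address-book and recurring-profile issues above are the same pattern: a customer-owned record fetched by a sequential ID without an ownership check, so the whole table can be walked by an automated client. The fix is the server-side check, but the walk itself is visible in web server logs. This added example (not Magento's code) runs a small detector over constructed common-log-format lines; the route /checkout/address/id/<n> is a placeholder for the address lookup, not the real Magento path.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines. The route "/checkout/address/id/<n>" is a
# placeholder for the checkout address lookup, not the real Magento path.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2015:12:00:01 +0000] "GET /checkout/address/id/118 HTTP/1.1" 200 512
203.0.113.7 - - [10/Jun/2015:12:00:02 +0000] "GET /checkout/address/id/119 HTTP/1.1" 200 498
198.51.100.4 - - [10/Jun/2015:12:00:02 +0000] "GET /checkout/address/id/77 HTTP/1.1" 200 501
203.0.113.7 - - [10/Jun/2015:12:00:03 +0000] "GET /checkout/address/id/120 HTTP/1.1" 200 505
203.0.113.7 - - [10/Jun/2015:12:00:04 +0000] "GET /checkout/address/id/121 HTTP/1.1" 200 490
203.0.113.7 - - [10/Jun/2015:12:00:05 +0000] "GET /checkout/address/id/122 HTTP/1.1" 200 511
198.51.100.4 - - [10/Jun/2015:12:00:09 +0000] "GET /checkout/address/id/77 HTTP/1.1" 200 501
203.0.113.7 - - [10/Jun/2015:12:00:06 +0000] "GET /checkout/address/id/123 HTTP/1.1" 200 507
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*"')
ID_RE = re.compile(r"^/checkout/address/id/(?P<id>\d+)$")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_address_requests(lines):
    """Yield (client_ip, timestamp, address_id) for each address lookup in the log."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not common log format; skip
        p = ID_RE.match(m["path"])
        if not p:
            continue  # some other request
        yield m["ip"], datetime.strptime(m["ts"], TS_FMT), int(p["id"])


def longest_consecutive_run(ids):
    """Length of the longest run of consecutive integers in ids (e.g. 118..123)."""
    best = cur = 0
    prev = None
    for x in sorted(ids):
        cur = cur + 1 if prev is not None and x == prev + 1 else 1
        best = max(best, cur)
        prev = x
    return best


def find_enumerators(lines, window=timedelta(minutes=5), min_distinct=5):
    """Flag client IPs that look up at least min_distinct different address IDs
    inside one window. Returns {ip: {"distinct_ids": n, "longest_run": k}};
    a long consecutive run is the signature of sequential-ID enumeration."""
    by_ip = defaultdict(list)
    for ip, ts, address_id in parse_address_requests(lines):
        by_ip[ip].append((ts, address_id))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ids = {aid for ts, aid in events[i:] if ts - start <= window}
            if len(ids) >= min_distinct:
                flagged[ip] = {"distinct_ids": len(ids),
                               "longest_run": longest_consecutive_run(ids)}
                break
    return flagged
```

A legitimate customer rarely touches more than a handful of their own address IDs, so a threshold this low stays quiet on normal traffic; tune window and min_distinct to the store's volume.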
- Patch Details
Type: Information Leakage (Internal)
CVSS Severity: 5.3 (Medium)
Known Attacks: None
Description: An attacker can use fictitious image URLs to generate exceptions that expose internal server paths, regardless of settings.
Product(s) Affected: Magento CE prior to 1.9.2.0, and all versions of EE.
Fixed In: CE 1.9.2.0
Reporter: Omar M
- Patch Details
Type: Cross-site Scripting (XSS)
CVSS Severity: 8.2 (High)
Known Attacks: None
Description: This issue enables an attacker to execute JavaScript code within the context of a Magento Connect Manager session. If the administrator clicks a malicious link, the session can be stolen, and malicious extensions installed.
Product(s) Affected: Magento CE prior to 1.9.2.0, and all versions of EE.
Fixed In: CE 1.9.2.0
Reporter: Robert Foggia / Trustwave
- Patch Details
Type: Formula Injection
CVSS Severity: 6.1 (Medium)
Known Attacks: None
Description: An attacker can provide input that executes a formula when exported and opened in a spreadsheet such as Microsoft Excel. The formula can modify data, export personal data to another site, or cause remote code execution. The spreadsheet usually displays a warning message, which the user must dismiss for the attack to succeed.
Product(s) Affected: Magento CE prior to 1.9.2.0, and all versions of EE.
Fixed In: CE 1.9.2.0
Reporter: iSec Partners (external audit)
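The standard mitigation is to neutralize, at export time, any cell that a spreadsheet would evaluate: a value whose first non-blank character is one of the formula triggers gets a leading apostrophe so it is read as text. This added Python example (not Magento's export code) shows that for a CSV export of constructed customer rows; the field names and sample values are assumed, not taken from the release notes.

```python
import csv
import io
import re

# Leading characters that make a spreadsheet evaluate a cell as a formula.
FORMULA_TRIGGERS = "=+-@"
# Plain numbers ("-5.25") are legitimate cell values and must stay untouched.
NUMBER_RE = re.compile(r"[+-]?\d+(\.\d+)?")


def neutralize_cell(value):
    """Return the value so that a spreadsheet shows it as text, not a formula.

    Strings whose first non-blank character is a formula trigger get a leading
    apostrophe, which Excel and LibreOffice treat as a text marker (it may stay
    visible in some applications). Leading whitespace is removed first so that
    " =1+1" cannot bypass the check; tab and carriage return count as blanks.
    Numeric strings are left alone; non-string values pass through unchanged,
    and None becomes an empty cell.
    """
    if value is None:
        return ""
    if not isinstance(value, str):
        return value
    stripped = value.lstrip(" \t\r\n")
    if not stripped or stripped[0] not in FORMULA_TRIGGERS:
        return value
    if NUMBER_RE.fullmatch(stripped):
        return value
    # Phone numbers written as "+44 ..." are also prefixed; that is the price
    # of not trusting any cell that starts with a trigger character.
    return "'" + stripped


def export_rows_csv(rows, fieldnames):
    """Write rows to CSV text, neutralizing every cell. The csv module quotes
    fields containing commas, quotes or newlines, so a crafted value cannot
    break the row structure either."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(row.get(k)) for k in fieldnames})
    return buf.getvalue()


# Constructed sample data: one ordinary customer and one whose name field
# carries a harmless formula, as an attacker-controlled field would.
FIELDNAMES = ["customer_id", "name", "email"]
SAMPLE_CUSTOMERS = [
    {"customer_id": 1, "name": "Jane Doe", "email": "jane@example.invalid"},
    {"customer_id": 2, "name": "=1+1", "email": "x@example.invalid"},
]
```

Neutralizing at export time protects the admin who opens the file; it does not remove the need to validate the input where it is first stored.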
- Patch Details
Type: Cross-Site Scripting (XSS)
CVSS Severity: 6.1 (Medium)
Known Attacks: None
Description: This issue enables an attacker to execute JavaScript in the context of a customer session. If a customer clicks a malicious link, the attacker can steal cookies and hijack the session, which can expose personal information and compromise checkout.
Product(s) Affected: Magento CE prior to 1.9.2.0, and all versions of EE.
Fixed In: CE 1.9.2.0
Reporter: Matthew Barry
- Patch Details
Type: Abuse of Functionality
CVSS Severity: 3.1 (Low)
Known Attacks: None
Description: An attacker can publish a malicious extension package. When the package is installed by a customer, it can overwrite files on the server. The attacker must first publish a package, and then entice a customer to install it. The package might contain a malicious payload as well.
Product(s) Affected: Magento CE prior to 1.9.2.0, and all versions of EE.
Fixed In: CE 1.9.2.0
Reporter: iSec Partners (external audit)
SUPEE-5344 Patch
Magento Community Edition 1.9.2 provides protection against a specific remote code execution (RCE) vulnerability known as the “shoplift bug,” which allows attackers to obtain Admin access to a store.
- Patch Details
Type: Remote Code Execution
CVSS Severity: 9.1 (Critical)
Known Attacks: Yes
Description: An authentication bypass uses a special parameter that allows the execution of an Admin action. The Admin action is vulnerable to SQL injection, which allows code to be inserted into the database and executed. As a result, the store can be fully compromised by creating counterfeit administrator accounts and/or installing malware on the server.
Product(s) Affected: Magento CE prior to 1.9.1.1, and Magento EE prior to 1.14.2.0.
Fixed In: CE 1.9.1.1
Reporter: Netanel Rubin
Additional Security Enhancements
- Access Control List (ACL) nodes without value are now set to DENY access by default.
- Admin passwords now expire at the specified time.
- Cross-site request forgery (CSRF) protection issue that interfered with Varnish caching resolved.
- Cross-site scripting (XSS) exploit that used CACHED_FRONT_FORM_KEY resolved.
- Data deserialization potential exploits resolved. [3]
- .htaccess added to the shell subdirectory. [4]
- JavaScript injection potential exploit of the Wishlist resolved.
- Log permissions more restrictive.
- Pages served using the HTTPS protocol now POST using HTTPS.
- PHP bug in libxml that could cause the site to crash resolved.
- Recurring profiles reinforced against unprivileged access.
- Remote code execution potential exploits resolved. [5]
- REST configuration reinforced against unprivileged access.
- SQL injection potential vulnerabilities related to Advanced Search resolved.
- Widget title is escaped correctly.
Changes in This Release
- Access Control List (ACL) resources have new resources enabled.
- Cron jobs now execute at the time they were created, rather than the order in which they were created.
- Google Universal Analytics now includes information about customer orders. The configuration has been streamlined, and includes two account types: Google Analytics and Universal Analytics.
- Internet Protocol version 6 (IPv6) addressing is now supported.
- Magento can now be updated from Magento Connect Manager.
- Prices can be saved with a comma to separate thousands.
- Products can be downloaded over HTTPS.
- Redis integration has been updated to the latest version. [6]
- XMLConnect module has been updated to ver. 24. The module should be delivered in the “disabled” state.
- Zend framework has been updated to ver. 1.12.10.
Miscellaneous Fixes
API
- OAuth login page now includes the form_key field.
- REST call to Mage_Sales_Model_Order no longer returns errors.
- SOAP API correctly populates the min_sale_qty field.
- When a partial invoice is created using SOAP V2, salesOrderInvoiceCreate no longer changes the value of $itemsQty in subsequent orders.
- Additional fields in the SOAP API CategoryInfo method: Include_in_menu, UseParentSettings, ApplyToProducts.
- SOAP WSDL URL (/api/v2_soap?wsdl) no longer appears in the Admin, which is unreachable by SOAP.
Attributes
- Duplicate attribute sets no longer appear if they are several pages long.
- Product Visibility set to “Search” works correctly.
Checkout
- Resolved JavaScript errors related to one-page checkout.
- Regions appear in alphabetical order on the checkout page.
Compiler
- Customers can register for an account and complete checkout while the compiler is running.
Cookies
- The correct content appears in the storefront when the store cookie is set.
CMS
- Widgets can be added to CMS pages.
- Resolved issues uploading images from the WYSIWYG editor.
- Thumbnails now appear in the WYSIWYG editor.
- CMS pages that use the Generic Content layout appear normally.
- The CMS Preview page uses the current theme.
Customers
- The customer’s middle name or initial appears in both the Admin and storefront.
- When customers log in to their accounts, the account page appears instead of the last page visited.
- Saving a customer account from the Admin no longer returns an error.
- If the customer locale does not require a postal code, the administrator does not have to enter one.
- In the password reset notification, customers can reset their passwords for the correct store view.
- The dates that customers and customer addresses were created are now correct. This fix does not apply to customers or addresses created in earlier versions; only customers and addresses created with Magento Community ver. 1.9.2 show the correct dates.
Database
- Deleting large numbers of products from the Admin no longer returns SQLSTATE errors.
- Disabled products no longer appear in the flat catalog table.
- Resolved an issue that caused the core_cache_tags database table to grow in size.
Import/Export
- Dataflow now exports products in which images are not used as media attributes.
- Importing and exporting postal codes with a wildcard (*) works correctly.
- Custom options are preserved during import.
- Product imports no longer change the Visibility setting.
Indexers
- Reindexing flat catalog category data issue resolved.
- The Updated at value for all indexers now shows the correct date and time.
- Reindexing from the command line no longer returns errors in system.log.
- Duplicate values for multi-select attributes no longer return errors when reindexed.
Magento Connect
- You can now install extensions without errors using the Database Backup option.
- Fixed potential issues with extensions.
Newsletters
- Customers who use the same email address to subscribe to multiple newsletters now receive all newsletters to which they are subscribed.
- When an order is placed, customers who use the same email address to register with two websites no longer receive notification that they have unsubscribed from a newsletter.
Order Processing
- Address validation has been enhanced.
- Printed invoices show the correct price for bundle products.
- Issues with FedEx error code handling resolved. Choosing FedEx during checkout does not cause a fatal error.
- Orders can be viewed from the Admin without triggering an error.
- The percent (%) symbol can be used in order comments. Previously, the percent symbol interfered with the display of order comments.
- The Fetch button works correctly for Authorize.Net Direct Post.
PHP
- You can change the value of php_value memory_limit in .htaccess without encountering "out of memory" errors.
Price
- You can change the price of a product using the website scope without errors.
- Added validation to make sure the special price is not greater than the actual price.
Products
- Alerts can be sent for configurable products.
- An error when saving one product no longer causes errors for other products you try to save.
- The Add New Review link works correctly with multiple stores.
Promotions
- Resolved a performance issue related to catalog price rules with a large number of configured quotes.
Reports
- The correct date appears in reports that are configured to run for a month or a year.
- The Bestseller section of the Dashboard displays the correct prices.
- The Sales Orders report displays the correct profit calculation result.
Server
- Rollback now completes without error when running PHP 5.5.
Shopping Cart
- A message appears when you add an item to your shopping cart.
- Customers can move unconfigured items from the Wishlist to the shopping cart without encountering an error.
- Customers can edit Custom Options in a shopping cart without issues.
Storefront
- Recently Viewed items appear correctly in the storefront.
Swatches
- Swatch images no longer change size when clicked in search results.
Themes
- Fixed responsive theme display problem with ZIP/Postal Code field.
Translations
- Implemented correct escape character for translations.
- International characters can now be used in a Magento storefront domain. [7]
- Resolved issues with inline translation links and the Chrome browser.
- Corrected the spelling of the Austrian province Vorarlberg.
- Corrected missing translation of a shipping method error message.
- Chinese locales now appear in the Interface Locale list.
Acknowledgments
We’d like to thank the following members of the Magento Community for their contributions to this release:
[1] Performance enhancements, Thomas Birke
[2] Performance enhancements, Ivan Chepurnty
[3] Resolution of data deserialization exploit, Matthew Berry
[4] Added .htaccess to shell subdirectory, Phillip Jackson
[5] Resolution of remote code execution exploits, Netanel Rubin
[6] Updated Redis integration, Colin Mollenhour
[7] International characters in storefront domain, Yihao Peng