Practicalities of Magento 1.9.2.2

Magento 1.9.2.2 has been released this Wednesday and it includes various security fixes. Because we like your shop to be secure at all times, the quick advice would be to update. However, there are a couple of practicalities you should be aware of. Let's what this release is about.

Fixes for SQL injection

The Magento 1.9.2.2 release is actually a bundle of fixes and some of the fixes deal with SQL injection. In short: These fixes should simply be implemented by either patching or upgrading to Magento 1.9.2.2.

Magento has already sent out a developer notice to all extension developers, mentioning which fixes should be made in extension code. None of our extensions required changes on this point. If you are using a third party extension that would require fixing treat this as you would always do: Setup a testing copy of your production site, patch that testing copy and see if everything works. If it does not work, contact the developer who created that extension for support. If no support is available, either hire your own support or remove the extension. This point should not stop you in any way from upgrading.

Worse, there are now already versions of a working exploit on the web, that allow hackers to attack Magento big time. Not implementing Magento 1.9.2.2 will get your shop hacked soon.

Changes in admin routing

In previous Magento versions, there were various ways to create a Magento module that included its own backend pages. To serve a page in the Magento Admin Panel, a Magento module needs to implement the MVC pattern which includes a controller that extends Magento backend behaviour. There are 2 ways of doing this: By adding a new router (the legacy method) and by extending the normal admin router (the preferred way).

Basically in Magento 1.9.2.2, the legacy mode has been deprecated for security reasons. The System Configuration even contains a new option Enable Admin routing compatibility mode under System > Configuration > Admin > Security which allows you to forcibly disable this legacy mode. Note however that this option is enabled by default, so that the legacy mode still works.

You can check for this legacy mode, by scanning your Magento source code (mainly in app/code/community and app/code/local) for the following code:

<use>admin</use>

If you find matches for this, you should contact the extension developer of that specific extension that contains this code, and ask for a fix. We have removed this legacy code from all our extensions on October 21st and released new versions accordingly. If you find this legacy code in one of your own copies of our extensions, you can simply upgrade the extension to get the fix.

If you find no matches for this code segment anymore, you can inrease security by disabling the setting Enable Admin routing compatibility mode.

Registration form

Another fix included in the Magento 1.9.2.2 release deals with a form token in the file customer/registration/form.phtml. If you are using a theme or extension that overrides this template, this template override will need to be adjusted to include the form key (a single line which can be found in the form.phtml file of the base/default theme).

Only our Google Recaptcha extension included this override and a new extension version is already available.

Template CMS variables

Last but not least, the workings of CMS variables is modified. CMS variables allow you to create dynamic content within CMS blocks and emails. Two of these variables (namely {{config}} and {{block}}) could potentially allow a hacker to obtain sensitive information, when combined with other hacks. To prevent this from being possible at all, Magento 1.9.2.2 now only allows specific configuration values and blocks to be included. If an extension wants to use other configuration values or blocks, they need to be whitelisted explicitely.

None of our extensions deal with this. However, when upgrading to Magento 1.9.2.2 you should be aware that the upgrade could break CMS blocks or emails. To know for sure, the filesystem and database would need to be scanned for the keywords {{config and {{block. If you have determined that certain config variables or blocks are required in your content, you can easily whitelist them via the backend page System > Permissions.

In an overview

Upgrading to Magento 1.9.2.2 is highly recommended because it will close various potential security holes. However, you should be aware that this might break extensions. We have already picked up on our own responsibility for our Yireo extensions: All Yireo extensions that required fixing have updates (you can check their CHANGELOG for details) as of October 21st. Thanks to Magento for allowing us to fix this before the Magento 1.9.2.2 came out.

Written by Jisse Reitsma op 2 November 2015

Looking for a training in-house?
Let's get to it!