
SUPEE-9767

SUPEE-9767 addresses several security issues, including remote code execution through symlinks, remote code execution in DataFlow, remote code execution in the admin panel, SQL injection in Visual Merchandiser, and several XSS and CSRF issues.

The first version of this patch was released on May 31, 2017 and had several problems, including numerous checkout failures on stores with form key validation enabled.
The second version was released on July 12, 2017 to address customer registration problems and other issues encountered by some merchants using the original release or patch.

NOTE: Before applying the patch or upgrading to the latest release, make sure to disable the Symlinks setting in System > Configuration > Advanced > Developer > Enable Symlinks. If this setting is enabled, the value stored in the database overrides the configuration-file setting, and changing it after the patch is applied requires direct database modification.

Download SUPEE-9767 (v2) for Magento 1.x

SUPEE-9767v2 patches packaged as a shell script (to apply from the shell) are available for download from the table below. For patches suitable for direct upload via FTP, please check this article instead.
Magento version       SUPEE-9767 patch       MD5 checksum
Magento CE 1.5.1.0    SUPEE-9767 1.5.1.0     006ed5cada8732ac93d25bb1f2ff98df
Magento CE 1.6.2.0    SUPEE-9767 1.6.2.0     20b75b6f4a014f69e319b411d88f063d
Magento CE 1.7.0.2    SUPEE-9767 1.7.0.2     79dc56daf28f40124558acf236738cee
Magento CE 1.8.0.0    SUPEE-9767 1.8.0.0     4eab33064192550323f2a8c810b4c98e
Magento CE 1.8.1.0    SUPEE-9767 1.8.1.0     cf2391166a0d13ff0cb97e8ad4d42755
Magento CE 1.9.0.1    SUPEE-9767 1.9.0.1     b5ebec00ccd9ec723ac92da3d2647377
Magento CE 1.9.3.0    SUPEE-9767 1.9.3.0     9d277f7aa22c7cd6e3fc40997ef8e89e
Magento CE 1.9.3.2    SUPEE-9767 1.9.3.2     af7a0720525ae825df2c933623095f73
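The pre-flight steps implied by the NOTE above and by the checksum table, as an added shell example that is not part of the original page or of Magento's own patch tooling: verify the downloaded patch against the MD5 from the table, refuse to continue while Enable Symlinks is still stored as enabled in core_config_data, and only then run the patch script from the Magento root. The script assumes the patch file is passed as its second argument (the page does not give the patch file names), that database credentials are supplied in DB_HOST/DB_USER/DB_PASS/DB_NAME environment variables, and that the admin switch is stored under Magento 1's config path dev/template/allow_symlink (an assumption about Magento 1 not stated on this page).

```shell
#!/bin/sh
# Added example, not from the original page or from Magento.
# Usage (from the Magento root):  sh preflight.sh 1.9.3.2 ./PATCH_SUPEE-9767_v2.sh
# Assumptions: patch file given as $2; DB_* environment variables hold the
# database credentials; Enable Symlinks is stored at dev/template/allow_symlink.
set -eu

# Expected checksums, copied from the download table on this page.
expected_md5() {
    case "$1" in
        1.5.1.0) echo 006ed5cada8732ac93d25bb1f2ff98df ;;
        1.6.2.0) echo 20b75b6f4a014f69e319b411d88f063d ;;
        1.7.0.2) echo 79dc56daf28f40124558acf236738cee ;;
        1.8.0.0) echo 4eab33064192550323f2a8c810b4c98e ;;
        1.8.1.0) echo cf2391166a0d13ff0cb97e8ad4d42755 ;;
        1.9.0.1) echo b5ebec00ccd9ec723ac92da3d2647377 ;;
        1.9.3.0) echo 9d277f7aa22c7cd6e3fc40997ef8e89e ;;
        1.9.3.2) echo af7a0720525ae825df2c933623095f73 ;;
        *) return 1 ;;
    esac
}

# Print the MD5 digest of a file, using whichever tool is installed.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/.*= //'
    fi
}

# Succeed only when the file's digest equals the expected one (case-insensitive).
md5_matches() {
    actual=$(file_md5 "$1" | tr 'A-F' 'a-f')
    wanted=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$wanted" ]
}

# Count rows of `mysql --batch` output (header line, then tab-separated
# scope / scope_id / value) in which the symlink flag is stored as 1.
count_symlink_enabled() {
    awk -F'\t' 'NR > 1 && $3 == "1" { n++ } END { print n + 0 }'
}

# Every scope where the flag has been saved from the admin panel; any such
# row overrides app/etc/config.xml, which is why the page says a database
# change is needed once the admin control is gone.
symlink_rows() {
    mysql --batch -h "${DB_HOST:-localhost}" -u "$DB_USER" -p"$DB_PASS" "$DB_NAME" <<'SQL'
SELECT scope, scope_id, value FROM core_config_data
 WHERE path = 'dev/template/allow_symlink';
SQL
}

main() {
    version=$1
    patch=$2
    expected=$(expected_md5 "$version") || {
        echo "no SUPEE-9767 checksum listed for Magento CE $version" >&2; exit 1; }
    md5_matches "$patch" "$expected" || {
        echo "checksum mismatch for $patch; do not apply it" >&2; exit 1; }
    enabled=$(symlink_rows | count_symlink_enabled)
    if [ "$enabled" -ne 0 ]; then
        echo "Enable Symlinks is on in $enabled scope(s); disable it under" \
             "System > Configuration > Advanced > Developer before patching" >&2
        exit 1
    fi
    sh "$patch"
}

# Run only when invoked with arguments, so the functions can also be sourced.
if [ $# -ge 2 ]; then
    main "$@"
fi
```

If `count_symlink_enabled` reports a non-zero count after the admin control has already disappeared, the row has to be set to 0 (or removed) directly in core_config_data, which is the situation the NOTE warns about.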

Known issues

Several known issues with SUPEE-9767 have been reported; please check this list for details.

Issues solved in SUPEE-9767v2

APPSEC-1281: Remote code execution through symlinks
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 8.8 (High)
Known Attacks: Yes. Attackers are disabling a configuration protection after gaining admin access and are uploading malicious code.
Description: Use of the AllowSymlinks option in configuration settings can enable the upload of an image that contains malicious code. Although this option is disabled by default, an attacker with access to store configuration settings can enable it and remotely execute code.
Product(s) Affected: Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Fixed In: CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767
Reporter: Wilko Nienhaus
APPSEC-1777: Remote Code Execution in DataFlow
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 8.8 (High)
Known Attacks: None
Description: Magento administrators with access to DataFlow functionality can use it to upload and execute arbitrary code.
Product(s) Affected: Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Fixed In: CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767
Reporter: Fabain
APPSEC-1686: Remote Code Execution in the Admin panel
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 8.8 (High)
Known Attacks: None
Description: Store administrators with access to CMS functionality can remotely execute code.
Product(s) Affected: Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3, Magento 2.0 prior to 2.0.14, Magento 2.1 prior to 2.1.7
Fixed In: CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767, Magento 2.0.14 and Magento 2.1.7
Reporter: Fabain
APPSEC-1320: SQL injection in Visual Merchandiser (Enterprise Edition)
Type: SQL Injection
CVSSv3 Severity: 8.8 (High)
Known Attacks: None
Description: The Visual Merchandiser contains an SQL injection vulnerability that can potentially allow a user with Admin privileges to directly edit the database.
Product(s) Affected: Magento EE prior to 1.14.3.3
Fixed In: EE 1.14.3.3, SUPEE-9767
Reporter: Oleksandr Semchyshyn
APPSEC-1634: XSS in data fields
Type: Cross-Site Scripting (XSS, reflected)
CVSSv3 Severity: 8.7 (High)
Known Attacks: None
Description: Some Admin tables do not filter data, which provides an inadvertent opening for reflected cross-site scripting attacks.
Product(s) Affected: Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Fixed In: CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767
Reporter: Lipsum
APPSEC-1759: XSS in Admin panel configuration
Type: Cross-Site Scripting (XSS, stored)
CVSSv3 Severity: 8.1 (High)
Known Attacks: None
Description: A Magento administrator with access to configuration settings can enter malicious code that can be executed on other Admin panel pages.
Product(s) Affected: Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Fixed In: CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767
Reporter: Fabain
APPSEC-1549: CSRF after logout – form key not invalidated
Type: Cross-Site Request Forgery (CSRF)
CVSSv3 Severity: 8.0 (High)
Known Attacks: None
Description: Magento does not invalidate form keys on logout, which potentially allows an attacker to execute commands as administrator after the admin logs out.
Product(s) Affected: Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Fixed In: CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767
Reporter: Internal
APPSEC-1693: Bypassing ACLs in store configuration permissions
Type: Privilege Escalation
CVSSv3 Severity: 6.5 (Medium)
Known Attacks: None
Description: Administrators with limited permission to modify configuration settings can also edit PayPal or payment configuration settings despite lack of explicit permissions.
Product(s) Affected: Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Fixed In: CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767
Reporter: Peter O’Callaghan
APPSEC-1677: Local File Disclosure for admin users with access to dataflow
Type: Information Leak (system)
CVSSv3 Severity: 6.5 (Medium)
Known Attacks: None
Description: An authenticated administrator can use DataFlow to exfiltrate system files.
Product(s) Affected: Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Fixed In: CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767
Reporter: Fabain
APPSEC-1546: CSRF Vulnerability in Checkout feature
Type: Cross-Site Request Forgery (CSRF)
CVSSv3 Severity: 6.1 (Medium)
Known Attacks: None
Description: Checkout functionality is vulnerable to cross-site request forgery attacks. These types of attacks are typically executed by phishing emails or pages that allow attackers to modify or harvest payment details.
Product(s) Affected: Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Fixed In: CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767
Reporter: Internal
APPSEC-1597: Potential for user name enumeration
Type: Insufficient Data Protection
CVSSv3 Severity: 5.3 (Medium)
Known Attacks: None
Description: When a user tries to log in using an invalid username or password, the Magento authentication mechanism responds with a message that indicates whether the username is valid. A malicious user can use this information to build a list of registered users.
Product(s) Affected: Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Fixed In: CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767
Reporter: Internal
APPSEC-1695: CSRF cache management
Type: Cross-Site Request Forgery (CSRF)
CVSSv3 Severity: 4.7 (Medium)
Known Attacks: None
Description: Vulnerabilities in session cache management may provide an opening for a cross-site request forgery attack. These types of attacks can include malicious clearing of session data.
Product(s) Affected: Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Fixed In: CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767
Reporter: Peter O’Callaghan
APPSEC-1324: Customer passwords exposed in logs
Type: Information Disclosure / Leakage (Confidential or Restricted)
CVSSv3 Severity: 4.4 (Medium)
Known Attacks: None
Description: In certain configurations, and depending on previous customer actions, a log-in action can generate an exception. Magento logs this exception, which may contain customer passwords, on the server.
Product(s) Affected: Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Fixed In: CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767
Reporter: Peter O’Callaghan
APPSEC-1675: Cross-site Request Forgery Vulnerability in Enterprise Edition (EE) Invites
Type: Cross-Site Request Forgery (CSRF)
CVSSv3 Severity: 3.4 (Low)
Known Attacks: None
Description: The Magento EE private sale invite feature is not protected against cross-site request forgery attacks. This vulnerability potentially allows an attacker to invite themselves to, and register on, a restricted-access site.
Product(s) Affected: Magento EE prior to 1.14.3.3
Fixed In: EE 1.14.3.3, SUPEE-9767
Reporter: Peter O’Callaghan
APPSEC-1659: Vulnerabilities in JavaScript libraries
Type: Misc Vulnerabilities
CVSSv3 Severity: 0 (Low)
Known Attacks: None
Description: Magento uses versions of JavaScript libraries with known security vulnerabilities. Magento does not use the vulnerable functionality, and no Magento-specific attack vector has been found. However, out of caution, we’ve updated the JavaScript libraries in question to the latest versions. Note: this issue does not affect Magento CE versions prior to 1.9.0.0 or Magento EE versions prior to 1.14.0.0.
Product(s) Affected: Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3, Magento 2.0 prior to 2.0.14, Magento 2.1 prior to 2.1.7
Fixed In: CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767, Magento 2.0.14 and Magento 2.1.7
Reporter: Internal
APPSEC-1622: Incorrect routing of requests
Type: Abuse of Functionality
CVSSv3 Severity: 0 (None)
Known Attacks: None
Description: Incorrect request routing can enable the bypassing of web server protections, which in turn provides potentially malicious users access to the server.
Product(s) Affected: Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3, Magento 2.0 prior to 2.0.14, Magento 2.1 prior to 2.1.7
Fixed In: CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767, Magento 2.0.14 and Magento 2.1.7
Reporter: Internal