Whenever Magento finds a vulnerability in the platform, it releases a small piece of code, known as a security patch, to fix it. Install the security patches Magento releases as soon as you learn about them: the longer you delay, the longer your store stays exposed to a weakness that is already public.
As soon as a patch is released and the problems it fixes are highlighted, developers discuss them on community forums. That discussion can also serve as a useful hint to attackers who would not otherwise have known about the weakness, which is one more reason not to delay.
About SUPEE-10266 and SUPEE-10336
The SUPEE-10266 patch includes several security enhancements that help close cross-site request forgery (CSRF), unauthorized data leak and admin user remote code execution vulnerabilities. It also fixes issues with image reloading and with payments when a one-step checkout is used.
Some of the security enhancements made in SUPEE-10266:
- APPSEC-1838: RSS session admin cookie can be used to gain Magento administrator privileges
- APPSEC-1800: Remote Code Execution vulnerability in CMS and layouts
- APPSEC-1835: Exposure of Magento secret key from app/etc/local.xml
- APPSEC-1757: Directory traversal in template configuration
- APPSEC-1852: CSRF + Stored Cross Site Scripting (customer group)
- APPSEC-1494: Admin Notification Stored XSS
- APPSEC-1793: Potential file uploads solely protected by .htaccess
- APPSEC-1853: CSRF + Stored Cross Site Scripting in newsletter template
- APPSEC-1729: XSS in admin order view using order status label in Magento
- APPSEC-1579: Customer Segment Delete Action uses GET instead of POST request
- APPSEC-1588: Order Item Custom Option Disclosure
- APPSEC-1599: Admin login does not handle autocomplete feature correctly
- APPSEC-1688: Secure cookie check to prevent MITM not expiring user sessions
The SUPEE-10336 patch addresses the USPS shipping method name changes. For versions 220.127.116.11 and older, it must be applied on top of all previous USPS patches.
How Do You Ensure Store Security?
Apart from installing every patch Magento releases, have a technical and security audit done for your store to confirm that no earlier security patch has been missed.
Magereport.com is a good resource for checking whether your store lacks any security patch. Once you know which patches are missing, download them from Magento and install them on your store.
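A local complement to the remote check at Magereport.com, added here as an example and not taken from the original post: every Magento 1 SUPEE patch script records itself in `app/etc/applied.patches.list` when applied and appends a further record when reverted, so that file can be scanned for the patches this post discusses. The sample list below is constructed for the demonstration and only approximates the real file's layout (the assumption is that the patch ID is the second `|`-separated field and a reverted patch's later record contains the word `REVERTED`); the function names `missing_patches` and `make_sample_list` are this example's own.

```shell
#!/bin/sh
# Added example, not Magento's own tooling: report which of the wanted SUPEE
# patches have no current (non-reverted) record in applied.patches.list.

# make_sample_list <path>
# Writes a constructed sample in the shape of app/etc/applied.patches.list.
# Assumed layout: date | patch ID | edition_version | patch version | ...
# Here SUPEE-10336 was applied and then reverted, so it must count as missing.
make_sample_list() {
    cat > "$1" <<'EOF'
2017-10-05 09:12:44 UTC | SUPEE-10266 | CE_1.9.3.6 | v1 | 4a1b9f0e | PATCH_SUPEE-10266.sh
2017-11-21 14:03:10 UTC | SUPEE-10336 | CE_1.9.3.6 | v1 | 9c2d77aa | PATCH_SUPEE-10336.sh
2017-11-22 08:00:00 UTC | SUPEE-10336 | CE_1.9.3.6 | v1 | 9c2d77aa | REVERTED
EOF
}

# missing_patches <applied.patches.list> <SUPEE-ID>...
# Prints "MISSING: <ID>" for each wanted ID whose latest record is absent or
# reverted; returns 1 if anything is missing, 0 if every ID is applied.
missing_patches() {
    list="$1"; shift
    rc=0
    for id in "$@"; do
        # Walk the file in order so the last record for an ID wins: a plain
        # record marks it applied, a REVERTED record marks it not applied.
        if ! awk -F'|' -v id="$id" '
            { gsub(/^[ \t]+|[ \t]+$/, "", $2) }
            $2 == id && $0 !~ /REVERTED/ { found = 1 }
            $2 == id && $0 ~  /REVERTED/ { found = 0 }
            END { exit found ? 0 : 1 }' "$list"; then
            echo "MISSING: $id"
            rc=1
        fi
    done
    return $rc
}

# Demo against the constructed sample. A real check points at
# <magento-root>/app/etc/applied.patches.list instead.
demo_list=$(mktemp)
make_sample_list "$demo_list"
missing_patches "$demo_list" SUPEE-10266 SUPEE-10336 || true   # prints "MISSING: SUPEE-10336"
rm -f "$demo_list"
```

Treat a clean result as necessary but not sufficient: the list only records patches applied through the official scripts, so a store whose files were edited by hand, or restored from an older backup after patching, can show an entry for code that is no longer present. Magereport's remote probe and a code-level audit catch those cases.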
Need Help With Installations?
In case you are confused or overwhelmed by the above details, we are always there to help. All you need to do is order the appropriate security patch installation service from our store and we will take care of the rest.