According to various reports in recent days, there is a vulnerability (see, for example, rackspeed) in all Magento versions from 1.4 to 1.7.
Specifically, the file images.php in the folder app/code/core/Mage/Cms/Helper/Wysiwyg is vulnerable.
There are several ways to patch the file: via SSH or via FTP. Here we describe how to patch the file via FTP.
- First, open the file images.php from the directory named above.
- Then search for the line public function getCurrentPath().
- The block
      if (!$this->_currentPath) {
          $currentPath = $this->getStorageRoot();
          $path = $this->_getRequest()->getParam($this->getTreeNodeName());
          if ($path) {
              $path = $this->convertIdToPath($path);
              if (is_dir($path)) {
                  $currentPath = $path;
              }
          }
          // (the remainder of the method follows here)
  replace it with this block:
      if (!$this->_currentPath) {
          // resolve symlinks and ".." in the storage root before comparing
          $currentPath = realpath($this->getStorageRoot());
          $node = $this->_getRequest()->getParam($this->getTreeNodeName());
          if ($node) {
              // resolve the requested node the same way
              $path = realpath($this->convertIdToPath($node));
              // only accept an existing directory that lies inside the storage root
              if (is_dir($path) && false !== stripos($path, $currentPath)) {
                  $currentPath = $path;
              }
          }
          // (the remainder of the method follows here)
- Upload the file and clear the caches.
- The gap should now be closed.
- Incidentally, as far as we could see, the file differs between Magento versions 1.4 and 1.7 only in the copyright date. One and the same images.php can therefore be used for all of these Magento versions.
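As an added example that is not part of the original post or of Magento's own code, the following stand-alone PHP script reproduces the idea behind the patched block: resolve both the storage root and the requested node with realpath() and accept the request only if the resolved directory lies below the root. It uses a prefix comparison instead of the patch's stripos() containment test; the function name resolveCurrentPath() and the temporary directory layout are assumptions made for the demonstration.

```php
<?php
// Added example, not code from the original post or from Magento: a stand-alone
// version of the check the patched getCurrentPath() performs. The function name
// resolveCurrentPath() and the directory layout below are our own assumptions.

/**
 * Return $requested only if it resolves to a directory inside $storageRoot;
 * otherwise fall back to $storageRoot, as the patched helper does.
 */
function resolveCurrentPath(string $storageRoot, ?string $requested): string
{
    $root = realpath($storageRoot);
    if ($root === false) {
        throw new RuntimeException("storage root does not exist: $storageRoot");
    }
    if ($requested === null || $requested === '') {
        return $root;
    }
    // realpath() collapses ".." and symlinks and returns false for paths that
    // do not exist, so the comparison below sees the real location.
    $path = realpath($requested);
    if ($path === false || !is_dir($path)) {
        return $root;
    }
    // Accept $root itself or a descendant of it. Comparing with a trailing
    // separator stops a sibling such as media-secret from matching media.
    $prefix = $root . DIRECTORY_SEPARATOR;
    $inside = strncmp($path . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) === 0;
    return $inside ? $path : $root;
}

// Constructed directory layout: media/ is the storage root, wysiwyg/ sits
// inside it, secret/ and media-secret/ sit beside it.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'wysiwyg_demo_' . getmypid();
$root = $base . DIRECTORY_SEPARATOR . 'media';
foreach (['media/wysiwyg', 'secret', 'media-secret'] as $dir) {
    mkdir($base . DIRECTORY_SEPARATOR . $dir, 0700, true);
}

$cases = [
    'subfolder of the root'  => $root . '/wysiwyg',
    'traversal with ..'      => $root . '/../secret',
    'sibling sharing prefix' => $base . '/media-secret',
    'nonexistent folder'     => $root . '/missing',
];
foreach ($cases as $label => $requested) {
    printf("%-24s -> %s\n", $label, resolveCurrentPath($root, $requested));
}
```

Only the first case is returned as requested; the other three fall back to the storage root, which is the behaviour the patch is meant to restore.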
Of course, we accept no liability for the accuracy of this information. This post merely repeats and simplifies information from other sources. In any case, the changes should first be tried in a test environment.
Used in Magento versions 1.4.1.1 to 1.7.0.2. Questions, comments, suggestions? Gladly!