Although Adobe support for Magento 1 ended in June of 2020, Mage 1 continues to offer security patches and updates for merchants who haven’t moved to the Magento 2 platform yet. Recently, Mage 1 informed its partners and customers that 10 new patches were made available for Magento 1 stores.
In addition to the patches, Mage 1 also updated phpseclib, fixed some RCE vulnerabilities, and incorporated new features that would help prevent brute force attacks. Any retailers who still use the Magento 1 platform should strongly consider applying these patches sooner rather than later to ensure that their sites remain fast and secure.
Descriptions of New Patches
Mage 1 strives to create patches within 30 days of discovering a security threat or problem. This means that patches are often released unpredictably and only fix a very specific issue. It’s rare for as many as 10 patches to be released at one time, so merchants should take notice and be quick to apply these new patches.
Not sure what these updates are supposed to do? Below, you’ll find a brief summary of the problem each patch is designed to resolve:
- Patch MO-50: This patch will improve PHP 5.6 compatibility for unserialization. However, before applying this fix, make sure you’re not using any version older than PHP 7.3. There’s no support available for these older PHP versions.
- Patch MO-51: Patch MO-51 will update phpseclib to version 2.0.32 to fix CVE-2021-30130.
- Patch MO-52: This patch will fix a persistent XSS vulnerability in M1 sites.
- Patch MO-53: It’s not uncommon for Magento developers, agencies, or merchants to accidentally remove .htaccess files from regular core directories. This simple mistake can make a store more vulnerable to security threats, so this patch is meant to restore any missing .htaccess files from the core automatically.
- Patch MO-54: Patch MO-54 will improve PHP8 compatibility.
- Patch MO-55: This security patch will prevent DoS attacks using passwords larger than 4,000.
- Patch MO-56: A Magento community member discovered that an admin with the permission to import or export data and edit CMS pages could inject an executable file on the server via layout XML.
- Patch MO-57: This patch addresses an issue in which users could run commands in the Custom Layout Update with the block method.
- Patch MO-58: This patch addresses an issue in which deleting a file in customer media could allow remote code execution.
- Patch MO-59: This patch adds an extra layer of security against brute force attacks to customer login and admin panel login.
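As an added illustration of the problem Patch MO-53 addresses (this is not code from Mage 1 or from the patch itself), the POSIX shell check below reports Magento 1 core directories whose .htaccess file is missing or empty. The directory list is an assumption about a typical Magento 1 layout; adjust it to your store.

```shell
#!/bin/sh
# Directories that normally carry their own .htaccess in a Magento 1 install.
# This list is an assumption about a typical layout, not taken from the patch.
MAGE_HTACCESS_DIRS=". app lib var media includes downloader errors shell pkginfo"

# missing_htaccess ROOT
# Prints, one per line, each listed directory under ROOT that exists but has
# no .htaccess file (or an empty one, which protects nothing).
# Returns 0 when every present directory is covered, 1 otherwise.
missing_htaccess() {
  root=$1
  count=0
  for d in $MAGE_HTACCESS_DIRS; do
    dir="$root/$d"
    [ -d "$dir" ] || continue          # skip directories this install lacks
    if [ ! -s "$dir/.htaccess" ]; then # -s: exists and is non-empty
      echo "$d"
      count=$((count + 1))
    fi
  done
  [ "$count" -eq 0 ]
}
```

Run it as `missing_htaccess /path/to/magento` from a cron job or deploy hook; a non-zero exit status means at least one core directory is exposed and the patch's restore step (or a manual restore from a clean copy) is needed.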
More Information
If you’re still using Magento 1, you can check out Mage 1’s FAQ page to find out more about the organization’s mission. Once you’re ready to upgrade to Magento 2, connect with one of our developers to get started on your customized website!