If you currently manage any Magento sites, the past day or two might of been a bit hectic. On 10/27, Magento released SUPEE-6788, which was a very significant security patch that fixed several interesting vulnerabilities. Among these were XSS vulnerabilities, SQL Injection, and object insertion via PHP’s unserialize function.
For developers and server admins, this is a pretty narly update because some of the changes end up breaking many popular Magento plugins(currently around 830 have been marked as incompatible in this live google docs sheet.) Most of the issues are the result of the plugin using an older method of creating the admin backend routes.
Fortunately, SUPEE-6788 does not enable the changes to admin routing that would break plugins by default. This has to be disabled manually via the backend ‘Admin routing compatibility mode for extensions’ setting, but you should make an effort to update your site/plugin asap, as now that this update is out in the wild, it will quickly end up in Metasploit and similar frameworks.
For web-admins, there is a useful tool for scanning for, identifying, and fixing some issues available on github here.
Along with some associates, I have checked a number of Magento sites ranging from 1.7, 1.8, and 1.9 and have yet to find one that didn’t at least have one incompatible plugin. Some very big plugins are in the list as well!
Scandi MenuManager is a fairly decent plugin for creating menus in Magento, which is something that is unfortunately a pain otherwise…why there hasn’t been a Magento core navigation module similar to WordPress Menus yet is frustrating, but I digress.
I use a modified version of MenuManager on one of my Magento sites, which I customized to add support for menu images and a few other neat features that the initial plugin was missing.
Unfortunately the plugin itself is quite old and hasn’t been updated since 2013(a testament to Magento compatibility,) so needed to be updated. Given how long it has been since this plugin has seen an update, I don’t think a timely update from the developer will be forthcoming, so the below describes patching MenuManager to use the newer adminhtml rotuer.
Before you do anything backup your Magento Database and Files.
Patching Scandi MenuManager can be done a few ways. If you use the supee-6788-toolbox found above, you will still need to edit the link that gets created in the admin menu otherwise it will not work. The below is a different way of editing it to make it compatible with the new router requirements.
You will be editing the following files:
The below sections containa before and after section, which show what you will be changing.
Before you do anything, make a backup!
This is the main update, which changes from using the old incompatible <<use>admin<</use> method of creating a route to the newer method.
Before:
<admin> <routers> <scandi_menumanager_admin> <use>admin</use> <args> <module>Scandi_MenuManager</module> <frontName>menumanager</frontName> </args> </scandi_menumanager_admin> </routers> </admin>
After:
<admin> <routers> <adminhtml> <args> <modules> <scandi_menumanager before="Mage_Adminhtml">Scandi_MenuManager_Adminhtml</scandi_menumanager> </modules> </args> </adminhtml> </routers> </admin>
Adminhtml.xml controls the menu location, adding a menu item called ‘Menu’ to the CMS menu in the backend. Since the router has been updated, the
Before:
<menu> <cms> <children> <scandi_menumanager translate="title" module="scandi_menumanager"> <title>Menus</title> <action>menumanager/adminhtml_index/index</action> <sort_order>25</sort_order> </scandi_menumanager> </children> </cms> </menu>
After:
<menu> <cms> <children> <index module="scandi_menumanager" translate="title"> <title>Menu</title> <sort_order>25</sort_order> <action>adminhtml/menumanager</action> </index> </children> </cms> </menu>
This one is a bit tricky, as we can no longer use the filename ‘IndexController.php’, so we are going to do two things:
After renaming IndexController.php -> MenumanagerController.php:
Before:
class Scandi_MenuManager_Adminhtml_IndexController extends Mage_Adminhtml_Controller_Action
After:
class Scandi_MenuManager_Adminhtml_MenuManagerController extends Mage_Adminhtml_Controller_Action
Now that we have updated the controller and routes, we need to update the adminhtml layouts, so they show the correct blocks.
Since there are several changes below, I have included the complete file in before/after, however you are only changing the XML section names.
Before:
<layout> <scandi_menumanager_admin_adminhtml_index_index> <reference name="content"> <block type="scandi_menumanager/adminhtml_menu" name="menumanager_menu_grid" /> </reference> </scandi_menumanager_admin_adminhtml_index_index> <scandi_menumanager_admin_adminhtml_index_edit> <reference name="content"> <block type="scandi_menumanager/adminhtml_menu_edit" name="menumanager_menu_edit" /> </reference> <reference name="left"> <block type="scandi_menumanager/adminhtml_menu_edit_tabs" name="menumanager_menu_edit_tabs"> <block type="scandi_menumanager/adminhtml_menu_edit_tab_main" name="menumanager_menu_edit_tab_main" /> <action method="addTab"><name>main_section</name><block>menumanager_menu_edit_tab_main</block></action> </block> </reference> </scandi_menumanager_admin_adminhtml_index_edit> <scandi_menumanager_admin_adminhtml_index_edit_item> <reference name="content"> <block type="scandi_menumanager/adminhtml_menu_item_edit" name="menumanager_menu_item_edit" /> </reference> </scandi_menumanager_admin_adminhtml_index_edit_item> </layout>
After:
<layout> <adminhtml_menumanager_index> <reference name="content"> <block type="scandi_menumanager/adminhtml_menu" name="menumanager_menu_grid" /> </reference> </adminhtml_menumanager_index> <adminhtml_menumanager_edit> <reference name="content"> <block type="scandi_menumanager/adminhtml_menu_edit" name="menumanager_menu_edit" /> </reference> <reference name="left"> <block type="scandi_menumanager/adminhtml_menu_edit_tabs" name="menumanager_menu_edit_tabs"> <block type="scandi_menumanager/adminhtml_menu_edit_tab_main" name="menumanager_menu_edit_tab_main" /> <action method="addTab"><name>main_section</name><block>menumanager_menu_edit_tab_main</block></action> </block> </reference> </adminhtml_menumanager_edit> <adminhtml_menumanager_edit_item> <reference name="content"> <block type="scandi_menumanager/adminhtml_menu_item_edit" name="menumanager_menu_item_edit" /> </reference> </adminhtml_menumanager_edit_item> </layout>
After making the above changes, clear your Mangeto cache and the ‘Menu’ Link under Admin -> CMS -> Menu should get changed to: /index.php/admin/menumanager/index/key/[…]
This should allow you to disable the Admin routing compatibility mode for extensions setting under System -> Configuration -> Admin -> Security -> Admin routing compatibility mode setting for extensions.
When this setting is enabled, which is the default, old admin router methods will still work, but several security issues caused by using the old admin router method are not blocked. So this should be disabled to improve security.
Please note that if you have other incompatible plugins, they will still need to be fixed before you change the above setting!
If you need help with this Magento Plugin or updating a different one, please don’t hesitate to contact me or leave a comment. I offer install, maintenance, and support services for Magento, along with custom module development and templating.
Comments:
Excellent!!!! Saved my day!
Add a Comment