Security Update for Magento Base URL Configuration Value
It has come to our attention that under very specific conditions there is a security issue in Magento 1.0 through 1.0.19870 that may cause invalid links to be entered into your block cache.
Installations with correct SSL configuration are NOT affected.
To rule out this problem on your installation, or to confirm that your copy is not affected, please follow these instructions:
- Log in to your Magento admin.
- Navigate to System -> Configurations and select the ‘Web’ tab.
- For every Website and Store view in the ‘Current Configuration Scope’ drop-down (assuming you do not have them set to ‘use default’ or ‘use website’):
  - Open both the Unsecure and Secure sections.
  - Look for the value of ‘Base URL’. If this field does not contain {{base_url}}, you are not affected, and there is no need to do anything else. If you see {{base_url}}, you need to replace this value with the full base URL of your store (e.g. http://www.somedomain.com), which includes the full domain you wish to use with Magento.
You DO NOT need to change any other configuration values that contain {{unsecure_base_url}} and {{secure_base_url}}, such as Base Link URL, Base Skin URL, Base Media URL and Base JavaScript URL.
Vulnerable configuration:
Correct configuration:
If you had to update your configuration as described above, please go to System > Cache management and refresh all caches.
We are currently working on a patch that will validate that {{base_url}} is not used and will warn the admin user if it still exists. We are also updating the install process of Magento to solve this issue for new installations.
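The same per-scope check can be run against a copy of the store database instead of clicking through each scope. This is an added example, not Magento code: it assumes the settings live in a core_config_data table with scope, scope_id, path and value columns and that the two Base URL fields are stored under the paths web/unsecure/base_url and web/secure/base_url; the rows are constructed sample data in an in-memory SQLite table.

```python
import sqlite3

# The two 'Base URL' settings the advisory says to inspect (assumed config paths).
BASE_URL_PATHS = ("web/unsecure/base_url", "web/secure/base_url")
PLACEHOLDER = "{{base_url}}"


def find_affected_scopes(conn):
    """Return (scope, scope_id, path) for each Base URL still set to {{base_url}}.

    Every scope row is checked (default, websites, stores), mirroring the
    per-scope walk through the 'Current Configuration Scope' drop-down.
    Other settings that use {{unsecure_base_url}} or {{secure_base_url}}
    are left alone, as the advisory instructs.
    """
    sql = (
        "SELECT scope, scope_id, path FROM core_config_data "
        "WHERE path IN (?, ?) AND instr(value, ?) > 0 "
        "ORDER BY scope, scope_id, path"
    )
    return conn.execute(sql, (*BASE_URL_PATHS, PLACEHOLDER)).fetchall()


def build_sample_db():
    """Constructed sample rows in an in-memory SQLite table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE core_config_data (config_id INTEGER PRIMARY KEY, "
        "scope TEXT, scope_id INTEGER, path TEXT, value TEXT)"
    )
    rows = [
        ("default", 0, "web/unsecure/base_url", "{{base_url}}"),
        ("default", 0, "web/secure/base_url", "http://www.somedomain.com"),
        ("default", 0, "web/unsecure/base_skin_url", "{{unsecure_base_url}}skin/"),
        ("default", 0, "web/secure/base_media_url", "{{secure_base_url}}media/"),
        ("websites", 1, "web/secure/base_url", "{{base_url}}"),
        ("stores", 2, "web/unsecure/base_url", "http://www.somedomain.com"),
    ]
    conn.executemany(
        "INSERT INTO core_config_data (scope, scope_id, path, value) "
        "VALUES (?, ?, ?, ?)", rows)
    return conn


if __name__ == "__main__":
    for scope, scope_id, path in find_affected_scopes(build_sample_db()):
        print(f"AFFECTED scope={scope} scope_id={scope_id} path={path}")
```

Any scope it reports still needs its Base URL replaced with the full store URL, followed by the cache refresh described above.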





1. Right Click from Roma | posted May 21 2008
I’m a little OT but no one knows when the next important version will be released???
2. roco | posted May 21 2008
I changed it and now my entire admin and website have no style applied..................and I can not navigate back to config > Web and save it to a different value. The save config button does not work anymore. Could someone tell me where to toggle this in the code or database?
3. roco | posted May 21 2008
Nevermind........I found it in another post. For anyone else that tries this......here is the backup plan:
table core_config_data > and update records
4. Josue4ever from Mexico DF | posted May 21 2008
I made this. And all seems broken. The back and the front. The button doesn’t work anymore. The store is completely down.
5. UltraFlux | posted May 21 2008
Everyone, Magento is a very young development. It’s not for the faint of heart and takes a fair bit to understand. Magento just graduated to Stable 1.0 at the end of March, 2008 and still has a lot of ground to cover. It looks cool, sure; however, you might want to consider waiting till things under the hood catch up with the flashy design.
6. harry12bar | posted May 26 2008
Hi, I upgraded to 1.0.19870.1. Now my emails don’t work at any level… I checked localization (US). Can anyone let me know whether the Base URL change upgrade can affect (RUIN) the shop email system.. having been working so hard, to be crippled by a URL upgrade is slightly annoying.
Thx
7. Mich81.com | posted May 30 2008
I made a mistake inserting the URL.
Now everything is down and also the admin page is not working any more.
How can I change the base URL without using the admin page?
Where do I have to look? DB or files?
Please Help ME I’m lost.
8. Mich81.com | posted May 30 2008
I solved the problem by myself
http://www.magentocommerce.com/boards/viewthread/8812/
9. oldflatop | posted June 1 2008
I’m sick of this!!!
whenever I change something it just breaks.
This is a very promising piece of software, but right now it’s just a nightmare.
10. harry12bar | posted June 7 2008
Magento’s demo site is still on previous version 1970.... Maybe they should install the latest patch and see what’s going on.... I’m trying to understand, but after 6 months I’m slowly losing my rag! No responses… Have they seen the problems?… Do I sit around and wait till the new release and then find the problems are still there? Then go through the whole nightmare of submitting bugs and watch and hope for a response… The silence is deafening. This was supposed to be a security update and it’s screwed my email system… I would’ve thought, being a security patch, we’d get some kind of response to a few tears, busy or not. (If I sound a bit sharp, what would you sound like after 6 months of utter patience?) Just some kind of feedback or master list showing what’s recognized as a problem and what’s to be fixed in the next release! I have never in all my Oscommerce days come across anything soooo frustrating!
Alex
11. WisdOMbooks from Kolkata (Calcutta) - INDIA | posted June 18 2008
Is it correct to put
http://localhost/magento/
in place of
{{base_url}}
in local environments
(xampp on Win, exactly)?
If yes, should this be done for both,
the Unsecure and the Secure sections?
Sorry for the coding ignorance
but I want to know exactly what-to-do…
before doing it, so to avoid disasters :(
Thank you for your precious time, as usual.
A n g e l o
12. YoavKutner | posted June 20 2008
@WisdOMbooks - you are correct. The only thing is that if you are working on a local environment I would not worry about this much anyway. Just make sure that you take care of this in a production environment.
Thanks
yoav
13. WisdOMbooks from Kolkata (Calcutta) - INDIA | posted June 20 2008
Thank you, dear Yoav, for your kind reply & advice.
Thus, on a local machine server,
it is not a *critical must* but… it’s OK !
14. nuspace media | posted July 31 2008
Just a quick hint… if you installed Magento on the root you can switch everything to just have a slash (/) at the beginning instead of the full URL. I’m not sure why you would ever want the full URL. Absolute pathing is good. You don’t need to have an absolute URL.