Security Update for Magento Base URL Configuration Value

It has come to our attention that under very specific conditions there is a security issue in Magento 1.0 through 1.0.19870 that may cause invalid links to be entered into your block cache.

Installations with correct SSL configuration are NOT affected. 

To prevent this problem from affecting your installation, or to verify that your copy is not affected, please follow these instructions:

- Log in to your Magento admin.

- Navigate to System -> Configuration and select the ‘Web’ tab.

- For every Website and Store view in the ‘Current Configuration Scope’ drop-down (assuming you do not have them set to ‘use default’ or ‘use website’), open both the Unsecure and Secure sections.

- Look for the value of ‘Base URL’. If this field does not contain {{base_url}}, you are not affected, and there is no need to do anything else. If you see {{base_url}}, replace it with the full base URL of your store (e.g. http://www.somedomain.com), including the full domain you wish to use with Magento.

You DO NOT need to change any other configuration values that contain {{unsecure_base_url}} and {{secure_base_url}}, such as Base Link URL, Base Skin URL, Base Media URL and Base JavaScript URL.

Vulnerable configuration:

[screenshot: Base URL field containing {{base_url}}]

Correct configuration:

[screenshot: Base URL field containing the store’s full URL]

If you had to update your configuration as described above, go to System > Cache Management and refresh all caches.

We are currently working on a patch that will validate that {{base_url}} is not used and will warn the admin user if it still exists. We are also updating the install process of Magento to solve this issue for new installations.
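As an added example (not part of the original advisory and not Magento’s own code), the same check expressed against the core_config_data table that stores these values, run here on an in-memory SQLite copy filled with constructed rows. The config paths web/unsecure/base_url and web/secure/base_url are the standard Magento 1 paths behind the two Base URL fields; only those rows are flagged and fixed, while rows that legitimately contain {{unsecure_base_url}} or {{secure_base_url}} (Base Link URL, Base Skin URL and so on) are left alone.

```python
import sqlite3

# Standard Magento 1 config paths for the two Base URL fields the advisory tells you to inspect.
BASE_URL_PATHS = ("web/unsecure/base_url", "web/secure/base_url")
PLACEHOLDER = "{{base_url}}"

# Constructed sample of core_config_data rows (config_id, scope, scope_id, path, value),
# modelled on the Magento 1 schema; this is not a dump from any real store.
SAMPLE_ROWS = [
    (1, "default",  0, "web/unsecure/base_url",      "{{base_url}}"),
    (2, "default",  0, "web/secure/base_url",        "{{base_url}}"),
    (3, "default",  0, "web/unsecure/base_link_url", "{{unsecure_base_url}}"),
    (4, "default",  0, "web/secure/base_skin_url",   "{{secure_base_url}}skin/"),
    (5, "websites", 2, "web/unsecure/base_url",      "http://shop.example.test/"),
]

def open_sample_db():
    """Build an in-memory stand-in for core_config_data holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE core_config_data (config_id INTEGER PRIMARY KEY, "
                 "scope TEXT, scope_id INTEGER, path TEXT, value TEXT)")
    conn.executemany("INSERT INTO core_config_data VALUES (?,?,?,?,?)", SAMPLE_ROWS)
    return conn

def find_vulnerable(conn):
    """Return (scope, scope_id, path) for every Base URL row, at any scope, that still
    holds the placeholder. Rows such as base_link_url are out of scope by path, so their
    {{unsecure_base_url}} / {{secure_base_url}} values are never reported."""
    cur = conn.execute(
        "SELECT scope, scope_id, path FROM core_config_data "
        "WHERE path IN (?, ?) AND value LIKE ? ORDER BY config_id",
        (*BASE_URL_PATHS, f"%{PLACEHOLDER}%"),
    )
    return cur.fetchall()

def fix_base_urls(conn, full_url):
    """Replace the placeholder with the store's full base URL, as the advisory instructs,
    and return the number of rows changed. Magento's cache still has to be refreshed
    afterwards, otherwise the old value keeps being served from the cached config."""
    if not full_url.startswith(("http://", "https://")) or not full_url.endswith("/"):
        raise ValueError("full_url must be an absolute URL ending with '/'")
    cur = conn.execute(
        "UPDATE core_config_data SET value = REPLACE(value, ?, ?) "
        "WHERE path IN (?, ?) AND value LIKE ?",
        (PLACEHOLDER, full_url, *BASE_URL_PATHS, f"%{PLACEHOLDER}%"),
    )
    conn.commit()
    return cur.rowcount
```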


User Comments

16 comments
  1. ecommerce-store

ecommerce-store from Roma | posted May 21 2008

I’m a little OT, but does no one know when the next important version will be released???

  2. roco

roco | posted May 21 2008

    I changed it and now my entire admin and website have no style applied..................and I can not navigate back to config > Web and save it to a different value.  The save config button does not work anymore. Could someone tell me where to toggle this in the code or database?

  3. roco

roco | posted May 21 2008

Never mind........I found it in another post.  For anyone else that tries this......here is the backup plan:

    table core_config_data > and update records

  4. Josue4ever

Josue4ever from Mexico DF | posted May 21 2008

I did this. And all seems broken, the back and the front. The button doesn’t work anymore. The store is completely down.

  5. UltraFlux

UltraFlux | posted May 21 2008

Everyone, Magento is a very young development.  It’s not for the faint of heart and takes a fair bit to understand.  Magento just graduated to Stable 1.0 at the end of March, 2008 and still has a lot of ground to cover.  It looks cool, sure, however you might want to consider waiting till things under the hood catch up with the flashy design.

  6. harry12bar

harry12bar | posted May 26 2008

Hi, I upgraded to 1.0.19870.1. Now my emails don’t work at any level… I checked localization (US).  Can anyone let me know whether the Base URL change upgrade can affect (RUIN) the shop email system.. been working so hard to be crippled by a URL upgrade is slightly annoying.
    Thx

  7. Mich81.com

Mich81.com | posted May 30 2008

I made a mistake inserting the URL.
Now everything is down and also the admin page is not working any more.
How can I change the base URL without using the admin page?
Where do I have to look? DB or files?

    Please Help ME I’m lost.

  8. Mich81.com

Mich81.com | posted May 30 2008

  9. oldflatop

oldflatop | posted June 1 2008

I’m sick of this!!!
    whenever I change something it just breaks.
    This is a very promising piece of software, but right now it’s just a nightmare.

  10. harry12bar

harry12bar | posted June 7 2008

Magento’s demo site is still on previous version 1970.... Maybe they should install the latest patch and see what’s going on.... I’m trying to understand but after 6 months I’m slowly losing my rag! No responses… Have they seen the problems?… Do I sit around and wait till the new release and then find the problems are still there?  Then go through the whole nightmare of submitting bugs and watch and hope for a response… The silence is deafening. This was supposed to be a security update and it’s screwed my email system… I would’ve thought being a security patch we’d get some kind of response to a few tears, busy or not.  (If I sound a bit sharp, what would you sound like after 6 months of utter patience?) Just some kind of feedback or master list showing what’s recognized as a problem and what’s to be fixed in the next release! I have never in all my osCommerce days come across anything soooo frustrating!

    Alex

  11. WisdOMbooks

WisdOMbooks from Kolkata (Calcutta) - INDIA | posted June 18 2008

    Is it correct to put
    http://localhost/magento/
    in place of
    {{base_url}}
    in local environments
    (xampp on Win, exactly)?

    If yes, should this be done for both,
    the Unsecure and the Secure sections?

    Sorry for the coding ignorance smile
    but I want to know exactly what-to-do…
    before doing it, so to avoid disasters :(

    Thank you for your precious time, as usual.

    A n g e l o

  12. YoavKutner

YoavKutner | posted June 20 2008

@WisdOMbooks - you are correct. The only thing is that if you are working on a local environment I would not worry about this much anyway. Just make sure that you take care of this in a production environment.

    Thanks

    yoav

  13. WisdOMbooks

WisdOMbooks from Kolkata (Calcutta) - INDIA | posted June 20 2008

    Thank you, dear Yoav, for your kind reply & advice.

    Thus, on a local machine server,
    it is not a *critical must* but… it’s OK !  smile

  14. nuspace media

nuspace media | posted July 31 2008

    Just a quick hint… if you installed Magento on the root you can switch everything to just have a slash (/) at the beginning instead of the full URL. I’m not sure why you would ever want the full URL. Absolute pathing is good. You don’t need to have an absolute URL.

  15. nb109

nb109 | posted September 2 2009

    ATTENTION: Magento caches the configuration, so be sure to do a rm -rf ./var/cache (from the Magento installation’s root directory, of course) to clear the cache. Magically, your installation will return.

    Not sure why the article tells you to go to the backend of the installation to the Cache Management area to clear cache when you won’t be able to access it after making this change. Delete it manually by SSHing into your server as I described and you’ll be fine.

  16. infinitum

infinitum | posted November 2 2009

    Thx nb109. Your advice saved the day.

    I’m using magento-1.4.0.0-alpha3 and kept on getting the msg that the Base URL was unsafe even after I changed it to the path http://localhost/magento-1.4.0.0-alpha3/ in the configuration.

I was about to go mad until I cleared the cache as you said.

