Magento Blog

Security Update for Magento Base URL Configuration Value

2008-05-21T02:13:00-08:00

It has come to our attention that under very specific conditions there is a security issue in Magento 1.0 through 1.0.19870 that may cause invalid links to be entered into your block cache.

Installations with correct SSL configuration are NOT affected.

To prevent any possibility for this problem affecting your installation or to make sure if your copy is not affected, please follow these instructions:

- Login into your Magento admin

- Navigate to: System-> Configurations and select the ‘Web’ tab.

- For every Website and Store view in the ‘Current Configuration Scope’ drop-down (assuming you do not have them set to ‘use default’ or ‘ use website)
Open both Unsecure and Secure sections.

Look for the value of ‘Base URL’. if this field does not contain {{base_url}}, you are not affected, and there is no need to do anything else. If you see {{base_url}} you need to replace this value with full base URL of your store (e.g. http://www.somedomain.com) which includes your full domain you wish to use with Magento.

You DO NOT need to change any other configuration values that contain {{unsecure_base_url}} and {{secure_base_url}}, such as Base Link URL, Base Skin URL, Base Media URL and Base JavaScript URL.

Vulnerable configuration:

Correct configuration:

If you had to update your configuration as described above, please go to System > Cache management and refresh all caches.

We are currently working on a patch that will validate that {{base_url}} is not used and will warn the admin user if it still exists. We are also updating the install process of Magento to solve this issue for new installations.

Comment by nuspace media

2008-10-05 T;23:09:00-08:00

Just a quick hint… if you installed Magento on the root you can switch everything to just have a slash (/) at the beginning instead of the full URL. I’m not sure why you would ever want the full URL. Absolute pathing is good. You don’t need to have an absolute URL.

Comment by WisdOMbooks

2008-10-05 T;23:09:00-08:00

Thank you, dear Yoav, for your kind reply & advice.

Thus, on a local machine server,
it is not a *critical must* but… it’s OK !

Comment by YoavKutner

2008-10-05 T;23:09:00-08:00

@WisdOMbooks - you are correct. The only thing is that if you are working on a local environment I would not worry about this much any way. Just make sure that you take care of this in a production environment.

Thanks

yoav

Comment by WisdOMbooks

2008-10-05 T;23:09:00-08:00

Is it correct to put
http://localhost/magento/
in place of
{{base_url}}
in local environments
(xampp on Win, exactly)?

If yes, should this be done for both,
the Unsecure and the Secure sections?

Sorry for the coding ignorance
but I want to know exactly what-to-do…
before doing it, so to avoid disasters :(

Thank you for your precious time, as usual.

A n g e l o

Comment by harry12bar

2008-10-05 T;23:09:00-08:00

Magentos demo site is still on previous version 1970.... Maybe that should install latest patch and see whats going on.... Im trying to understand but after 6months im slowly losing my raag! No responses… Have they seen the problems?… Do I sit around and wait till new release and then find problems are still there? Then go through the whole nightmare of submitting bugs and watch and hope for a response… The silence is deafening. This was supposed to be a security update and its screwed my email system… I would’ve thought being a security patch we’d get some kind of response to a few tears, busy or not. (if I sound a bit sharp what would you sound like after 6months of utter patience). Just some kind of feed back or master list showing whart recognized as a problem and whats to be fixed in next release.! I have never in all my Oscommerce days come across anything soooo frustrating!

Alex

Comment by oldflatop

2008-10-05 T;23:09:00-08:00

i’m sick of this!!!
whenever I change something it just breaks.
This is a very promising piece of software, but right now it’s just a nightmare.

Comment by Mich81.com

2008-10-05 T;23:09:00-08:00

I solve the problem by myself
http://www.magentocommerce.com/boards/viewthread/8812/

Comment by Mich81.com

2008-10-05 T;23:09:00-08:00

I made a mistake inserting the URL.
Now everythink is down and also admin page is not working any more.
How ca i change the base URL without using the admin page?
Where I have to look at? DB or files?

Please Help ME I’m lost.

Comment by harry12bar

2008-10-05 T;23:09:00-08:00

Hi, I upgraded to 1.0.19870.1. Now my emails dont work in any level… I checked localization (US) . Can anyone let me know wethare Base url change upgrade can effect (RUIN) shop email system.. been working so hard to be cripled by url upgrade is slightly annoying.
Thx

Comment by UltraFlux

2008-10-05 T;23:09:00-08:00

Everyone Magento is a very young development. Its not for the faint of heart and takes a fair bit to understand. Magento just graduated to Stable 1.0 at the end of March, 2008 and still has a lot of ground to cover. It looks cool sure however you might want to consider waiting till things under the hood catch up with the flashy design.

Comment by Josue4ever

2008-10-05 T;23:09:00-08:00

I made this. And all seems broken. the back and the front. the button doesnt works anymore. The store complytely is down

Comment by roco

2008-10-05 T;23:09:00-08:00

Nevermind........I found it in another post. For anyone else that trys this......here is the backup plan:

table core_config_data > and update records

Comment by roco

2008-10-05 T;23:09:00-08:00

I changed it and now my entire admin and website have no style applied..................and I can not navigate back to config > Web and save it to a different value. The save config button does not work anymore. Could someone tell me where to toggle this in the code or database?

Comment by Right Click

2008-10-05 T;23:09:00-08:00

I’m a little OT but no one know when the next important verion will be release???