Magento Blog


Security Update for Magento Base URL Configuration Value

It has come to our attention that under very specific conditions there is a security issue in Magento 1.0 through 1.0.19870 that may cause invalid links to be entered into your block cache.

Installations with correct SSL configuration are NOT affected. 

To rule out this problem on your installation, or to confirm that your copy is not affected, follow these instructions:

- Log in to your Magento admin.

- Navigate to System > Configuration and select the ‘Web’ tab.

- For every Website and Store View in the ‘Current Configuration Scope’ drop-down (assuming they are not set to ‘Use Default’ or ‘Use Website’), open both the Unsecure and Secure sections.

- Look for the value of ‘Base URL’. If this field does not contain {{base_url}}, you are not affected and there is no need to do anything else. If you see {{base_url}}, replace it with the full base URL of your store (e.g. http://www.somedomain.com), including the full domain you wish to use with Magento.

You DO NOT need to change any other configuration values that contain {{unsecure_base_url}} and {{secure_base_url}}, such as Base Link URL, Base Skin URL, Base Media URL and Base JavaScript URL.

Vulnerable configuration:

(screenshot: Base URL field still set to {{base_url}})

Correct configuration:

(screenshot: Base URL field set to the store's full URL)

If you had to update your configuration as described above, please go to System > Cache management and refresh all caches.
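The manual check above can be run against the configuration table instead of clicking through every scope in the admin. The following is an added example, not code from Magento or from this post. It assumes the Magento 1 layout of the `core_config_data` table (columns `scope`, `scope_id`, `path`, `value`) and the config paths `web/unsecure/base_url` and `web/secure/base_url`; the sample rows are constructed for illustration, and the trailing slash added to the replacement URL follows Magento's base URL convention. It flags only the exact `{{base_url}}` token, so the legitimate `{{unsecure_base_url}}` and `{{secure_base_url}}` placeholders in Base Link URL and similar paths are left alone. It does not refresh the cache; that step still has to be done in System > Cache management.

```python
# Added example (not Magento's own code): audit and fix the {{base_url}}
# placeholder in Magento 1 base URL configuration rows at every scope.
import re
from typing import Dict, List, Tuple

# Assumed Magento 1 config paths that the advisory says must hold a full URL.
BASE_URL_PATHS = ("web/unsecure/base_url", "web/secure/base_url")

# Exact placeholder token. A looser pattern such as r"base_url}}" would also
# match {{unsecure_base_url}} and {{secure_base_url}}, which are valid in
# other paths (Base Link URL, Base Skin URL, ...) and must not be touched.
PLACEHOLDER = re.compile(r"\{\{base_url\}\}")

# Equivalent query for a live install (assumed core_config_data layout);
# run it with the mysql client to list the rows find_vulnerable() would flag.
AUDIT_SQL = """
SELECT scope, scope_id, path, value FROM core_config_data
 WHERE path IN ('web/unsecure/base_url', 'web/secure/base_url')
   AND value LIKE '%{{base_url}}%';
"""

# Constructed sample rows: (scope, scope_id, path, value).
Row = Tuple[str, int, str, str]
SAMPLE_ROWS: List[Row] = [
    ("default",  0, "web/unsecure/base_url",      "{{base_url}}"),
    ("default",  0, "web/secure/base_url",        "{{base_url}}"),
    ("default",  0, "web/unsecure/base_link_url", "{{unsecure_base_url}}"),
    ("default",  0, "web/secure/base_link_url",   "{{secure_base_url}}"),
    ("websites", 1, "web/unsecure/base_url",      "http://www.somedomain.com/"),
    ("websites", 1, "web/secure/base_url",        "https://www.somedomain.com/"),
    ("stores",   2, "web/unsecure/base_url",      "{{base_url}}"),
]


def find_vulnerable(rows: List[Row]) -> List[Row]:
    """Return the base URL rows that still hold the {{base_url}} placeholder."""
    return [r for r in rows if r[2] in BASE_URL_PATHS and PLACEHOLDER.search(r[3])]


def fix_rows(rows: List[Row],
             full_urls: Dict[Tuple[str, int], Tuple[str, str]]) -> List[Row]:
    """Replace the placeholder with the store's full base URL for that scope.

    full_urls maps (scope, scope_id) -> (unsecure_url, secure_url). Rows that
    are already correct, and rows for other paths, are returned unchanged.
    A flagged row whose scope has no entry in full_urls raises KeyError rather
    than silently leaving the placeholder in place.
    """
    fixed: List[Row] = []
    for scope, scope_id, path, value in rows:
        if path in BASE_URL_PATHS and PLACEHOLDER.search(value):
            try:
                unsecure, secure = full_urls[(scope, scope_id)]
            except KeyError:
                raise KeyError(f"no full base URL supplied for scope {scope}/{scope_id}")
            url = secure if path == "web/secure/base_url" else unsecure
            if not url.endswith("/"):
                url += "/"  # Magento base URLs end with a slash (assumption)
            value = url
        fixed.append((scope, scope_id, path, value))
    return fixed


if __name__ == "__main__":
    for row in find_vulnerable(SAMPLE_ROWS):
        print("VULNERABLE:", row)
    urls = {
        ("default", 0): ("http://www.somedomain.com", "https://www.somedomain.com"),
        ("stores", 2): ("http://fr.somedomain.com/", "https://fr.somedomain.com/"),
    }
    for row in fix_rows(SAMPLE_ROWS, urls):
        print("FIXED:", row)
```

After applying the corrected values (for example with UPDATE statements built from the output of `fix_rows`), refresh all caches as described above, since the bad links may already be in the block cache.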

We are currently working on a patch that will validate that {{base_url}} is not used and will warn the admin user if it still exists. We are also updating the install process of Magento to solve this issue for new installations.
