Security Update 01/2017

Improved protection

Following the security update published on 23rd January, we are now providing an updated version that offers improved protection with only a few minor adjustments in Shopware. Under certain circumstances it is still possible to compromise Shopware and the previously provided HotFix plugin. One possible threat arises when a template that doesn't derive from the Shopware standard has been completely copied. To prevent this scenario, we created an updated version of Shopware (5.2.16) and of the HotFix plugin (1.1.0).

To ensure security, we strongly recommend that you install the latest version of Shopware (5.2.16) or the most recent version of the HotFix plugin. Please check whether you use themes or plugins that execute or overwrite the following template code. If so, we recommend that you also make the following template adjustments in the derived template file.

Affected file: emotion.tpl

Path template file "Emotion template": templates/_default/frontend/forms/elements.tpl
Path template file "Responsive template": themes/Frontend/Bare/frontend/forms/elements.tpl

The complete line beginning with {eval var=$sSupport.sFields[$sKey]... should be replaced with the following:


{$sSupport.sFields[$sKey]|replace:'{literal}':''|replace:'{/literal}':''|replace:'%*%':"{s name='RequiredField' namespace='frontend/register/index'}{/s}"}

(These adjustments have already been implemented in Shopware 5.2.15)
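
To find copied or derived templates that still carry the old line, a scan like the following can be run over the shop directory. This is an added example, not Shopware's own tooling: the theme name `ExampleTheme` and the sample tree are constructed, and the eval line is matched only by the prefix quoted above.

```python
import re
import tempfile
from pathlib import Path

# Prefix of the line the advisory says must be replaced.
EVAL_RE = re.compile(r"\{\s*eval\s+var\s*=\s*\$sSupport\.sFields\[")
# Start of the replacement expression given in the advisory.
FIXED_RE = re.compile(r"\{\s*\$sSupport\.sFields\[[^\]]+\]\s*\|\s*replace:\s*'\{literal\}'")
# Replacement line quoted from the advisory, used for the constructed sample below.
PATCHED_LINE = ("{$sSupport.sFields[$sKey]|replace:'{literal}':''|replace:'{/literal}':''"
                "|replace:'%*%':\"{s name='RequiredField' namespace='frontend/register/index'}{/s}\"}")

def scan_template(text):
    """Classify one template: returns (status, line numbers that still use eval)."""
    hits = [n for n, line in enumerate(text.splitlines(), 1) if EVAL_RE.search(line)]
    if hits:
        return "needs-fix", hits
    return ("patched" if FIXED_RE.search(text) else "not-affected"), []

def scan_tree(root):
    """Return {relative path: (status, lines)} for every affected .tpl file under root."""
    results = {}
    for path in sorted(p for p in Path(root).rglob("*.tpl") if p.is_file()):
        status, lines = scan_template(path.read_text(encoding="utf-8", errors="replace"))
        if status != "not-affected":
            results[path.relative_to(root).as_posix()] = (status, lines)
    return results

def build_demo_tree(root):
    """Constructed sample shop: one patched core template, one copied theme template."""
    samples = {
        "themes/Frontend/Bare/frontend/forms/elements.tpl": f"<div>\n{PATCHED_LINE}\n</div>\n",
        # 'ExampleTheme' is hypothetical; the eval line is cut off exactly as in the advisory.
        "themes/Frontend/ExampleTheme/frontend/forms/elements.tpl":
            "<div>\n{* copied *}\n{eval var=$sSupport.sFields[$sKey]...\n</div>\n",
        "themes/Frontend/ExampleTheme/frontend/index/index.tpl": "<p>plain</p>\n",
    }
    for rel, body in samples.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")

if __name__ == "__main__":
    demo_root = tempfile.mkdtemp()
    build_demo_tree(demo_root)
    for rel, (status, lines) in scan_tree(demo_root).items():
        print(f"{status:10} {rel} {lines or ''}")
```

Files reported as `needs-fix` are the ones where the template adjustment above still has to be applied by hand.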

Theme and plugin developers

All theme and plugin developers are encouraged to update their existing themes/plugins using the above-mentioned code.

What should I do?

  • Update Shopware to 5.2.16 or update the plugin.
  • Check and adapt the code in the plugins, custom themes or templates

Important security update

General information about the security update

Under certain circumstances, it's possible to execute unauthorized foreign code in Shopware. This is a critical security vulnerability that could affect the entire system. All Shopware versions up to and including Shopware 5.2.14 are affected. It is imperative that security updates be performed for every Shopware shop. Our current software version 5.2.15 already contains the required security update. You can upgrade to the new version 5.2.15 using the auto-update function in your backend or by downloading the release from our download page.

Alternatives for securing your system

If you are unable to upgrade your system to version 5.2.15 (recommended), you have another option for securing your system:

Patch plugin

  • Download the following plugin: SwagSecurityHotFix201701
  • Log into your Shopware backend and open the Plugin Manager
  • Click on "Installed" (located on the left side of the window)
  • Click on "Upload plugin" and select the plugin linked above
  • Finally, install and activate the plugin within the overview in the Plugin Manager