Security Update 10/2016

General information

Under certain circumstances, it’s possible to execute an unauthorized foreign code in Shopware. This is a critical security vulnerability that could affect the entire system. All Shopware versions from 4.0.0 up to and including Shopware 5.2.8 are affected. It is imperative that security updates be performed for every Shopware shop. Our current software version 5.2.9 already contains the required security update. You can upgrade to the new version 5.2.9 using the auto-update function in your backend or by downloading the release from our download-page.

Alternatives for securing your system

If you are unable to upgrade your system to version 5.2.9 (recommended), you have two other options for securing your system:

Patch plugin

1. Download the following plugin: SwagSecurityHotFix201610.zip
2. Log into your Shopware backend and open the Plugin Manager
3. Click on “Installed” (located on the left side of the window)
4. Click on “Upload plugin” and select the plugin linked above
5. Finally, install and activate the plugin within the overview in the Plugin Manager

Manual fix

1. Download the following file: ManualHotFix201610.zip
2. Unzip the file in the main directory of your Shopware installation
3. Replace the existing engine/Shopware/Components/StringCompiler.php file