Magento 1.9.3 - Security Overview

Magento CE 1.9.3 was published on 11 October 2016. It delivers various code improvements, fixes a number of known issues and closes several important security holes. Besides the code quality improvements, the new version adds support for PHP 5.6 in addition to PHP 5.4 and 5.5 (PHP 7 is still not supported).

The security enhancements address a number of serious issues, among them remote code execution in checkout, SQL injection in Zend Framework and stored XSS in invitations.

There are also several password-related enhancements that prevent abuse of the 'forgotten password' functionality, and changing a customer's email address now requires the customer's password, which prevents an unauthorized change of the email address.

Among the other important security updates, it is worth mentioning that the patch removes several SWF (Flash) files that were located in the admin default theme. Here is the list of files:

skin/adminhtml/default/default/media/flex.swf

skin/adminhtml/default/default/media/uploader.swf

skin/adminhtml/default/default/media/uploaderSingle.swf

The latest version of our MageFence module searches for those files and flags them as a possible security issue in case you have patched/updated Magento but for some reason the files are still present on the server.
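As an added example (not part of the original post and not MageFence code), a small POSIX shell script that performs the same check on a server: it reports which of the three SWF files listed above are still present under a given Magento root, and it also lists any other .swf file under that root, since a third-party extension may ship its own Flash uploader. The Magento root path is passed as the only argument; nothing else is assumed.

```shell
#!/bin/sh
# Added example (not MageFence code): report SWF files that CE 1.9.3 /
# SUPEE-8788 is supposed to remove but that are still present on disk.
# Usage: sh check_swf.sh /path/to/magento

# The three files named in the release notes, relative to the Magento root.
REMOVED_SWF="skin/adminhtml/default/default/media/flex.swf
skin/adminhtml/default/default/media/uploader.swf
skin/adminhtml/default/default/media/uploaderSingle.swf"

# Print each listed file that still exists under $1; return 1 if any remain.
check_leftover_swf() {
    magento_root=$1
    found=0
    for rel in $REMOVED_SWF; do
        if [ -e "$magento_root/$rel" ]; then
            echo "STILL PRESENT: $magento_root/$rel"
            found=1
        fi
    done
    return $found
}

# Broader sweep: any other .swf under the web root deserves a look too,
# because a third-party extension may ship its own Flash uploader.
list_all_swf() {
    find "$1" -type f -iname '*.swf' 2>/dev/null
}

# Only run the checks when a Magento root was given on the command line.
if [ "$#" -gt 0 ]; then
    if check_leftover_swf "$1"; then
        echo "OK: none of the removed SWF files remain under $1"
    else
        echo "Delete the files above (or re-apply SUPEE-8788) and run the check again"
    fi
    echo "All SWF files under $1:"
    list_all_swf "$1"
fi
```

The exit status of check_leftover_swf makes the script usable from a cron job or deployment pipeline: a non-zero status means the uploader files came back, for example because a deployment restored an old skin directory.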

Before updating or patching, create a complete working backup of your site, including the database and the file system, since there are a few backward-incompatible changes that might cause issues with third-party modules. The following backward-incompatible changes were made in this release:

Mage_Adminhtml_Block_Cms_Wysiwyg_Images_Content_Uploader: the parent class was removed.

Mage_Uploader_Model_Config_Abstract: overrides the magic method __call, and its behavior can be inconsistent.

If Magento core files have been edited, you will most likely not be able to patch your system with the SUPEE-8788 patch and should follow the update procedure instead. All changes made to core files will most likely be overwritten during the update, so it is wise to copy them beforehand and re-apply them properly afterwards (in the app/code/local code pool rather than in the core files themselves).
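As an added example (not part of the original post, not MageFence code and not an official Magento tool), a POSIX shell script that helps with the two tasks described above before you update. It compares the live app/code/core tree against a clean copy of the same Magento version (assumed to be unpacked somewhere on the server) and prints each edited core file together with the app/code/local path where a Block, Model or Helper override would be picked up instead. It also lists existing app/code/local files that shadow a core file. That second list matters because SUPEE patches only modify app/code/core: a fix to a core class that you have overridden in app/code/local does not reach the override until you port it by hand. Controllers are flagged separately because a copy of a controller in app/code/local is not loaded by the router; those need a module rewrite. The two directory paths are the only inputs; the Mage_Foo module used in the comments is a made-up example.

```shell
#!/bin/sh
# Added example (not MageFence code, not an official Magento tool).
# Assumes two full Magento 1.x trees: a clean copy of the SAME version ($1)
# and the live site ($2).
# Usage: sh core_changes.sh /path/to/clean-magento /path/to/live-magento

# Print what to do with one edited core file, given by its path relative
# to app/code/core (e.g. Mage/Foo/Helper/Data.php).
report_change() {
    live_root=$1
    rel=$2
    case $rel in
        */Block/*|*/Model/*|*/Helper/*)
            # Autoloaded classes: app/code/local precedes core on the include path.
            echo "EDITED   $live_root/app/code/core/$rel -> move to $live_root/app/code/local/$rel"
            ;;
        */controllers/*)
            # Controllers are included by path from the module's own code pool.
            echo "EDITED   $live_root/app/code/core/$rel (controller: a copy in app/code/local is not loaded; use a module rewrite)"
            ;;
        *)
            echo "EDITED   $live_root/app/code/core/$rel (not a class file; review manually)"
            ;;
    esac
}

# Print one line per file under app/code/core that differs from the clean
# tree, plus files that exist only in the live tree.
list_core_changes() {
    clean_root=$1
    live_root=$2
    diff -rq "$clean_root/app/code/core" "$live_root/app/code/core" 2>/dev/null \
    | while IFS= read -r line; do
        case $line in
            "Files "*" differ")
                # "Files CLEAN and LIVE differ": keep the LIVE path.
                live_file=${line#Files * and }
                live_file=${live_file% differ}
                rel=${live_file#"$live_root/app/code/core/"}
                report_change "$live_root" "$rel"
                ;;
            "Only in $live_root/"*)
                # "Only in DIR: NAME": a file added under core.
                dir=${line#Only in }
                dir=${dir%%: *}
                echo "ADDED    $dir/${line##*: } (not in clean tree, review manually)"
                ;;
        esac
    done
}

# Print every PHP file in app/code/local that shadows a core file with the
# same relative path. SUPEE patches only touch app/code/core, so a fix to a
# shadowed file has to be ported into the override by hand.
list_shadowing_overrides() {
    live_root=$1
    [ -d "$live_root/app/code/local" ] || return 0
    find "$live_root/app/code/local" -type f -name '*.php' | while IFS= read -r f; do
        rel=${f#"$live_root/app/code/local/"}
        if [ -f "$live_root/app/code/core/$rel" ]; then
            echo "OVERRIDE $f shadows app/code/core/$rel"
        fi
    done
}

# Only run when both roots were given on the command line.
if [ "$#" -eq 2 ]; then
    list_core_changes "$1" "$2"
    list_shadowing_overrides "$2"
fi
```

Run it before the update, keep the EDITED and OVERRIDE lists with the backup, and after the update diff each listed core file against its override: anything the patch changed in the core file has to be carried into the local copy, or the override keeps the old, vulnerable code.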

Quality improvements and fixes cover several areas, such as tax calculation, shopping cart and checkout, price rules, the import/export process and indexer functionality. The complete list can be found on the official page: http://devdocs.magento.com/guides/m1x/ce19-ee114/ce1.9_release-notes.html#ce19-1930

So far several issues have been reported after updating, among them every product being displayed in search results in full-text mode, and SOAP connection issues. There are also several issues with third-party extensions that can upload and manipulate images; patches for those should appear in the next few days.
