Removed SUPEE-6285 mitigation

We have removed the NGINX rules that mitigated the old SUPEE-6285 vulnerability. Keeping these rules in our main config was causing more problems than it prevented because almost all stores have been patched by now or are running a Magento version where this is not an issue. These rules caused issues for various users so we decided that now would be a good time to remove them from the main configuration.

For all Hypernodes where these rules were still needed we have placed a user editable config with the old rules in /data/web/nginx/before_redir.supee6285. All relevant users will receive a reminder to still patch this vulnerability because while our mitigation will block various known attacks, it might not be a complete fix.

The user editable config looks like:

# Hypernode Platform SUPEE 6285 Risk Mitigation
# Only allow the new url case sensitive lowercase, deny case insensitive
location ^~ /rss/order/new {
    echo_exec @handler;
location ^~ /rss/catalog/notifystock {
    echo_exec @handler;
location ^~ /rss/catalog/review {
    echo_exec @handler;
location ~* /rss/order/new {
    return 403;
location ~* /rss/catalog/notifystock {
    return 403;
location ~* /rss/catalog/review {
    return 403;

If for some reason you still require this mitigation on any new Hypernode you can place this file in /data/web/nginx and the NGINX config reloader will mix it into the main configuration.

To make this config user editable have added a new wildcard NGINX include in the appropriate place. The often used server.* include takes place after the default PHP-FPM handler which prevents some redirects from working. For the SUPEE-6285 rules we needed to hook into the config a bit earlier similar to the magmi.conf file. See this article for an explanation of the NGINX configuration inclusion order.

You can inspect the new include in the main NGINX configuration like so:

$ grep redir /etc/nginx/magento.conf -B 5
    # Include default handlers
    include /etc/nginx/handlers.conf;

    # User-editable so the user may set it up as they want. Must be 
    # included here to catch and redirect PHP files, if this was loaded 
    # in later (after the default php-fpm handler for .php files) then we
    # would not be able to redirect some things.
    include /etc/nginx/app/magmi*.conf;
    include /etc/nginx/app/before_redir.*;

For more information about this old vulnerability see this Byte blog article.

PHP updates

We have updated PHP 5.6 from 5.6.30-12 to 5.6.33-1 and PHP 7.0 from 7.0.25-1 to 7.0.27-1. See the changelog for 5.6.33 here and the changelog for 7.0.21 here. This is a security update and fixes various vulnerabilities. Related Debian security advisories: DSA-4081-1 and DSA-4080-1.

hypernode-magerun update

A new version of our n98-magerun plugin bundle hypernode-magerun has been added to the repositories. Modules without version nodes should no longer cause errors with hypernode:modules:list-updates. Thanks to Simon Sprankel for reporting the issue and to Fabio Ros for fixing it and for fixing the build as well.

All changes will be deployed on all Hypernodes over the course of this week.