How to Install Magento Security Patches – The Ultimate Guide

Magento is an open-source platform that consists of all leading cutting edge functionalities in one pack. But using an open-source platform has always drawback that is code is openly available to all which is like open invitations to hackers and attackers. And security is one of the important factors for any Ecommerce stores. Having wide Magento Community, Magento Developers are working hard to improve and enhance CMS with their regular updates. For new Magento version it by default includes all security enhancement but what about old Magento stores? To protect each store Magento is always releasing small security patches or you can say SUPEE that contains bug fixes and security enhancement to protect your store from vulnerabilities.

But why it is important to apply these security patches to your Magento Store?
In the year 2015, Check Point researchers discovered a critical remote code execution (RCE) Hazard in Ecommerce platform Magento which can bulge to outright compromise of any Magento store, which may include personal data, credit card info and other data which can affect nearly 200 thousand online shops.
So, we always recommended store owner to upgrade their store but if you dont want to upgrade your store so frequently one should have to install security patches to keep their store secure and up to date.

Magento has already released one patch last year, but 80% of Magento stores haven’t applied and so those were vulnerable, so Magento have to send notification to install patches and make your Magento store secure. This Remote code vulnerability was originally founded by Check Point and reported about the issue to Magento.

We have covered the installation fo following patches but you can install other using the same method:

• SUPEE 1533
• SUPEE 5344
• SUPEE 5994
• SUPEE 6285
• SUPEE 6482
• SUPEE 6788
• SUPEE 7405
• SUPEE 7616
• SUPEE 8788
• SUPEE 9652
• SUPEE 9767 – NEW!
• FAQs

Refer this awesome spreadsheet to know which patches your Magento needs. This sheet is prepared and maintained by JH.

How your store can be hacked?

Hacker can run the malicious code and try to create one fake admin user with all rights in the Magento database leveraging SQL injections. If you think, your website has been hacked, then please try to find usernames in your database: admin_user and ypwq, as these are the names hackers are using so far.

Why You should fix this as soon as possible?

Check Point researchers recently discovered a critical RCE (remote code execution) vulnerability in the Magento web e-commerce platform that can lead to the complete compromise of any Magento-based store, including credit card information as well as other financial and personal data, affecting nearly two hundred thousand online shops.

Source: http://blog.checkpoint.com/2015/04/20/analyzing-magento-vulnerability/

SUPEE 1533 & SUPEE 5344

Magento has released these 2 patches, SUPEE-1533 and SUPEE-5344.

The important thing is now how to install the patches for the Magento website, here is the simplest guide to apply patches on your magento.

There are 3 ways to install patches, either using SSH and the other one is using FTP or cpanel. Some hosting provider don’t provide the SSH access for your plan, but don’t worry you have other option to follow.

Compilation:

Make sure compilation has been disabled in your store before installing patches. If you haven’t disabled the compiler and installed the patch, test everything and run the compiler to again. It needs to run the compiler to take effect of the code of the patch.

I have explained installation of patches with both the ways here:

Follow this instruction to install patch on your store,

Method 1:

• • 1. Upload patch files in the root of magento.
    2.  Make one file with the name of patch.php, write following code in it,

<?php
	print("<PRE>");
	passthru("/bin/bash PATCH_SUPEE-5344.sh");
	print("</PRE>");
	echo "Done";
?>

Replace the file name in it, upload it in the root and run the file from the browser.

Name should be PATCH_SUPEE-5344.sh or PATCH_SUPEE-1533.sh

You should receive following screen once you run patch.php from the browser,

If you are getting error like this,

“Error! Some required system tools, that are utilized in this sh script, are not installed; Tool (s) “patch” is (are) missed, please install it(them).

That means system tools aren’t installed in your server to run the sh script, you can contact your hosting provider or follow another method.

We have updated the patch files for the older Magento versions:
It is very much recommended to use this patches at your own risk, please take backup of your website. It is highly recommaded to upgrade your Magento version to latest one, you can contact us for the Magento Upgrade Service.

Here is the patch file for Magento version (1.3) : Patch_for_Magento_1.3

Here is the patch file for Magento version (1.4) : Patch_for_Magento_1.4

Here is the patch file for Magento version (1.5) : Patch_for_Magento_1.5

Method 2:

You can install patch with SSH as well. You will need SSH, if you don’t know how to set up SSH, contact your hosting provider.

• • 1. Upload the patch files in the root,
    2. In ssh console, run the command as following.

For .sh file extension

Sh PATCH_SUPEE-5344.sh

Sh PATCH_SUPEE-1533.sh

For .patch file extension:

patch —p0 < patch_file_name.patch

Method 3:

We have uploaded the zip files with already patched files, you will just need to extract and upload It in the root of your Magento.

Patch SUPEE-1533 (Magento 1.7.x.x-1.9.1.0) applied to the following files:

• • • app/code/core/Mage/Adminhtml/Block/Dashboard/Graph.php
    • app/code/core/Mage/Adminhtml/controllers/DashboardController.php

Download the zip from here :  SUPEE-1533.zip

Download the zip for Magento (1.6.x.x) :  SUPEE_1533_for_1.6.zip

Patch SUPEE-5344 applied to the following files:

• • • app/code/core/Mage/Admin/Model/Observer.php
    • app/code/core/Mage/Core/Controller/Request/Http.php
    • app/code/core/Mage/Oauth/controllers/Adminhtml/Oauth/AuthorizeController.php
    • app/code/core/Mage/XmlConnect/Model/Observer.php
    • lib/Varien/Db/Adapter/Pdo/Mysql.php

Download the zip for Magento (1.8.x.x – 1.9.1.0 ): SUPEE-5344.zip

Download the zip for Magento (1.7.x.x): SUPEE_5344_for_1.7

Download the zip for Magento (1.6.x.x): SUPEE_5344_for_1.6

You can also download these Pre Patched files from GitHub.

NOTE : Please Don’t forget to check the user account for the admin, if you found any malicious user accounts, delete those immediately.

Check your Latest Security Patch status at: http://magento.com/security-patch

SUPEE 5994

Magento released this patch on 14th May, 2015. This Patch stuffs several vulnerabilities, one of which is the possibility the download the customer data allow.

Here is the way to install the patches:

Method 1:

• • 1. Download the latest patch SUPEE 5944 from the Official Magento website: https://www.magentocommerce.com/products/downloads/magento/
    2. Upload the downloaded patch file in the root of your Magento, Make sure it has full permissions to execute.
    3. Make sure compiler has been disabled, (if enabled and patches installed then may show errors)
    4. Install the patches using SSH (if you have access, if you don’t have ask your hosting provider to give)
       Run the command: sh file_name.sh
       Example: sh PATCH_SUPEE-1868_CE_1.7.0.2_v1.sh
    5. Clear the Cache
       Refresh your cache from the Magento admin, Don’t forget to refresh your OPcode or APC cache as well! (If not done this can create issue for you)

Currently there isn’t any way to verify that SUPEE 5994 installed or not but we are working on our Magento Applied Patches extension so that you can check.

Method 2:

As per our promise, here are zip files for the SUPEE 5994 Patch. You can also download these Pre Patched files from GitHub.

You can also check yourself which patches have been installed in your Magento Store with this extension(only if you have installed using SSH or using Patch.php file upload method): https://www.magecomp.com/magento-applied-security-patches.html

SUPEE 6285

Magento Security Patch SUPEE 6285 addresses the following security issues:

• • • It prevents attackers from posing as an administrator to gain access to the last orders feed, which contains personally identifiable information that can then be used to obtain more sensitive information in follow-on attacks. Check to see if you have been compromised by reviewing your server logs for someone trying to reach the /rss/NEW location.
    • It closes a number of security gaps including cross-site scripting (XSS), cross-site request forgery (CSRF), and error path disclosure vulnerabilities.

Method 1

You can follow the same process as stated above for SUPEE 1533, 5344 nad 5994

Method 2

You can follow the same process as stated above for SUPEE 1533 and 5344

Method 3

Download the zip file for the patch installation. You can also download these Pre Patched files from GitHub.

SUPEE 6482

This patch addresses two issues related to APIs and two cross-site scripting risks. Packages of this patch are available now to download.

Method 1

You can follow the same process as stated above for SUPEE 1533, 5344 and 5994

Method 2

You can follow the same process as stated above for SUPEE 1533 and 5344

Method 3

Download the zip file for the patch installation. You can also download these Pre Patched files from GitHub.

As per Magento 1.9.2.1

SUPEE 6788

We have moved SUPEE 6788 section to: How to install SUPEE 6788 with or without SSH

SUPEE 7405 & SUPEE 7405 v1.1

We have moved SUPEE 7405 section to: How to install SUPEE 7405 with or without SSH

SUPEE 7616

We have moved SUPEE 7616 section to: How to install SUPEE 7616 with or without SSH

SUPEE 8788

We have moved SUPEE 8788 section to: How to install SUPEE 8788 with or without SSH

SUPEE 9652

We have moved SUPEE 9652 section to: How to install SUPEE 9652 with or without SSH

SUPEE 9767

We have moved SUPEE 9767 section to: How to install SUPEE 9767 with or without SSH

FAQs:

[expand title=”1) I’ve installed the patches as instructed, but the warning still keeps showing when I log into Magento admin panel.“]
Warning is just the notification, you can “mark as read” all those messages if you have successfully installed the patches. If you haven’t either follow the blog post, or do contact us, we will help you with the patch installation for FREE [/expand]

[expand title=”2) I’m on a shared server and my hosting provider does not allow access via SSH or telnet. Is there another way to install security patches?“]
We have displayed 2 more methods for the security patch installation, try any one of them. If you know about the FTP, then the File upload method is the best. Make sure you take backup of the files you are overwriting. [/expand]

[expand title=”3) Fatal error: Class ‘Mage_Install_Controller_Router_Install’ not found
Warning: include(Mage/Install/Controller/Router/Install.php) function.include:failed to open stream: No such file or directory“]

• • • Have you switched off and cleared compilation?
      via the console/ssh you can use
      $ php -f shell/compiler.php — disable
      $ php -f shell/compiler.php — clear
      $ php -f shell/compiler.php — compile
      $ php -f shell/compiler.php — enable
    • Check to see if the file app/code/core/Mage/Install/Controller/Router/Install.php exists.When you ran the patch, the directory Router didn’t exist in app/code/core/Mage/Install/Controller and so the Install.php file did not get created despite being told otherwise in the applied.patches.list file. This means you’re missing a class and you get the message:

[/expand]

[expand title=”4) blank page after installling security patch PATCH_SUPEE-5994“]
a. Make sure there is a install.php file at this path app/code/core/Mage/Install/Controller/Router/Install.php
with a capital “I”? If not, rename it, so it will start with a capital “I”.
b. Follow the steps shown in question 3
c. Disable the compiler, here is a way to disable without accessing backend.
Find the file config.php in the directory includes. It will look like this:

<?php ...
define('COMPILER_INCLUDE_PATH', dirname(__FILE__).DIRECTORY_SEPARATOR.'src');
define('COMPILER_COLLECT_PATH', dirname(__FILE__).DIRECTORY_SEPARATOR.'stat');
..

comment out both lines like this:

# define('COMPILER_INCLUDE_PATH', dirname(__FILE__).DIRECTORY_SEPARATOR.'src');
# define('COMPILER_COLLECT_PATH', dirname(__FILE__).DIRECTORY_SEPARATOR.'stat');

try again. You will probably be able to login now. Go to your tools, rerun compilation process and when you get a success, go back to your includes/config.php file and uncomment the lines again.
[/expand]

[expand title=”5) Getting: Error! Some required system tools, that are utilized in this sh script, are not installed: Tool(s) patch is(are) missed, please install it(them).“]

• • • For windows server: If you can’t run .sh files (in Windows), then you could extract the second section of the patch (the unified patch) and apply it manually with a patching tool (or for example through PHPStorm).
    • For linux server:
      The solution is to install the patch package:
      yum install patch
      Then run sh the patch file:
      sh PATCH_SUPEE-1533_EE_1.13.x_v1-2015-02-10-08-18-32.sh

[/expand]

[expand title=”6) How can I make sure that SUPEE 1533 and SUPEE 5344 have been installed perfectly?“]
You can check your website for vulnerability here,
https://magento.com/security-patch

You can use our Free Magento Applied Patches extension for the verification.
This extension will only show the result if you have installed the patches using SSH or php file method.
[/expand]

[expand title=”7) How can I make sure that SUPEE 5994 has been installed perfectly?“]

There is no perfect tool to analyze for SUPEE 5994 verification but you can check the files which patch have modified,

• • • app/code/core/Mage/Authorizenet/controllers/Directpost/PaymentController.php
    • app/code/core/Mage/Core/Controller/Varien/Router/Admin.php
    • app/code/core/Mage/Core/Controller/Varien/Router/Standard.php
    • app/code/core/Mage/Customer/Model/Customer.php
    • app/code/core/Mage/Dataflow/Model/Convert/Parser/Csv.php
    • app/code/core/Mage/ImportExport/Model/Export/Adapter/Csv.php
    • app/code/core/Mage/Install/Controller/Router/Install.php
    • app/code/core/Mage/Install/etc/config.xml
    • app/code/core/Mage/Sales/controllers/Recurring/ProfileController.php
    • downloader/Maged/Model/Connect.php
    • downloader/Maged/View.php
    • downloader/template/connect/packages_prepare.phtml
    • downloader/template/messages.phtml
    • get.php
    • lib/PEAR/PEAR/PEAR.php
    • lib/PEAR/PEAR/PEAR5.php
    • lib/Varien/Io/File.php

[/expand]

[expand title=”8. I am getting this error while applying patch? What could be the issue?
Hunk #1 FAILED at …1 out of 1 hunks FAILED — saving rejects to file.“]

The error you are facing is due to the spacing issue in code, we have mentioned this before as well, in patch files, it has been set that at this line, particular code needs to be changed, if patch doesn’t find the code at specified line it throws this error.

Every code line had a CRLF line (empty line) under it. This could be the reason for this error. You will need to find the file and remove this lines between code from files. In short file needs to match exactly what Magento has in its repository for the patch to apply.

Solution: Download the same exact core files for that particular Magento version fresh from the Magento site and replace them with the old core files, the patch will work perfectly.

Or try this one

Run dos2unix command to convert all line endings to UNIX from DOS
Command
~/bash$ dos2unix

For Example : ~/bash$ dos2unix app/code/community/OnTap/Merchandiser/controllers/AdminhtmlController.php

[/expand]

If you have any difficulties with applying the patches please let us know in comments.