Magento just released SUPEE 6788 to address 10 vulnerabilities for Remote Code Execution and Personal information leak issues. Please note this patch is not related to Guruincsite malware (neutrino exploit) issue. It is advisable to install and try patch in development server first before installing It in live website as SUPEE 6788 may affect to 3rd party extensions and custom development you have done in Magento.
You can install the latest patch by upgrading your Magento version to the latest 1.9.2.2.
SUPEE 6788 with SSH
Please note before Proceeding,
- Check if your theme has a custom customer/form/register.phtml or custom persistent/customer/form/register.phtml. If this is the case, make sure that it includes a form_key.
- Do you use non-standard variables in CMS pages, static blocks or email templates? They need to be whitelisted. See FAQ Section of this blog for how to.
- Do you run the Magento cron through HTTP? Are you using Apache? There is a new access control on cron.php, so you should change the .htaccess to include your local IP. You can use cron.sh and If this is not possible, at least make sure that you call cron.php via CLI PHP.
- Make sure that all your extensions use the “new” admin routing. You can use this n98-magerun plugin to check. You can also use this CLI script. You can also have a look at SUPEE 6788 Resources Section of this blog.
Steps
1. You should have SSH access of your server to install the patch on your Magento website.
2. If you are ready with SSH access, then follow these steps to prepare your Magento for the Patch installation
- Make sure Complier has been disabled on your Magento store by going SYSTEM > CONFIGURATION > TOOLS > COMPILATION
- Verify your Magento version either from backend footer in admin.
3. Download the security patch from official website of Magento for the version of Magento you are using.
https://www.magentocommerce.com/products/downloads/magento/
4. Upload the patch in the root directory of Magento using Cpanel or FTP.
5. Connect your server using SSH and go to the root where Magento is installed. Run the patch command as following.
Change the Magento version in the command as per your Magento version. If you are using Magento 1.9 then you might face hunk failed issue, so you can use 1.8 in command.
mv .htaccess .htaccess_original wget -qO .htaccess http://svn.magentocommerce.com/source/branches/1.8/.htaccess wget -qO .htaccess.sample http://svn.magentocommerce.com/source/branches/1.8/.htaccess.sample sh PATCH_SUPEE-6788_CE_1.8.1.0_v1-2015-10-26-11-59-27.sh mv .htaccess .htaccess_patched mv .htaccess_original .htaccess
For patch files with the file extension .patch:
patch –p0 < patch_file_name.patch
Please clear the cache manually or using this command, sometimes installed patch doesn’t show up. Go to var folder in SSH and run
rm -rf cache/
6. If you have followed above commands then make sure to add following code at the bottom in your .htaccess file manually.
########################################### ## Deny access to cron.php <Files cron.php> ############################################ ## uncomment next lines to enable cron access with base HTTP authorization ## http://httpd.apache.org/docs/2.2/howto/auth.html ## ## Warning: .htpasswd file should be placed somewhere not accessible from the web. ## This is so that folks cannot download the password file. ## For example, if your documents are served out of /usr/local/apache/htdocs ## you might want to put the password file(s) in /usr/local/apache/. #AuthName "Cron auth" #AuthUserFile ../.htpasswd #AuthType basic #Require valid-user ############################################ Order allow,deny Deny from all </Files>
7. Secured Admin routing for extensions must be disabled by default, Make you have made all the related changes for the 3rd party extension and custom development in Magento.
- You can uninstall unusual 3rd party extensions.
- You can ask to the extension developer to provide support or for upgraded package of the extension.
- You can follow Magento guide to make the necessary changes in 3rd party extensions and custom development or even Ask Us to make any extensions compatible with SUPEE 6788.
8. If you are sure, and verified those, you are free to enable the Secured Admin routing by going System > Configuration > Admin > Security > Admin routing compatibility mode for extensions.
9. You can then test the patch installation by going https://www.magereport.com/
SUPEE 6788 without SSH
As a part to help Magento community for the easiest way to apply patches, we were releasing pre patched files for all the patches till now. We have also released pre patched files for SUPEE 6788 to install it using FTP.
1. Please take backup of all the original files before replacing pre patched files in Magento installation.
2. Make sure Compilation is disabled on your Magento store.
Here are the Pre Patched files
Download the zip file for the patch installation. You can also download these Pre Patched files from GitHub.
| Magento version | SUPEE-6788 |
| Magento 1.9.2.1 | SUPEE_6788_Magento_1.9.2.1 |
| Magento 1.9.2.0 | SUPEE_6788_Magento_1.9.2.0 |
| Magento 1.9.1.1 | SUPEE_6788_Magento_1.9.1.1 |
| Magento 1.9.1.0 | SUPEE_6788_Magento_1.9.1.0 – Updated! |
| Magento 1.9.0.1 | SUPEE_6788_Magento_1.9.0.1 |
| Magento 1.9.0.0 | SUPEE_6788_Magento_1.9.0.0 |
| Magento 1.8.0.0 | SUPEE_6788_Magento_1.8.0.0 |
| Magento 1.8.1.0 | SUPEE_6788_Magento_1.8.1.0 |
| Magento 1.7.0.0-1.7.0.1 | SUPEE_6788_Magento_1.7.0.0-1.7.0.1 |
| Magento 1.7.0.2 | SUPEE_6788_Magento_1.7.0.2 |
| Magento 1.6.2.0 | SUPEE_6788_Magento_1.6.2.0 |
| Magento 1.6.1.0 | SUPEE_6788_Magento_1.6.1.0 |
| Magento 1.5.1.0 | SUPEE_6788_Magento_1.5.1.0 |
Don’t forget to follow 6,7,8 steps from the above method.
Note: SUPEE 6788 for Magento CE 1.6.x and earlier(CE 1.5.x, 1.4.x and may be 1.3.x) versions is likely to be launched a week after this release.
[bctt tweet=”Install SUPEE 6788 with or without SSH”]
FAQs:
[expand title=”1) Patch 6788 is installed but MageReport disagrees?“]
[/expand]
[expand title=”2) Have simple blocks of content disappeared after installing SUPEE-6788?“]
If you have simple grid of products that are pulled in via their category ID like
{{block type=”catalog/product_list” column_count=”4″ category_id=”23″ template=”catalog/product/list.phtml”}}
You might be noticed that each site was totally blank in the area where a block like the above was referenced.
What you will need to do is, you will now need to specifically give permission to that block in order for it to appear. You can do this by going System -> Permissions -> Blocks and putting in the name of the block like so “catalog/product_list”
Then they all started appearing just fine.
[/expand]
[expand title=”3)No changes to source files after applying SUPEE 6788? If I do a git status after applying the patch none of the files appear to have changed?”]
If .htaccess fails to be patched than the entire patch is not installed. Hence why git was seeing no changes. Try overwriting the .htaccess with the original and then apply the patch.
[/expand]
[expand title=”4) Getting this error while applying SUPEE 6788 1 out of 1 hunk FAILED — saving rejects to file app/code/core/Mage/Core/Controller/Varien/Router/Admin.php.rej”]
Possible reason of this error, is not installation of previous patches. Make sure you have installed all the previous patches before installing SUPEE 6788.
[/expand]
Leave a comment if you are facing any issue.
I am using Magento 1.4.1.1. version , how could I install 6788 PATCH?
Hello @Hristina
Magento hasn’t released patch yet for prior version then Magento 1.7. We will have to wait for it to release pre patched files.
However I would suggest to upgrade your Magento store to latest for all the security patches installed till now.
I intalled the 6788 patch files in 1.9.2.1 magento version and my website got this error.
Fatal error: Class ‘Zend_Xml_Security’ not found in /opt/lampp/htdocs/terrnew/lib/Zend/Locale/Data.php on line 160
PLease help me out.
Hello @Pradeep
Do you have Security.php file at this path?
app/code/core/Zend/Xml/Security.php
Yes I have this file. And also Issue is fixed and alos I installed the files successfully. There is compliation problem, I remain enable. Thanks for helping me with these patch files. 🙂
Glad to hear that 🙂
My installation is 1.9.1.0 – however I have applied all previous patches. Do I still carry on with the 6788 patch for 1.9.1.0, or has applying the previous patches upgraded my version?
Hello James,
You have 2 options,
1. Install the SUPEE 6788 for your Magento version
2. Upgrade your Magento version to latest 1.9.2.2 which includes all previous patches and latest SUPEE 6788.
Thanks for the response – what are the best steps to upgrade to the current version?
Hello James,
I would suggest to contact any Professional Magento Developer or even Contact Us for the Magento upgrade as Magento 1.9.2.2 can affect on your 3rd party extensions and custom developments so you may face lot of issues.
I installed the 6788 patch files in 1.8.1.0 magento version and my website got this error.
home page disappear…
There has been an error processing your request
Exception printing is disabled by default for security reasons.
AND
a:5:{i:0;s:248:”SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘.`value)` = ‘0’) AND (`start_time` = ‘2015-10-‘ at line 2″;i:1;s:5469:”#0 /home/…/lib/Varien/Db/Statement/Pdo/Mysql.php(110): Zend_Db_Statement_Pdo->_execute(Array)
How can I do?
Thanks
Hello Eavan
IF you are facing issue, please do contact us.
Hi ,
I have installed SUPEE 6788 without SSH.But not reflect to http://www.magereport.com also critical message showing in admin.Please advice
Thanks ,
Arun
Hello Arun,
Please check FAQ section of the blog.
I have installed SUPEE 6788 without SSH.But not reflect to http://www.magereport.com also critical message showing in admin.Please advice
Hello Sujeet,
You will need to add form key
Hello Sujeet,
Make sure you have added form key.
When I have install this patch then this code in CMS page “{{block type=”catalog/navigation” name=”catalog.category” template=”catalog/category/list.phtml” }}” is not working but if I change type to “Core/template” then working can you help me regarding this issue.
Hello Parshant,
I don’t find anything related to catalog/navigation in SUPEE 6788 patch. Still we will look for such issue if anyone face after patch installation.
Meanwhile you can contact us for help.
Hello Prashant, Please check the FAQ, might help with your issue. 🙂
I am having the same problem .. after performing the update regarding the message received in magento on SUPEE-6788 I realized the update however my homepage no longer appears Products!
What should I do to solve this problem?
Hello Lstm, Please check the FAQ, might help with your issue. 🙂
First, thank you for the article, but, I am running the SUPEE 6788 Check file on my Magento installation locally and it founds SQL injections within the call of addFieldToFilter() method, even though my calls are same as per this http://magento.com/security/patches/supee-6788-technical-details
The following code: $collection->addFieldToFilter(‘`field`’, array(‘eq’=>3)); I don’t have calls like this one.
Should be changed with: $collection->addFieldToFilter(‘field’, array(‘eq’=>3)); which I already have on all of my calls. Is it that the check file could be wrong in the search?
Hello Zoran,
You will need to change the collection $collection->addFieldToFilter(‘`field`’, array(‘eq’=>3)); to $collection->addFieldToFilter(‘field’, array(‘eq’=>3));
Thanks, but I don’t see the difference between the two examples you have added. Maybe it’s the formatting of the comments? All of my addFieldToFilter calls are using only single quotes (‘)
Please don’t make users download patches directly from your site. You are not e reliable source of information or patches. Patches and releases MUST be only downloaded from official sites and not from sites claiming help. You are one small hack away from infecting all the users downloading info from here and blindly inserting it into their stores
Hi, We understand your concern and that’s why we have moved the Pre Patched files to Github. So users can download the patches from there. Thank you for your precious suggestion.
When I have install this patch then this code in CMS page “{{block type=’core/template’ name=’tools’ template=’tools/donorform.phtml’}}” it is not working it is showing empty page.Before it has worked fine and showed the form which I had created in donorform.phtml file.
After Installing this patch the content in the CMS page {{block type=’core/template’ name=’tools’ template=’tools/donorform.phtml’}} is not working before installing this patch it has worked fine.Please solve my problem.
Please see the FAQ section, you will need to give permission to the block to display.
But core/template blocks are supported by default, why would something like {{block type=’core/template’ name=’tools’ template=’tools/donorform.phtml’}} not work?
Hi
“system->permissions->block” page showing me as a blank page.
Could you please help me to fix this issue?
Try clearing cache and make sure you have compilation disabled.
I am very concerned about this security patch. Correct me if I’m wrong, but won’t the suggested route substitution method cause a lot of modules controllers to conflict? I mean, currently all modules use their own frontname, and now we are supposed to put everything under the admin frontname. Wouldn’t it be easier/better/safer to change Magento to treat routes declared with admin differently?
As i have seen your query, this patch doesn’t reflect on front side, it affects only in backend urls. Suppose your third party extension has configuration and save update delete your data in admin panel, you will just need to redirect like admin url. Nothing to change in frontend.
Hi!
Will you be releasing a non-SSH version of this patch for 1.5.1.0?
Thanks!
please don’t use zip for magento 1.8.0.0 because this zip have magento 1.9 xml file .
In my case it turned out to be a problem related to the fpc extension I use…
I run the patch file using putty and have the following messages listed below. My question then is it the patch applied or not yet? since when i go to admin still have no effect. CE version 1.9.2.1
Checking if patch can be applied/reverted successfully…
ERROR: Patch can’t be applied/reverted successfully.
patching file .htaccess
Hunk #1 FAILED at 207.
1 out of 1 hunk FAILED — saving rejects to file .htaccess.rej
can’t find file to patch at input line 38
Perhaps you used the wrong -p or –strip option?
The text leading up to this was:
————————–
|diff –git .htaccess.sample .htaccess.sample
|index b8821af..383313a 100644
|— .htaccess.sample
|+++ .htaccess.sample
————————–
File to patch:
Skip this patch? [y]
Skipping patch.
1 out of 1 hunk ignored
patching file app/code/core/Mage/Admin/Model/Block.php
patching file app/code/core/Mage/Admin/Model/Resource/Block.php
patching file app/code/core/Mage/Admin/Model/Resource/Block/Collection.php
patching file app/code/core/Mage/Admin/Model/Resource/Variable.php
patching file app/code/core/Mage/Admin/Model/Resource/Variable/Collection.php
patching file app/code/core/Mage/Admin/Model/Variable.php
patching file app/code/core/Mage/Admin/etc/config.xml
patching file app/code/core/Mage/Admin/sql/admin_setup/upgrade-1.6.1.1-1.6.1.2.p hp
patching file app/code/core/Mage/Adminhtml/Block/Permissions/Block.php
patching file app/code/core/Mage/Adminhtml/Block/Permissions/Block/Edit.php
patching file app/code/core/Mage/Adminhtml/Block/Permissions/Block/Edit/Form.php
patching file app/code/core/Mage/Adminhtml/Block/Permissions/Block/Grid.php
patching file app/code/core/Mage/Adminhtml/Block/Permissions/Variable.php
patching file app/code/core/Mage/Adminhtml/Block/Permissions/Variable/Edit.php
patching file app/code/core/Mage/Adminhtml/Block/Permissions/Variable/Edit/Form. php
patching file app/code/core/Mage/Adminhtml/Block/Permissions/Variable/Grid.php
patching file app/code/core/Mage/Adminhtml/controllers/Permissions/BlockControll er.php
patching file app/code/core/Mage/Adminhtml/controllers/Permissions/VariableContr oller.php
patching file app/code/core/Mage/Adminhtml/etc/adminhtml.xml
patching file app/code/core/Mage/Catalog/Model/Product/Option/Type/File.php
patching file app/code/core/Mage/Core/Controller/Front/Action.php
patching file app/code/core/Mage/Core/Controller/Varien/Router/Admin.php
patching file app/code/core/Mage/Core/Helper/UnserializeArray.php
patching file app/code/core/Mage/Core/Model/Email/Template/Filter.php
patching file app/code/core/Mage/Core/Model/Resource/Setup.php
patching file app/code/core/Mage/Core/etc/config.xml
patching file app/code/core/Mage/Core/etc/system.xml
patching file app/code/core/Mage/Customer/Block/Account/Changeforgotten.php
patching file app/code/core/Mage/Customer/Block/Account/Resetpassword.php
patching file app/code/core/Mage/Customer/controllers/AccountController.php
patching file app/code/core/Mage/Downloadable/Model/Product/Type.php
patching file app/code/core/Mage/Eav/Model/Resource/Attribute/Collection.php
patching file app/code/core/Mage/Sales/Model/Resource/Order/Item/Collection.php
patching file app/code/core/Mage/Sales/controllers/DownloadController.php
patching file app/code/core/Mage/SalesRule/Model/Resource/Coupon/Collection.php
patching file app/design/adminhtml/default/default/layout/admin.xml
patching file app/design/frontend/base/default/layout/customer.xml
patching file app/design/frontend/base/default/template/customer/form/register.p html
patching file app/design/frontend/base/default/template/customer/form/resetforgo ttenpassword.phtml
patching file app/design/frontend/base/default/template/persistent/customer/form /register.phtml
patching file app/design/frontend/default/iphone/layout/customer.xml
patching file app/design/frontend/default/modern/layout/customer.xml
patching file app/design/frontend/rwd/default/layout/customer.xml
patching file app/design/frontend/rwd/default/template/customer/form/resetforgot tenpassword.phtml
patching file app/design/frontend/rwd/default/template/persistent/customer/form/ register.phtml
patching file cron.php
patching file dev/tests/functional/.htaccess
patching file errors/processor.php
patching file lib/Unserialize/Parser.php
patching file lib/Unserialize/Reader/Arr.php
patching file lib/Unserialize/Reader/ArrKey.php
patching file lib/Unserialize/Reader/ArrValue.php
patching file lib/Unserialize/Reader/Bool.php
patching file lib/Unserialize/Reader/Dbl.php
patching file lib/Unserialize/Reader/Int.php
patching file lib/Unserialize/Reader/Str.php
patching file lib/Varien/Data/Collection/Db.php
patching file lib/Zend/Xml/Security.php
please help and info what has been causing the patch seem have no effect.
We have updated the blog with few more commands to make your SUPEE 6788 installation easy.
If you still face trouble, contact us anytime.
Hi,
thanks for the great post. After installing version for 1.9.0.1 customer reset form and cron don’t work.
It seems to me that your update package for this vesion is not fully correct. For example there is a method ‘$customer->cleanPasswordsValidationData();’ in app/code/core/Mage/Customer/controllers/AccountController.php that is not added through the original SSH file for the same version. Also, this method doesn’t exist on Customer model in this version of Magento.
Do you have added form key? SUPEE 6788 requires form key to be added if you are using custom theme,
After Installing this patch file store locator plugin is not working.that page contain database connection error
please solve my problem
You will need to make the extension compatible with SUPEE 6788, you can ask extension vendor or ask us to help you with.
After install SUPEE-6788 patch, I am getting blank page on System > Permissions > Blocks
also, in home page, featured products, new products bloc are not working. {{block type=”catalog/product_list”
category_id=”46″ template=”catalog/product/list.phtml”}} any help me?? catalog product is blank page.. not see any product… nay .. help me..? please? my magento is 1.9.0.1
You will need to check the blocks you have used, and give permissions to them. If you are a developer, you can find those from CMS > Pages and phtml files.
You will need to find the perfect block you are using display products and allow them permission,
Here are some common we get,
bannerslider/bannerslider
catalog/product_list
newsletter/subscribe
customer/newsletter
ultimo/product_list_featured
catalog/product_new
cms/block
ultimo/navigation
Hello,
I am using Magento 1.8.1.0. I patched but on https://magento.com/security-patch is displaying warning message “WARNING: This site appears to be vulnerable. Please patch it immediately!”.
Please give me suggestion.
Thanks
Hello Bhushan,
Please checkout your website here,
https://www.magereport.com/
You will get detailed information about the installed patches and vulnerabilities. You can work on it or contact us for help.
Thanks
Are you going to release the zip file for supee 6788 for magento 1.6.0.2 ?
Blog Updated. 🙂
Hello Magecomp,
we installed this patch carefully without SSH and tested it on: https://www.magereport.com/scan/?s=http://magento.robbeberking.info/ which tells me that we patched it correctly. But when I test it with the patch tester from magentary: https://magentary.com/magento-security-patch-tester/ it says that it is still vulnerable to SUPEE-6788 could you please advice me in which criterea the test is failing right now for the domain magento.robbeberking.info ? Thanks for your time.
The magento version that we are using is: 1.7.0.2
You may ask magentary guys about the issue to get clear idea about the issue you are facing.
Done that two times already. They dind’t respond that is why I tried to post the issue here.
I thought that it is maybe common. Anyways thanks for your reply and your time.
I see 🙂 Don’t worry. We and Magento generally recommends to check at magereport. If it showing ok then no need to worry.
Have a nice day.!
transactional emails are not working. what should i do now?
Hello Darshana,
Did it happen after SUPEE 6788 installation?
Hi,
After run 6788 patch, if i go to Admin -> System -> Permission -> Blocks
below error came
a:5:{i:0;s:51:”Controller file was loaded but class does not exist”;i:1;s:941:”#0 app/code/core/Mage/Core/Controller/Varien/Router/Standard.php(340): Mage::exception(‘Mage_Core’, ‘Controller file…’)
Please help me
Make sure you have installed all the older patches.
Hello I try to install the PATCH_SUPEE-6788 via SSH on magento version 1.9.2.1, but on step 5 I can’t understand what actually I have to do. I try to change the version of magento 1.9.2.1 to 1.8.2.1 and the command was as -> sh PATCH_SUPEE-6788_CE_1.8.2.1_v1-2015-10-26-11-59-27.sh, but it tells me that this is unknown file or something like this, where I got wrong?
You need to to add 1.8 for this command only, patch (.sh) file, you need to download and run as per your Magento version.
sh PATCH_SUPEE-6788_CE_1.8.1.0_v1-2015-10-26-11-59-27.sh
Moreover I try the without SSH method, but after I upload the prepatched files, this problem appeared:
Forbidden
You don’t have permission to access / on this server.
Server unable to read htaccess file, denying access to be safe
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
Hello MageComp,
I have a problem during installation of the SUPEE 6788. First I try install it with SSH connection, but on step 5, I couldn’t understand, what I have to do actually just change the name of the version. I do this as write instead of 1.9.2.1, 1.8.2.1, that what I understand from the instructions. But it tells me unknown file or something like that. After that I try without SSH but after I paste the prepatched files, some wrong appear as:
Forbidden
You don’t have permission to access / on this server.
Server unable to read htaccess file, denying access to be safe
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
What I have to do and where I made the mistake?
Hi, when I write a comment here, after that it disappear, so I can’t read your answer, I refresh the page multiple times and the last commend that I see is from 28th of January this year. Why is that?
Only when I post a comment I see what you answer to me.
What did you mean I have to add 1.8 for the command, where to add to change the version of magento or what?
I try to install the patch multiple times but nothing happens, I try with.
Can you please explain to me in details? My version of magento is 1.9.2.1 and I download the patch for this version, after that when I make the SSH I find the directory in the server where the file is, and than type
sh PATCH_SUPEE-6788_CE_1.9.2.1_v1-2015-10-26-11-38-41 and the problem appear -> a lot of lines of code and last line -> 4 out of 4 hunks ignored
rename the file as 1.9.2.1-> 1.8.2.1 and the command looks like this sh PATCH_SUPEE-6788_CE_1.8.2.1_v1-2015-10-26-11-38-41, and again the same problem ->
4 out of 4 hunks ignored
So where to add 1.8 maybe I can’t understand please help…
1. Make sure you have installed all the previous patches.
2. Follow this
mv .htaccess .htaccess_originalwget -qO .htaccess http://svn.magentocommerce.com/source/branches/1.8/.htaccess
wget -qO .htaccess.sample http://svn.magentocommerce.com/source/branches/1.8/.htaccess.sample
sh PATCH_SUPEE-6788_CE_1.9.2.1_v1-2015-10-26-11-59-27.sh
mv .htaccess .htaccess_patched
mv .htaccess_original .htaccess
3. If you are getting hunks ignored error, that means patch files are unable to find the correct line and code in your Magento. You need to note those files and replace those files with the default Magento 1.9.2.1, then again install the patches.
This will work 🙂
I had created plugin for Magento 1.8 but in Magento 1.9.0.0 it is not working.Please help me.
Please contact us with the error you are facing…..
Hi Guys,
I’ve installed the security patches 6788 in magento 1.7.0.2 but getting unknown in magereport.
Please help me how can resolve this issues.
http://awesomescreenshot.com/04f5wl5u96
If you see there about page FAQ, you will find, they say if it is showing grey, in that case the patch might be installed but the magereport is unable to check.
But How can Magereport check? Please suggest me?
Hey Magecomp Team,
Thanks for updation!!!
Please suggest me.
What is the reason MageReport unable check??
any chance for magento 1.9.2.2 ?
If you are talking about SUPEE 6788, then you don’t need to install it on Magento 1.9.2.2 as Magento 1.9.2.2 was released for SUPEE 6788 inclusive.