How to install SUPEE 6788 with or without SSH

Magento has just released SUPEE 6788 to address 10 vulnerabilities related to Remote Code Execution and personal information leaks. Please note that this patch is not related to the Guruincsite malware (neutrino exploit) issue. It is advisable to install and test the patch on a development server before installing it on the live website, as SUPEE 6788 may affect 3rd party extensions and any custom development you have done in Magento.

You can install the latest patch by upgrading your Magento version to the latest 1.9.2.2.

SUPEE 6788 with SSH

Please note before proceeding:

  • Check if your theme has a custom customer/form/register.phtml or custom persistent/customer/form/register.phtml. If this is the case, make sure that it includes a form_key.
  • Do you use non-standard variables in CMS pages, static blocks or email templates? They need to be whitelisted. See FAQ Section of this blog for how to.
  • Do you run the Magento cron through HTTP? Are you using Apache? There is a new access control on cron.php, so you should change the .htaccess to include your local IP. You can use cron.sh instead; if this is not possible, at least make sure that you call cron.php via CLI PHP.
  • Make sure that all your extensions use the “new” admin routing. You can use this n98-magerun plugin to check. You can also use this CLI script. You can also have a look at SUPEE 6788 Resources Section of this blog.
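
The form_key and admin routing checks from this list can be scripted. The following shell script is an added example, not part of the original post or of any Magento tooling: it lists custom register templates that never reference a form key, and extension config.xml files that still declare their own admin router with <use>admin</use>. The "acme" theme, the Acme_Old and Acme_New modules and the fixture tree are constructed; the checks are grep heuristics over the standard Magento 1 directory layout.

```shell
#!/bin/sh
# Added example: pre-flight checks before applying SUPEE-6788 (heuristics only).

# Print custom theme register templates that never reference a form key.
missing_form_key() {
    find "$1/app/design/frontend" -type f \
        \( -path '*/template/customer/form/register.phtml' \
           -o -path '*/template/persistent/customer/form/register.phtml' \) \
        ! -path '*/frontend/base/default/*' 2>/dev/null | sort |
    while IFS= read -r f; do
        # matches form_key, getFormKey() and getBlockHtml('formkey')
        if ! grep -qiE 'form_?key' "$f"; then printf '%s\n' "$f"; fi
    done
}

# Print extension config.xml files that still declare their own admin router
# (<use>admin</use>) instead of registering under the adminhtml router.
old_admin_routes() {
    for pool in community local; do
        if [ -d "$1/app/code/$pool" ]; then
            find "$1/app/code/$pool" -type f -path '*/etc/config.xml'
        fi
    done | sort |
    while IFS= read -r f; do
        if grep -qE '<use>[[:space:]]*admin[[:space:]]*</use>' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample tree (theme "acme", modules Acme_Old / Acme_New are made up).
make_fixture() {
    t="$1/app/design/frontend/acme/default/template"
    mkdir -p "$t/customer/form" "$t/persistent/customer/form" \
        "$1/app/code/local/Acme/Old/etc" "$1/app/code/community/Acme/New/etc"
    cat > "$t/customer/form/register.phtml" <<'EOF'
<form id="form-validate"><input name="email"/></form>
EOF
    cat > "$t/persistent/customer/form/register.phtml" <<'EOF'
<form><?php echo $this->getBlockHtml('formkey') ?><input name="email"/></form>
EOF
    cat > "$1/app/code/local/Acme/Old/etc/config.xml" <<'EOF'
<config><admin><routers><acme_old>
  <use>admin</use>
  <args><module>Acme_Old</module><frontName>acme_old</frontName></args>
</acme_old></routers></admin></config>
EOF
    cat > "$1/app/code/community/Acme/New/etc/config.xml" <<'EOF'
<config><admin><routers><adminhtml><args><modules>
  <acme_new after="Mage_Adminhtml">Acme_New_Adminhtml</acme_new>
</modules></args></adminhtml></routers></admin></config>
EOF
}

# Demonstration on the constructed fixture.
demo=$(mktemp -d)
make_fixture "$demo"
echo "Register templates without a form key:"; missing_form_key "$demo"
echo "Extensions with old-style admin routing:"; old_admin_routes "$demo"
rm -rf "$demo"
```

To scan a real installation, call the two functions with the Magento root directory instead of the fixture path.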

Steps

1. You need SSH access to your server to install the patch on your Magento website.
2. Once you have SSH access, follow these steps to prepare your Magento for the patch installation:

  • Make sure the Compiler has been disabled on your Magento store by going to SYSTEM > CONFIGURATION > TOOLS > COMPILATION.
  • Verify your Magento version from the backend footer in admin.

3. Download the security patch for the version of Magento you are using from the official Magento website.
https://www.magentocommerce.com/products/downloads/magento/
4. Upload the patch to the root directory of Magento using cPanel or FTP.
5. Connect to your server using SSH and go to the root directory where Magento is installed. Run the patch commands as follows.

Change the Magento version in the command to match your Magento version. If you are using Magento 1.9 you might face a hunk failed issue, so you can use 1.8 in the command.

mv .htaccess .htaccess_original
wget -qO .htaccess http://svn.magentocommerce.com/source/branches/1.8/.htaccess
wget -qO .htaccess.sample http://svn.magentocommerce.com/source/branches/1.8/.htaccess.sample
sh PATCH_SUPEE-6788_CE_1.8.1.0_v1-2015-10-26-11-59-27.sh
mv .htaccess .htaccess_patched
mv .htaccess_original .htaccess

For patch files with the file extension .patch:
patch -p0 < patch_file_name.patch

Sometimes the installed patch doesn’t show up, so please clear the cache manually or with the following command. Go to the var folder over SSH and run:

rm -rf cache/

6. If you have followed the above commands, make sure to add the following code manually at the bottom of your .htaccess file.

###########################################
## Deny access to cron.php
 <Files cron.php>

############################################
## uncomment next lines to enable cron access with base HTTP authorization
## http://httpd.apache.org/docs/2.2/howto/auth.html
##
## Warning: .htpasswd file should be placed somewhere not accessible from the web.
## This is so that folks cannot download the password file.
## For example, if your documents are served out of /usr/local/apache/htdocs
## you might want to put the password file(s) in /usr/local/apache/.

 #AuthName "Cron auth"
 #AuthUserFile ../.htpasswd
 #AuthType basic
 #Require valid-user

############################################

 Order allow,deny
 Deny from all

 </Files>

7. Secured Admin routing for extensions is disabled by default. Make sure you have made all the related changes for 3rd party extensions and custom development in Magento.

  • You can uninstall unusual 3rd party extensions.
  • You can ask the extension developer to provide support or an upgraded package of the extension.
  • You can follow the Magento guide to make the necessary changes in 3rd party extensions and custom development, or even ask us to make any extension compatible with SUPEE 6788.

8. Once you are sure and have verified those, you are free to enable the Secured Admin routing by going to System > Configuration > Admin > Security > Admin routing compatibility mode for extensions.
9. You can then test the patch installation by going to https://www.magereport.com/
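
The result of steps 5 and 6 can also be checked locally from the shell. This is an added example, not from the original post or from Magento: it checks that app/etc/applied.patches.list records SUPEE-6788 and not as reverted, that no .rej files are left over from failed hunks, and that .htaccess has an active deny rule inside the Files cron.php block. The list line layout and the REVERTED marker are assumptions about what Magento's patch scripts write; the fixture values are constructed placeholders.

```shell
#!/bin/sh
# Added example: post-apply checks for SUPEE-6788 on a Magento 1 root.

# Succeeds when the last applied.patches.list entry for patch $2 is not a revert.
# Assumed line layout: "<date> | SUPEE-6788 | CE_x.y.z | v1 | ... [| REVERTED]"
patch_recorded() {
    list="$1/app/etc/applied.patches.list"
    [ -f "$list" ] || return 1
    last=$(grep -F "| $2 |" "$list" | tail -n 1)
    [ -n "$last" ] || return 1
    case $last in *REVERTED*) return 1 ;; esac
}

# Print reject files left behind by failed hunks (for example .htaccess.rej).
leftover_rejects() { find "$1" -type f -name '*.rej' | sort; }

# Succeeds when .htaccess has an uncommented deny rule inside <Files cron.php>.
# Accepts the Apache 2.2 form used on this page and the 2.4 "Require all denied".
cron_denied() {
    [ -f "$1/.htaccess" ] || return 1
    sed -n '/<Files cron\.php>/,/<\/Files>/p' "$1/.htaccess" |
        grep -v '^[[:space:]]*#' |
        grep -qiE '^[[:space:]]*(Deny[[:space:]]+from[[:space:]]+all|Require[[:space:]]+all[[:space:]]+denied)'
}

# Run all three checks; the return value is the number of failed checks.
verify_patch() {
    fails=0
    if patch_recorded "$1" SUPEE-6788; then echo "ok   patch recorded"
    else echo "FAIL SUPEE-6788 not in applied.patches.list"; fails=$((fails + 1)); fi
    if [ -z "$(leftover_rejects "$1")" ]; then echo "ok   no .rej files"
    else echo "FAIL rejected hunks:"; leftover_rejects "$1"; fails=$((fails + 1)); fi
    if cron_denied "$1"; then echo "ok   cron.php denied over HTTP"
    else echo "FAIL no deny rule for cron.php in .htaccess"; fails=$((fails + 1)); fi
    return "$fails"
}

# Constructed fixture: $2=good builds a patched root, anything else a failed run.
make_root() {
    mkdir -p "$1/app/etc"
    if [ "$2" = good ]; then
        echo '2015-10-28 09:00:00 UTC | SUPEE-6788 | CE_1.9.2.1 | v1 | <commit> | <date> | <range>' \
            > "$1/app/etc/applied.patches.list"
        printf '%s\n' '<Files cron.php>' ' #Require valid-user' ' Order allow,deny' \
            ' Deny from all' '</Files>' > "$1/.htaccess"
    else
        echo 'Options +FollowSymLinks' > "$1/.htaccess"
        : > "$1/.htaccess.rej"
    fi
}

# Demonstration: a run where the .htaccess hunk failed, then a clean one.
demo=$(mktemp -d)
make_root "$demo/failed" bad
verify_patch "$demo/failed" || echo "=> $? check(s) failed"
make_root "$demo/patched" good
verify_patch "$demo/patched" && echo "=> all checks passed"
rm -rf "$demo"
```

On a real store, run verify_patch with the Magento root directory as its argument.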

SUPEE 6788 without SSH

To help the Magento community apply patches in the easiest way, we have been releasing pre-patched files for all the patches so far. We have also released pre-patched files for SUPEE 6788 so that it can be installed using FTP.
1. Please take a backup of all the original files before replacing them with the pre-patched files in your Magento installation.
2. Make sure Compilation is disabled on your Magento store.
Here are the Pre Patched files

Download the zip file for the patch installation. You can also download these Pre Patched files from GitHub.

Don’t forget to follow steps 6, 7 and 8 from the above method.

Note: SUPEE 6788 for Magento CE 1.6.x and earlier versions (CE 1.5.x, 1.4.x and maybe 1.3.x) is likely to be launched a week after this release.


FAQs:

1) Patch 6788 is installed but MageReport disagrees?

2) Have simple blocks of content disappeared after installing SUPEE-6788?

If you have a simple grid of products that is pulled in via its category ID, like
{{block type="catalog/product_list" column_count="4" category_id="23" template="catalog/product/list.phtml"}}
you might have noticed that the site is totally blank in the area where a block like the above is referenced.

You now need to specifically give permission to that block in order for it to appear. You can do this by going to System -> Permissions -> Blocks and putting in the name of the block, like so: "catalog/product_list".
After that, the blocks appear just fine.

3) No changes to source files after applying SUPEE 6788? If I do a git status after applying the patch none of the files appear to have changed?

If .htaccess fails to be patched, then the entire patch is not installed, which is why git sees no changes. Try overwriting the .htaccess with the original and then apply the patch.

4) Getting this error while applying SUPEE 6788: 1 out of 1 hunk FAILED -- saving rejects to file app/code/core/Mage/Core/Controller/Varien/Router/Admin.php.rej

A possible reason for this error is that the previous patches have not been installed. Make sure you have installed all the previous patches before installing SUPEE 6788.
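
To find out which block types and config variables need whitelisting (FAQ 2 above and the pre-install note on non-standard variables), you can extract the directives from your content. This is an added example, not from the original post: it assumes CMS page, static block and email template content has been exported to text files in one directory, and the sample content and the acme/custom/phone path are constructed.

```shell
#!/bin/sh
# Added example: list what has to be whitelisted after SUPEE-6788.

# Print the distinct values of attribute $3 in {{$2 ...}} directives below $1.
directive_values() {
    grep -rhoE "\{\{$2[[:space:]]+([^}]*[[:space:]])?$3=[\"'][A-Za-z0-9_/]+" "$1" 2>/dev/null |
        sed -E "s/.*$3=[\"']//" | sort -u
}

# {{block type="..."}} and {{config path="..."}} are the two directives affected.
used_block_types()  { directive_values "$1" block type; }
used_config_paths() { directive_values "$1" config path; }

# Block types that need an entry under System > Permissions > Blocks.
# core/template and catalog/product_new are whitelisted by the patch itself
# (background knowledge, not stated in the article), so they are filtered out.
blocks_to_whitelist() {
    used_block_types "$1" | grep -vxE 'core/template|catalog/product_new' || true
}

# Constructed sample content (not taken from a real store).
make_content() {
    cat > "$1/cms_home.txt" <<'EOF'
{{block type="catalog/product_list" column_count="4" category_id="23" template="catalog/product/list.phtml"}}
{{block type='core/template' name='tools' template='tools/donorform.phtml'}}
EOF
    cat > "$1/email_footer.txt" <<'EOF'
Contact {{config path="trans_email/ident_support/email"}} or call {{config path="acme/custom/phone"}}.
{{block type="newsletter/subscribe" template="newsletter/subscribe.phtml"}}
EOF
}

# Demonstration on the constructed content.
demo=$(mktemp -d)
make_content "$demo"
echo "Block types to add under System > Permissions > Blocks:"
blocks_to_whitelist "$demo"
echo "Config paths in use (compare with the variables you have whitelisted):"
used_config_paths "$demo"
rm -rf "$demo"
```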

Leave a comment if you are facing any issue.

View Comments (75)
    1. Hello @Hristina

      Magento hasn’t released a patch yet for versions prior to Magento 1.7. We will have to wait for it to release pre patched files.
      However I would suggest to upgrade your Magento store to latest for all the security patches installed till now.

  1. I installed the 6788 patch files in 1.9.2.1 magento version and my website got this error.

    Fatal error: Class ‘Zend_Xml_Security’ not found in /opt/lampp/htdocs/terrnew/lib/Zend/Locale/Data.php on line 160
    Please help me out.

      1. Yes I have this file. And also Issue is fixed and also I installed the files successfully. There is compilation problem, I remain enable. Thanks for helping me with these patch files. 🙂

  2. My installation is 1.9.1.0 – however I have applied all previous patches. Do I still carry on with the 6788 patch for 1.9.1.0, or has applying the previous patches upgraded my version?

    1. Hello James,

      You have 2 options,
      1. Install the SUPEE 6788 for your Magento version
      2. Upgrade your Magento version to latest 1.9.2.2 which includes all previous patches and latest SUPEE 6788.

        1. Hello James,
          I would suggest to contact any Professional Magento Developer or even Contact Us for the Magento upgrade as Magento 1.9.2.2 can affect on your 3rd party extensions and custom developments so you may face lot of issues.

  3. I installed the 6788 patch files in 1.8.1.0 magento version and my website got this error.

    home page disappear…
    There has been an error processing your request
    Exception printing is disabled by default for security reasons.

    AND
    a:5:{i:0;s:248:”SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘.`value)` = ‘0’) AND (`start_time` = ‘2015-10-‘ at line 2″;i:1;s:5469:”#0 /home/…/lib/Varien/Db/Statement/Pdo/Mysql.php(110): Zend_Db_Statement_Pdo->_execute(Array)

    How can I do?

    Thanks

  4. When I have install this patch then this code in CMS page “{{block type=”catalog/navigation” name=”catalog.category” template=”catalog/category/list.phtml” }}” is not working but if I change type to “Core/template” then working can you help me regarding this issue.

    1. Hello Parshant,
      I don’t find anything related to catalog/navigation in SUPEE 6788 patch. Still we will look for such issue if anyone face after patch installation.
      Meanwhile you can contact us for help.

  5. I am having the same problem .. after performing the update regarding the message received in magento on SUPEE-6788 I realized the update however my homepage no longer appears Products!
    What should I do to solve this problem?

  6. First, thank you for the article, but, I am running the SUPEE 6788 Check file on my Magento installation locally and it finds SQL injections within the call of addFieldToFilter() method, even though my calls are same as per this http://magento.com/security/patches/supee-6788-technical-details
    The following code: $collection->addFieldToFilter('`field`', array('eq'=>3)); I don’t have calls like this one.
    Should be changed with: $collection->addFieldToFilter('field', array('eq'=>3)); which I already have on all of my calls. Is it that the check file could be wrong in the search?

    1. Hello Zoran,
      You will need to change the collection $collection->addFieldToFilter('`field`', array('eq'=>3)); to $collection->addFieldToFilter('field', array('eq'=>3));

      1. Thanks, but I don’t see the difference between the two examples you have added. Maybe it’s the formatting of the comments? All of my addFieldToFilter calls are using only single quotes (‘)

  7. Please don’t make users download patches directly from your site. You are not a reliable source of information or patches. Patches and releases MUST be only downloaded from official sites and not from sites claiming help. You are one small hack away from infecting all the users downloading info from here and blindly inserting it into their stores

    1. Hi, We understand your concern and that’s why we have moved the Pre Patched files to Github. So users can download the patches from there. Thank you for your precious suggestion.

  8. When I have install this patch then this code in CMS page “{{block type=’core/template’ name=’tools’ template=’tools/donorform.phtml’}}” it is not working it is showing empty page.Before it has worked fine and showed the form which I had created in donorform.phtml file.

  9. After Installing this patch the content in the CMS page {{block type=’core/template’ name=’tools’ template=’tools/donorform.phtml’}} is not working before installing this patch it has worked fine.Please solve my problem.

  10. But core/template blocks are supported by default, why would something like {{block type=’core/template’ name=’tools’ template=’tools/donorform.phtml’}} not work?

  11. Hi

    “system->permissions->block” page showing me as a blank page.
    Could you please help me to fix this issue?

  12. I am very concerned about this security patch. Correct me if I’m wrong, but won’t the suggested route substitution method cause a lot of modules controllers to conflict? I mean, currently all modules use their own frontname, and now we are supposed to put everything under the admin frontname. Wouldn’t it be easier/better/safer to change Magento to treat routes declared with admin differently?

    1. As i have seen your query, this patch doesn’t reflect on front side, it affects only in backend urls. Suppose your third party extension has configuration and save update delete your data in admin panel, you will just need to redirect like admin url. Nothing to change in frontend.

  13. I run the patch file using putty and have the following messages listed below. My question then is it the patch applied or not yet? since when i go to admin still have no effect. CE version 1.9.2.1

    Checking if patch can be applied/reverted successfully…
    ERROR: Patch can’t be applied/reverted successfully.

    patching file .htaccess
    Hunk #1 FAILED at 207.
    1 out of 1 hunk FAILED -- saving rejects to file .htaccess.rej
    can’t find file to patch at input line 38
    Perhaps you used the wrong -p or --strip option?
    The text leading up to this was:
    --------------------------
    |diff --git .htaccess.sample .htaccess.sample
    |index b8821af..383313a 100644
    |--- .htaccess.sample
    |+++ .htaccess.sample
    --------------------------
    File to patch:
    Skip this patch? [y]
    Skipping patch.
    1 out of 1 hunk ignored
    patching file app/code/core/Mage/Admin/Model/Block.php
    patching file app/code/core/Mage/Admin/Model/Resource/Block.php
    patching file app/code/core/Mage/Admin/Model/Resource/Block/Collection.php
    patching file app/code/core/Mage/Admin/Model/Resource/Variable.php
    patching file app/code/core/Mage/Admin/Model/Resource/Variable/Collection.php
    patching file app/code/core/Mage/Admin/Model/Variable.php
    patching file app/code/core/Mage/Admin/etc/config.xml
    patching file app/code/core/Mage/Admin/sql/admin_setup/upgrade-1.6.1.1-1.6.1.2.php
    patching file app/code/core/Mage/Adminhtml/Block/Permissions/Block.php
    patching file app/code/core/Mage/Adminhtml/Block/Permissions/Block/Edit.php
    patching file app/code/core/Mage/Adminhtml/Block/Permissions/Block/Edit/Form.php
    patching file app/code/core/Mage/Adminhtml/Block/Permissions/Block/Grid.php
    patching file app/code/core/Mage/Adminhtml/Block/Permissions/Variable.php
    patching file app/code/core/Mage/Adminhtml/Block/Permissions/Variable/Edit.php
    patching file app/code/core/Mage/Adminhtml/Block/Permissions/Variable/Edit/Form.php
    patching file app/code/core/Mage/Adminhtml/Block/Permissions/Variable/Grid.php
    patching file app/code/core/Mage/Adminhtml/controllers/Permissions/BlockController.php
    patching file app/code/core/Mage/Adminhtml/controllers/Permissions/VariableController.php
    patching file app/code/core/Mage/Adminhtml/etc/adminhtml.xml
    patching file app/code/core/Mage/Catalog/Model/Product/Option/Type/File.php
    patching file app/code/core/Mage/Core/Controller/Front/Action.php
    patching file app/code/core/Mage/Core/Controller/Varien/Router/Admin.php
    patching file app/code/core/Mage/Core/Helper/UnserializeArray.php
    patching file app/code/core/Mage/Core/Model/Email/Template/Filter.php
    patching file app/code/core/Mage/Core/Model/Resource/Setup.php
    patching file app/code/core/Mage/Core/etc/config.xml
    patching file app/code/core/Mage/Core/etc/system.xml
    patching file app/code/core/Mage/Customer/Block/Account/Changeforgotten.php
    patching file app/code/core/Mage/Customer/Block/Account/Resetpassword.php
    patching file app/code/core/Mage/Customer/controllers/AccountController.php
    patching file app/code/core/Mage/Downloadable/Model/Product/Type.php
    patching file app/code/core/Mage/Eav/Model/Resource/Attribute/Collection.php
    patching file app/code/core/Mage/Sales/Model/Resource/Order/Item/Collection.php
    patching file app/code/core/Mage/Sales/controllers/DownloadController.php
    patching file app/code/core/Mage/SalesRule/Model/Resource/Coupon/Collection.php
    patching file app/design/adminhtml/default/default/layout/admin.xml
    patching file app/design/frontend/base/default/layout/customer.xml
    patching file app/design/frontend/base/default/template/customer/form/register.phtml
    patching file app/design/frontend/base/default/template/customer/form/resetforgottenpassword.phtml
    patching file app/design/frontend/base/default/template/persistent/customer/form/register.phtml
    patching file app/design/frontend/default/iphone/layout/customer.xml
    patching file app/design/frontend/default/modern/layout/customer.xml
    patching file app/design/frontend/rwd/default/layout/customer.xml
    patching file app/design/frontend/rwd/default/template/customer/form/resetforgottenpassword.phtml
    patching file app/design/frontend/rwd/default/template/persistent/customer/form/register.phtml
    patching file cron.php
    patching file dev/tests/functional/.htaccess
    patching file errors/processor.php
    patching file lib/Unserialize/Parser.php
    patching file lib/Unserialize/Reader/Arr.php
    patching file lib/Unserialize/Reader/ArrKey.php
    patching file lib/Unserialize/Reader/ArrValue.php
    patching file lib/Unserialize/Reader/Bool.php
    patching file lib/Unserialize/Reader/Dbl.php
    patching file lib/Unserialize/Reader/Int.php
    patching file lib/Unserialize/Reader/Str.php
    patching file lib/Varien/Data/Collection/Db.php
    patching file lib/Zend/Xml/Security.php

    please help and info what has been causing the patch seem have no effect.

  14. Hi,

    thanks for the great post. After installing version for 1.9.0.1 customer reset form and cron don’t work.

    It seems to me that your update package for this version is not fully correct. For example there is a method ‘$customer->cleanPasswordsValidationData();’ in app/code/core/Mage/Customer/controllers/AccountController.php that is not added through the original SSH file for the same version. Also, this method doesn’t exist on Customer model in this version of Magento.

  15. After install SUPEE-6788 patch, I am getting blank page on System > Permissions > Blocks
    also, in home page, featured products, new products bloc are not working. {{block type=”catalog/product_list”
    category_id=”46″ template=”catalog/product/list.phtml”}} any help me?? catalog product is blank page.. not see any product… nay .. help me..? please? my magento is 1.9.0.1

    1. You will need to check the blocks you have used, and give permissions to them. If you are a developer, you can find those from CMS > Pages and phtml files.

    2. You will need to find the perfect block you are using display products and allow them permission,
      Here are some common we get,

      bannerslider/bannerslider
      catalog/product_list
      newsletter/subscribe
      customer/newsletter

      ultimo/product_list_featured
      catalog/product_new
      cms/block
      ultimo/navigation

  16. Lukas Kozlowski

    Hello Magecomp,
    we installed this patch carefully without SSH and tested it on: https://www.magereport.com/scan/?s=http://magento.robbeberking.info/ which tells me that we patched it correctly. But when I test it with the patch tester from magentary: https://magentary.com/magento-security-patch-tester/ it says that it is still vulnerable to SUPEE-6788 could you please advice me in which criterea the test is failing right now for the domain magento.robbeberking.info ? Thanks for your time.
    The magento version that we are using is: 1.7.0.2

      1. Lukas Kozlowski

        Done that two times already. They didn’t respond that is why I tried to post the issue here.
        I thought that it is maybe common. Anyways thanks for your reply and your time.

        1. I see 🙂 Don’t worry. We and Magento generally recommend to check at magereport. If it is showing ok then no need to worry.
          Have a nice day.!

  17. Controller file was loaded but class does not exist

    Hi,

    After run 6788 patch, if i go to Admin -> System -> Permission -> Blocks

    below error came

    a:5:{i:0;s:51:”Controller file was loaded but class does not exist”;i:1;s:941:”#0 app/code/core/Mage/Core/Controller/Varien/Router/Standard.php(340): Mage::exception(‘Mage_Core’, ‘Controller file…’)

    Please help me

  18. Hello I try to install the PATCH_SUPEE-6788 via SSH on magento version 1.9.2.1, but on step 5 I can’t understand what actually I have to do. I try to change the version of magento 1.9.2.1 to 1.8.2.1 and the command was as -> sh PATCH_SUPEE-6788_CE_1.8.2.1_v1-2015-10-26-11-59-27.sh, but it tells me that this is unknown file or something like this, where I got wrong?

    1. You need to add 1.8 for this command only, patch (.sh) file, you need to download and run as per your Magento version.
      sh PATCH_SUPEE-6788_CE_1.8.1.0_v1-2015-10-26-11-59-27.sh

  19. Moreover I try the without SSH method, but after I upload the prepatched files, this problem appeared:
    Forbidden

    You don’t have permission to access / on this server.
    Server unable to read htaccess file, denying access to be safe

    Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

  20. Hello MageComp,
    I have a problem during installation of the SUPEE 6788. First I try install it with SSH connection, but on step 5, I couldn’t understand, what I have to do actually just change the name of the version. I do this as write instead of 1.9.2.1, 1.8.2.1, that what I understand from the instructions. But it tells me unknown file or something like that. After that I try without SSH but after I paste the prepatched files, some wrong appear as:

    Forbidden

    You don’t have permission to access / on this server.
    Server unable to read htaccess file, denying access to be safe

    Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

    What I have to do and where I made the mistake?

  21. Hi, when I write a comment here, after that it disappear, so I can’t read your answer, I refresh the page multiple times and the last comment that I see is from 28th of January this year. Why is that?

  22. Only when I post a comment I see what you answer to me.
    What did you mean I have to add 1.8 for the command, where to add to change the version of magento or what?
    I try to install the patch multiple times but nothing happens, I try with.
    Can you please explain to me in details? My version of magento is 1.9.2.1 and I download the patch for this version, after that when I make the SSH I find the directory in the server where the file is, and then type
    sh PATCH_SUPEE-6788_CE_1.9.2.1_v1-2015-10-26-11-38-41 and the problem appear -> a lot of lines of code and last line -> 4 out of 4 hunks ignored
    rename the file as 1.9.2.1-> 1.8.2.1 and the command looks like this sh PATCH_SUPEE-6788_CE_1.8.2.1_v1-2015-10-26-11-38-41, and again the same problem ->
    4 out of 4 hunks ignored
    So where to add 1.8 maybe I can’t understand please help…

    1. 1. Make sure you have installed all the previous patches.
      2. Follow this
      mv .htaccess .htaccess_original
      wget -qO .htaccess http://svn.magentocommerce.com/source/branches/1.8/.htaccess
      wget -qO .htaccess.sample http://svn.magentocommerce.com/source/branches/1.8/.htaccess.sample
      sh PATCH_SUPEE-6788_CE_1.9.2.1_v1-2015-10-26-11-59-27.sh
      mv .htaccess .htaccess_patched
      mv .htaccess_original .htaccess

      3. If you are getting hunks ignored error, that means patch files are unable to find the correct line and code in your Magento. You need to note those files and replace those files with the default Magento 1.9.2.1, then again install the patches.
      This will work 🙂

  23. I had created plugin for Magento 1.8 but in Magento 1.9.0.0 it is not working.Please help me.

    1. If you see there about page FAQ, you will find, they say if it is showing grey, in that case the patch might be installed but the magereport is unable to check.

  24. Hey Magecomp Team,

    Thanks for updation!!!

    Please suggest me.
    What is the reason MageReport unable check??

    1. If you are talking about SUPEE 6788, then you don’t need to install it on Magento 1.9.2.2 as Magento 1.9.2.2 was released for SUPEE 6788 inclusive.
