Magento has just released SUPEE 6788, which addresses 10 vulnerabilities covering remote code execution and personal information leaks. Please note that this patch is not related to the Guruincsite malware (Neutrino exploit) issue. Install and test the patch on a development server before applying it to the live website, because SUPEE 6788 may affect third-party extensions and any custom development you have done in Magento.
You can also get the patch by upgrading your Magento installation to the latest version, 1.9.2.2.
SUPEE 6788 with SSH
Please note before proceeding:
- Check whether your theme has a custom customer/form/register.phtml or a custom persistent/customer/form/register.phtml. If so, make sure that it includes a form_key.
- Do you use non-standard variables in CMS pages, static blocks or email templates? They need to be whitelisted; see the FAQ section of this blog for how to do this.
- Do you run the Magento cron over HTTP on Apache? The patch adds a new access control on cron.php, so you would have to change .htaccess to allow your local IP. Preferably use cron.sh instead; if that is not possible, at least make sure that you call cron.php through the PHP CLI.
- Make sure that all your extensions use the "new" admin routing. You can use this n98-magerun plugin to check. You can also use this CLI script. You can also have a look at the SUPEE 6788 Resources section of this blog.
Steps
1. You need SSH access to your server to install the patch on your Magento website.
2. Once you have SSH access, follow these steps to prepare your Magento installation for the patch:
- Make sure the Compiler is disabled on your Magento store (System > Configuration > Tools > Compilation).
- Verify your Magento version, for example from the footer of the admin backend.
3. Download the security patch from official website of Magento for the version of Magento you are using.
https://www.magentocommerce.com/products/downloads/magento/
4. Upload the patch in the root directory of Magento using Cpanel or FTP.
5. Connect to your server over SSH and go to the root directory where Magento is installed. Run the patch commands as follows.
Replace the Magento version in the commands with the version you are running. If you are on Magento 1.9 you may get a "hunk failed" error on .htaccess, in which case you can use 1.8 in the commands.
mv .htaccess .htaccess_original
wget -qO .htaccess http://svn.magentocommerce.com/source/branches/1.8/.htaccess
wget -qO .htaccess.sample http://svn.magentocommerce.com/source/branches/1.8/.htaccess.sample
sh PATCH_SUPEE-6788_CE_1.8.1.0_v1-2015-10-26-11-59-27.sh
mv .htaccess .htaccess_patched
mv .htaccess_original .htaccess
For patch files with the file extension .patch:
patch -p0 < patch_file_name.patch
Clear the cache manually or with the following command; otherwise an installed patch sometimes does not show up. Go to the var folder over SSH and run:
rm -rf cache/
6. If you have followed the commands above, make sure to add the following block manually at the bottom of your .htaccess file.
###########################################
## Deny access to cron.php
<Files cron.php>
############################################
## uncomment next lines to enable cron access with base HTTP authorization
## http://httpd.apache.org/docs/2.2/howto/auth.html
##
## Warning: .htpasswd file should be placed somewhere not accessible from the web.
## This is so that folks cannot download the password file.
## For example, if your documents are served out of /usr/local/apache/htdocs
## you might want to put the password file(s) in /usr/local/apache/.
#AuthName "Cron auth"
#AuthUserFile ../.htpasswd
#AuthType basic
#Require valid-user
############################################
Order allow,deny
Deny from all
</Files>
7. After patching, the new secured admin routing for extensions is not enforced by default. Make sure you have made all the related changes to third-party extensions and custom development in Magento before enforcing it.
- You can uninstall unusual third-party extensions.
- You can ask the extension developer for support or for an upgraded package of the extension.
- You can follow the Magento guide to make the necessary changes in third-party extensions and custom development, or ask us to make your extensions compatible with SUPEE 6788.
8. Once you are sure and have verified the above, you can enable secured admin routing under System > Configuration > Admin > Security > Admin routing compatibility mode for extensions.
9. You can then verify the patch installation at https://www.magereport.com/
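As an added example (not from the original post or from the Magento project), the POSIX shell script below automates the pre-flight checks from the steps above: the form_key in custom register templates (the single path pattern also matches the persistent/ variant), old-style admin routing in community/local extensions (treating a `<use>admin</use>` router declaration in config.xml as the marker is my own heuristic), the compiler state in includes/config.php, and the cron.php block in .htaccess. Run `preflight /path/to/magento` before patching.

```shell
# Added example (not from the original post or from Magento): pre-flight checks
# for the SUPEE-6788 steps above. Each takes the Magento root as $1 and returns
# 0 (pass) or 1 (needs attention), printing what it found.

# Custom customer/form/register.phtml (and persistent/ variant) must post form_key.
check_register_form_key() {
  root="$1"; bad=0
  for f in $(find "$root/app/design/frontend" -path '*customer/form/register.phtml' 2>/dev/null); do
    grep -qiE 'form_?key' "$f" || { echo "missing form_key: $f"; bad=1; }
  done
  return $bad
}

# Heuristic (assumption): old-style admin routing declares <use>admin</use> in
# config.xml. Core is skipped because Mage_Adminhtml legitimately uses that form.
check_admin_routing() {
  root="$1"; bad=0
  for d in "$root/app/code/community" "$root/app/code/local"; do
    [ -d "$d" ] || continue
    for f in $(find "$d" -name config.xml -exec grep -l '<use>admin</use>' {} \;); do
      echo "old-style admin router: $f"; bad=1
    done
  done
  return $bad
}

# Compilation is on when includes/config.php has an uncommented COMPILER_INCLUDE_PATH define.
check_compiler_disabled() {
  f="$1/includes/config.php"
  [ -f "$f" ] || return 0
  grep -q "^[[:space:]]*define('COMPILER_INCLUDE_PATH'" "$f" || return 0
  echo "compiler enabled: $f"; return 1
}

# Step 6: .htaccess must carry the <Files cron.php> deny block.
check_cron_htaccess() {
  f="$1/.htaccess"
  grep -q '<Files cron.php>' "$f" 2>/dev/null && return 0
  echo "no cron.php access control in $f"; return 1
}

# Run everything; exit status is non-zero if anything must be fixed before patching.
preflight() {
  rc=0
  for c in check_register_form_key check_admin_routing check_compiler_disabled check_cron_htaccess; do
    "$c" "$1" || rc=1
  done
  return $rc
}
```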
SUPEE 6788 without SSH
To help the Magento community apply patches as easily as possible, we have been releasing pre-patched files for every patch so far. We have also released pre-patched files for SUPEE 6788 so that it can be installed over FTP.
1. Take a backup of all the original files before replacing them with the pre-patched files in your Magento installation.
2. Make sure Compilation is disabled on your Magento store.
Here are the pre-patched files.
Download the zip file for your version to install the patch. You can also download these pre-patched files from GitHub.
| Magento version | SUPEE-6788 |
| --- | --- |
| Magento 1.9.2.1 | SUPEE_6788_Magento_1.9.2.1 |
| Magento 1.9.2.0 | SUPEE_6788_Magento_1.9.2.0 |
| Magento 1.9.1.1 | SUPEE_6788_Magento_1.9.1.1 |
| Magento 1.9.1.0 | SUPEE_6788_Magento_1.9.1.0 (Updated!) |
| Magento 1.9.0.1 | SUPEE_6788_Magento_1.9.0.1 |
| Magento 1.9.0.0 | SUPEE_6788_Magento_1.9.0.0 |
| Magento 1.8.0.0 | SUPEE_6788_Magento_1.8.0.0 |
| Magento 1.8.1.0 | SUPEE_6788_Magento_1.8.1.0 |
| Magento 1.7.0.0-1.7.0.1 | SUPEE_6788_Magento_1.7.0.0-1.7.0.1 |
| Magento 1.7.0.2 | SUPEE_6788_Magento_1.7.0.2 |
| Magento 1.6.2.0 | SUPEE_6788_Magento_1.6.2.0 |
| Magento 1.6.1.0 | SUPEE_6788_Magento_1.6.1.0 |
| Magento 1.5.1.0 | SUPEE_6788_Magento_1.5.1.0 |
Don't forget to follow steps 6, 7 and 8 from the method above.
Note: SUPEE 6788 for Magento CE 1.6.x and earlier (CE 1.5.x, 1.4.x and possibly 1.3.x) is likely to be released a week after this release.
FAQs:
1) Patch 6788 is installed but MageReport disagrees?
2) Have simple blocks of content disappeared after installing SUPEE-6788?
If you have a simple grid of products that is pulled in via its category ID, like
{{block type="catalog/product_list" column_count="4" category_id="23" template="catalog/product/list.phtml"}}
you may have noticed that the page is completely blank in the area where a block like the above was referenced.
You now need to explicitly give permission to that block type for it to appear. Do this by going to System > Permissions > Blocks and entering the name of the block, "catalog/product_list" in this case.
After that the blocks appear again as before.
3) No changes to source files after applying SUPEE 6788? If I do a git status after applying the patch, none of the files appear to have changed?
If .htaccess fails to be patched, the entire patch is not installed, which is why git sees no changes. Try overwriting .htaccess with the original and then apply the patch again.
4) Getting this error while applying SUPEE 6788: "1 out of 1 hunk FAILED -- saving rejects to file app/code/core/Mage/Core/Controller/Varien/Router/Admin.php.rej"
A possible reason for this error is that earlier patches were not installed. Make sure you have installed all the previous patches before installing SUPEE 6788.
Leave a comment if you run into any issue.