Magento recently released 2 new patches SUPEE 7405 and SUPEE 7616. In this article I will give you information why you should install SUPEE 7405 and help you install SUPEE 7405 on your Magento 1.x with or without SSH.
Index:
- What is SUPEE 7405 (Bundle Security Patch)
- Install SUPEE-7405 with SSH
- Install SUPEE-7405 without SSH
- FAQs
Contents
SUPEE 7405 (Bundle Security Patch)
SUPEE 7405 is for certain vulnerabilities that can potentially be exploited to steal your customer information or take over administrator sessions. As per the Magento there are no confirmed attacks because of this vulnerability. Please check administrator accounts, unfamiliar files on the server, etc. if your store already been attacked.
The Definitive Guide to install SUPEE 7405 with or Without SSH #magento #security https://t.co/VI8OIivAzJ
— MageComp (@theMageComp) February 18, 2016
Install SUPEE-7405 with SSH
- Download SUPEE 7405 from the Magento official website. Please download the Patch file corresponding to your Magento version.
https://experienceleague.adobe.com/docs/commerce-operations/installation-guide/overview.html - You must have SSH access of your server to install the patch using patch files, if you don’t have you can follow Install SUPEE 7405 without SSH (below method)
- Please disable compiler before installing the patch if enabled, check system > configuration > Tools > Magento Compiler and clear compiled cache.
- Upload the patch in the root directory of your Magento files and Run the patch file by running this command.
Example: sh PATCH_SUPEE-7405_CE_1.9.2.2_v1-2016-01-20-04-35-33.sh1sh patch_file_name.sh - Verify the Magento store functionality and flush the cache. You might need to flush the php opcode cache as well If you use PHP opcode caches (APC/XCache/eAccelerator).
MageReport.com should soon add these patches to check.
Install SUPEE-7405 without SSH
If you don’t have SSH access of your server, this method you can use to install the latest security patches however, it is highly recommended to upgrade your Magento version to 1.9.2.3 which includes all the security patches but in case you are not able to upgrade and you don’t have SSH follow this method.
- Make sure you have installed all the previous patches before installing this one (SUPEE-1533, SUPEE-5344, SUPEE-5994, SUPEE-6285, SUPEE-6482, SUPEE-6788)
- Disable Magento Compiler from system > configuration > Tools > Magento Compiler if enabled.
- Download the Pre Patched files from Github or from down below and simply upload in the root of Magento.
- Please make sure you keep backup of the files you are replacing.
Magento version SUPEE-7405 Magento 1.9.2.2 SUPEE_7405_Magento_1.9.2.2 Magento 1.9.2.0-1.9.2.1 SUPEE_7405_Magento_1.9.2.1 Magento 1.9.1.0-1.9.1.1 SUPEE_7405_Magento_1.9.1.1 Magento 1.8.1.0 SUPEE_7405_Magento_1.8.1.0 Magento 1.7.0.0-1.7.0.2 SUPEE_7405_Magento_1.7.0.2 ==================================================================================
Magento version SUPEE-7405 v 1.1 Magento 1.9.2.3 SUPEE_7405_v1.1_Magento_1.9.2.3 Magento 1.9.2.2 SUPEE_7405_v1.1_Magento_1.9.2.2 Magento 1.9.2.1 SUPEE_7405_v1.1_Magento_1.9.2.1 Magento 1.9.1.1 SUPEE_7405_v1.1_Magento_1.9.1.1 Magento 1.8.1.0 SUPEE_7405_v1.1_Magento_1.8.1.0 Magento 1.7.0.2 SUPEE_7405_v1.1_Magento_1.7.0.2 Magento 1.6.2.0 SUPEE_7405_v1.1_Magento_1.6.2.0 ==================================================================================
- Clear the cache and run compiler (if it was enabled before). You might need to flush the php opcode cache as well If you use PHP opcode caches (APC/XCache/eAccelerator).
- Verify your Magento store functionality. MageReport.com should soon add these patches to check.
FAQs
[expand title=”1) Unable to login to the backend after the patch: Invalid form key error.“] Try to Flush your browser cookies and cache and delete the var/session files from Magento files.[/expand] [expand title=”2) Admin order view page showing blank / broken screen“]
a) You can try this solution, hope it should help.
go to app/code/core/Mage/Adminhtml/Helper/Sales.php,
In the class Mage_Adminhtml_Helper_Sales around line number 124. The code is:
$links = [];
Change it to
$links = array();
b) One possible reason we came to know is lower then 5.4 PHP version. Ask your host to upgrade your PHP version and check.
[/expand]
[expand title=”3) SOAP API URL /index.php/api/v2_soap/index/?wsdl=1 throws a 500 error“]
Bug Report has been created, we will have to wait for the response from Magento.
[/expand]
[expand title=”4) Patch is not compatible with lower version then PHP 5.4“]
You can try this solution, hope it should help.
In the class Mage_Adminhtml_Helper_Sales around line number 124. The code is:
$links = [];
Change it to
$links = array();
[/expand]
Do leave a comment if you are facing any issue. We would love to help you out.
You can use our extension Applied Patches to check whether the patch has been installed or not. Magento Applied Patches
If you need help installing any other security patches, checkout our Ultimate Guide for Installing Magento Security Patches.
Happy Patching :))
My magento version 1.9.0.1, which is for my version?
Thanks
Try 1.9.1.1 patch, if not please get your Magento version upgraded to latest.
After installing the patch I am not able to see products in home page. I can see header and footer though! Also all the other pages are working just fine. Any suggestions?
Please check you have added the static blocks permissions.
I’m having crazy issues on checkout page – it kicks the client out of the checkout:
500 Server error on /checkout/onepage/progress/?toStep=shipping_method
sometimes on billing too.
The issue is intermittent, sometimes it shows up, sometimes not.
SUPEE 7405 I have applied both 1.0 and 1.1 via FTP(direct file upload), but the issue with checkout still persists!
Please help!
PS: Both MCRYPT,MBSTRING and SOAP are enabled on the server. I’m running PHP 5.4.45 with APC 3.1.13 on 1230 Intel CPU, 16GB of RAM, 2TB Drives
Update:
Chrome Console spits this out:
prototype.js:1530 POST /checkout/onepage/saveBilling/ 500 (Internal Server Error)
Ajax.Request.Class.create.request @ prototype.js:1530 Ajax.Request.Class.create.initialize @ prototype.js:1495 (anonymous function) @ prototype.js:429 klass @ prototype.js:101Billing.save @ /skin/frontend/base/default/js/opcheckout.js:313 onclick @ /checkout/onepage/:679
UPDATE: Apache Logs have these types of errors:
24.87.30.186 – – [21/Apr/2016:16:13:43 -0700] “POST /checkout/onepage/saveBilling/ HTTP/1.1” 500 – “https://www.example.com/checkout/onepage/” “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36”
216.129.65.170 – – [21/Apr/2016:16:08:00 -0700] “GET /checkout/onepage/progress/?toStep=payment HTTP/1.1” 500 461 “https://www.example.com/checkout/onepage/” “Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36”
216.129.65.170 – – [21/Apr/2016:16:08:00 -0700] “GET /checkout/onepage/progress/?toStep=payment HTTP/1.1” 500 461 “https://www.example.com/checkout/onepage/” “Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36”
Please contact us and our technical support team will help you further.
Hi, having the same Error Message. Could you solve this issue?
[Mon Apr 18 12:26:35.798979 2016] [:error] [pid 27208] [client 207.46.13.143:15409] PHP Warning: include_once(): Failed opening ‘/var/www/store/includes/src/Varien_Autoload.php’ for inclusion (include_path=’/var/www/store/includes/src:.:/usr/share/php:/usr/share/pear’) in /var/www/outlet/app/Mage.php on line 37
[Mon Apr 18 12:26:35.798996 2016] [:error] [pid 27208] [client 207.46.13.143:15409] PHP Fatal error: Class ‘Varien_Autoload’ not found in /var/www/store/app/Mage.php on line 54
Solution:
via the console/ssh you can use
$ php -f shell/compiler.php — disable
$ php -f shell/compiler.php — clear
$ php -f shell/compiler.php — compile
$ php -f shell/compiler.php — enable
might need the fourth line…not sure.
Credits
http://magento.stackexchange.com/questions/68010/error-after-successfull-patch-supee-5994-class-mage-install-controller-router
Hi, please, it is possible that you give me SUPEE-7405 without SSH for Magento 1.6.0.
Thanks
about SUPEE-7405 Security Patch …
do i have to upgrade my magento CE 1.9.2.2 to 1.9.2.3 or not ?
if yes? how can i upgrade that. i hting because of that i cant patch SUPEE 7405 security patch…..
can you help me
Hello Kurt,
It is not advisable to upgrade the Magento version by yourself because there are 60-80% chances of getting error which needs to be solved.
Contact us and our technical support team will be happy to help you with you it,
My magento version was 1.9.1.0 can I use 1.9.1.1 for SUPEE-7405 v1.1 ?
Yes, but make sure you have installed all remaining patches and SUPEE 7405 before version 7405 v 1.1.
thanks
Ok guys I have a question. I Installed SUPEE-7405 V 1.1 and when I logged into my admin all of my orders where gone but one. Why that one was there I have no clue. NOW…. when I installed the first version of this security patch I edited the Uploader.php file in the lib/Varien/File path. (This was the only file I messed with from the earlier version of patch 7405.)
I changed this code on line 219 from:
chmod($destinationFile, 0640);
to this
chmod($destinationFile, 0666);
Before installing this new version I didn’t add the original file back. Should I do that first and make it say 640 again? Just don’t know why that would make a difference in my orders showing or not showing since this file deals with images and the uploading of them. Any ways I thought I would pick your brains first before trying other methods. As all ways you guys do a killer job here and thanks fore everything. Cheers!
Shawn
Hello Shawn,
Make sure you have installed the SUPEE 7405 correctly and then it’s 1.1 version.
Order blank page issue and image uploading issue sorted out in 1.1 version of 7405.
Your issue seems little odd, you are able to see one order as much as i can understand from your comment,
There shouldn’t be such issue with the patch installation.
Still try to remember, if you have done any other changes or contact us, our technical support team can help you to debug the issue.
Thank you
Magecomp,
Well I tried it again this morning and everything worked fine after installing the patch. Not sure what it was before hand but all is good. So once again thanks for everything! Cheers
File for supee7405 v1.1 / magento 1.8.1.0 ?
Thanks !
I installed it by doing without ssh(ftp), but cant check if it installed successfully…
I test it with some extensions like appliedpatches or the same with philwinkle but it shows only 1.9.2.3…
no patch informations.
How can I be sure that is all ok ?
Hello Schmidt,
If you install the patch, that doesn’t mean Magento version will be changed. If you have installed Patch using FTP, you won’t be able to verify it with any extension like you mentioned. Did you check in https://www.magereport.com/?
Please install SUPEE 7405 v 1.1 after older SUPEE 7405.
the patch SUPEE_7405_v 1.1 is stable?
Yes it is, 🙂
Magecomp,
It seems that there is a new version of SUPEE 7405 out. Looks like it is supposed to address the issues with upload file permissions, merging carts and SOAP APIs that we all have experienced with the original release. Have you heard anything about this yet?
https://community.magento.com/t5/Security-Patches/after-installing-SUPEE-7405-can-no-longer-add-or-change-images/td-p/26785/page/4
I saw it from the community manager Sherrie at the link above. Thought I would just ask and also inform if you haven’t heard about it yet.
Hello Shawn,
Yes we received newsletter email from Magento.
Thank you BTW 🙂
Magecomp,
No, Thank you for everything you do.
Hello Magecomp,
I have done change in Sales.php according to you and checked developer mode in index.php that is already true.
What else i can do.
Thanks
Please Contact us for more help.
Hello,
I have applied security patch up 7405 and now admin panel not working it show me blank page after enter credential.
Please can you tell me that what i need to do .
Thanks
Please check your PHP version, we have added FAQ already for other possible solution you can go with it.
If you still face issue, you can contact us anytime and our technical support team will be happy to assist you,. 🙂
Hello Magecomp,
Thanks for your fast reply,
I checked already and my php version is 5.4.28
Please tell me what can be another issue.
Thanks
You can try this solution, hope it should help.
go to app/code/core/Mage/Adminhtml/Helper/Sales.php,
In the class Mage_Adminhtml_Helper_Sales around line number 124. The code is:
$links = [];
Change it to
$links = array();
If this also don’t solve your issue, please enable developer mode from index.php and look for the error or contact us.
Please, it is possible that you give me SUPEE-7405 without SSH for Magento 1.6.2
Please contact us at support@magecomp.com.
Having issues with image permissions now – when uploading images, they are being defaulted to 640 permissions – any thoughts?
Hello James,
We came to know that somebody has already reported this error to Magento. Let’s wait.
Hey, nice tutorial but is there also a prepatched version available for 1.8.0.0?
You can try installing the pre patched files of 1.8.1.0
Hi,
after uploading SUPEE 7405 without ssh, I go to admin url and see this error.
Fatal error: Call to a member function getUsername() on a non-object in /app/design/adminhtml/default/default/template/page/header.phtml on line 33
Please can you help me?
Please contact our technical support team to help you out.
Checking if patch can be applied/reverted successfully…
ERROR: Patch can’t be applied/reverted successfully.
patching file app/code/core/Mage/Admin/Model/Observer.php
patching file app/code/core/Mage/Admin/Model/Redirectpolicy.php
patching file app/code/core/Mage/Admin/Model/Resource/User.php
patching file app/code/core/Mage/Admin/Model/User.php
patching file app/code/core/Mage/Adminhtml/Block/Sales/Order/View/Tab/History.php
patching file app/code/core/Mage/Adminhtml/Block/Widget/Grid.php
patching file app/code/core/Mage/Adminhtml/Helper/Catalog/Product/Edit/Action/Attribute.php
patching file app/code/core/Mage/Adminhtml/Helper/Sales.php
patching file app/code/core/Mage/Adminhtml/Model/System/Config/Backend/File.php
patching file app/code/core/Mage/Adminhtml/Model/System/Config/Backend/Image.php
patching file app/code/core/Mage/Adminhtml/Model/System/Config/Backend/Image/Favicon.php
patching file app/code/core/Mage/Adminhtml/controllers/IndexController.php
patching file app/code/core/Mage/Authorizenet/Helper/Admin.php
patching file app/code/core/Mage/Authorizenet/Helper/Data.php
patching file app/code/core/Mage/Authorizenet/controllers/Adminhtml/Authorizenet/Directpost/PaymentController.php
patching file app/code/core/Mage/Captcha/etc/config.xml
patching file app/code/core/Mage/Catalog/Block/Product/View/Options/Type/Select.php
patching file app/code/core/Mage/Catalog/Model/Category/Attribute/Backend/Image.php
patching file app/code/core/Mage/Catalog/Model/Resource/Product/Attribute/Backend/Image.php
patching file app/code/core/Mage/CatalogIndex/etc/config.xml
patching file app/code/core/Mage/CatalogInventory/Helper/Minsaleqty.php
patching file app/code/core/Mage/Checkout/Block/Cart/Item/Renderer.php
patching file app/code/core/Mage/Checkout/controllers/CartController.php
patching file app/code/core/Mage/Checkout/controllers/OnepageController.php
patching file app/code/core/Mage/Core/Helper/Data.php
patching file app/code/core/Mage/Core/Model/App.php
patching file app/code/core/Mage/Core/Model/Config.php
patching file app/code/core/Mage/Core/Model/Email/Queue.php
Hunk #1 succeeded at 234 (offset -5 lines).
patching file app/code/core/Mage/Core/Model/Email/Template/Filter.php
Hunk #1 FAILED at 171.
Hunk #2 succeeded at 182 (offset -10 lines).
1 out of 2 hunks FAILED — saving rejects to file app/code/core/Mage/Core/Model/Email/Template/Filter.php.rej
patching file app/code/core/Mage/Core/Model/File/Validator/Image.php
patching file app/code/core/Mage/Core/Model/Input/Filter/MaliciousCode.php
patching file app/code/core/Mage/Core/Model/Session.php
patching file app/code/core/Mage/Customer/controllers/AccountController.php
Hunk #1 succeeded at 65 (offset -3 lines).
patching file app/code/core/Mage/Dataflow/Model/Convert/Parser/Csv.php
patching file app/code/core/Mage/Downloadable/controllers/CustomerController.php
patching file app/code/core/Mage/ImportExport/Model/Export/Adapter/Abstract.php
patching file app/code/core/Mage/ImportExport/Model/Export/Adapter/Csv.php
patching file app/code/core/Mage/ImportExport/Model/Import/Entity/Abstract.php
patching file app/code/core/Mage/ImportExport/etc/config.xml
patching file app/code/core/Mage/ImportExport/etc/system.xml
patching file app/code/core/Mage/Newsletter/Model/Observer.php
patching file app/code/core/Mage/Newsletter/Model/Queue.php
patching file app/code/core/Mage/Page/etc/system.xml
patching file app/code/core/Mage/Paypal/controllers/PayflowController.php
patching file app/code/core/Mage/Paypal/controllers/PayflowadvancedController.php
patching file app/code/core/Mage/Paypal/etc/config.xml
patching file app/code/core/Mage/Persistent/etc/config.xml
patching file app/code/core/Mage/Review/controllers/ProductController.php
patching file app/code/core/Mage/Rss/Block/Catalog/Salesrule.php
patching file app/code/core/Mage/Rss/Helper/Order.php
patching file app/code/core/Mage/Sales/Helper/Guest.php
patching file app/code/core/Mage/Sales/Model/Quote/Address.php
patching file app/code/core/Mage/Sales/Model/Quote/Item.php
patching file app/code/core/Zend/Xml/Security.php
patching file app/design/adminhtml/default/default/template/authorizenet/directpost/iframe.phtml
patching file app/design/adminhtml/default/default/template/bundle/sales/creditmemo/create/items/renderer.phtml
patching file app/design/adminhtml/default/default/template/bundle/sales/creditmemo/view/items/renderer.phtml
patching file app/design/adminhtml/default/default/template/bundle/sales/invoice/create/items/renderer.phtml
patching file app/design/adminhtml/default/default/template/bundle/sales/invoice/view/items/renderer.phtml
patching file app/design/adminhtml/default/default/template/bundle/sales/order/view/items/renderer.phtml
patching file app/design/adminhtml/default/default/template/bundle/sales/shipment/create/items/renderer.phtml
patching file app/design/adminhtml/default/default/template/bundle/sales/shipment/view/items/renderer.phtml
patching file app/design/adminhtml/default/default/template/catalog/product/composite/fieldset/options/type/file.phtml
patching file app/design/adminhtml/default/default/template/downloadable/sales/items/column/downloadable/creditmemo/name.phtml
patching file app/design/adminhtml/default/default/template/downloadable/sales/items/column/downloadable/invoice/name.phtml
patching file app/design/adminhtml/default/default/template/downloadable/sales/items/column/downloadable/name.phtml
patching file app/design/adminhtml/default/default/template/sales/items/column/name.phtml
patching file app/design/adminhtml/default/default/template/sales/items/renderer/default.phtml
patching file app/design/adminhtml/default/default/template/sales/order/totals/discount.phtml
patching file app/design/adminhtml/default/default/template/sales/order/view/info.phtml
patching file app/design/frontend/base/default/template/catalog/product/view/options/type/file.phtml
patching file app/design/frontend/base/default/template/rss/order/details.phtml
patching file lib/Varien/File/Uploader.php
patching file lib/Varien/Io/File.php
Done
There are 2 files which you should download and upload from the github as per your Magento version.
app/code/core/Mage/Core/Model/Email/Queue.php
app/code/core/Mage/Core/Model/Email/Template/Filter.php
I get this exact error. I replaced the two files mentioned with the files from github, and then get a fatal error:
“Fatal error: Call to a member function isPathAllowed() on a non-object in …/app/code/core/Mage/Core/Model/Email/Template/Filter.php on line 481”
Line 481 content is: “if (isset($params[‘path’]) && $this->_permissionVariable->isPathAllowed($params[‘path’])) {”
any thoughts?
Please contact us to check the issue for you.
I got same issue even we replaced both files (below), which you mentioned.
app/code/core/Mage/Core/Model/Email/Queue.php
app/code/core/Mage/Core/Model/Email/Template/Filter.php
Could you please let me know what else I missed to fix the issue and get success with with this patch applied into our site?
Thanks in advance!
Best,
Subbu.
Did you download the files according to your Magento version because if you have downloaded from Github Magento 1.9 then it would come of 1.9.2.3 which is already patched files. So using SSH you won’t be able to patch those files and will show error.
has there been any update with the blank orders in the admin section? Unable to refund customers due to this.
Please check FAQ,
Will you please check your PHP version if it is lower then 5.4, ask hosting guys to upgrade.
Try this one as well
Change line 124 in app/code/core/Mage/Adminhtml/Helper/Sales.php from $links = []; to $links = array();:
Hey guys,
thanks for the update on what PHP version we need to be running on. Looks like we are sitting at 5.3.xx so its off to talk to our host. Cheers!
Glad to hear 🙂 Lot of customers were facing issue due to lower PHP version. All are advised to upgrade it.
Hi
After installation of patch 7405 , I have an error . that is
ERROR: Patch can’t be applied/reverted successfully.
Help me to solve this.
Thanks
Can you send us whole error to help you with
I need non-ssh patch files for 1.9.0.1.
Please let me know if you have it as zip.
Thank you
It has already been published.
I need the link for the zip file with the non-ssh patch files for 1.9.0.1
Install the package of 1.9.1.0
Tried to apply the 7405 patch for my magento 1.9.2.1 and when I log in to admin panel I get a sever error 500 message. Need help sorting this?
Thanks
Glad to hear that you have sorted out the issue, please share the solution with us so that any other community member can get help.
Thank you
Installed the patch without SSH Access. Now when I click view cart I get “There has been an error processing your request” and the same thing when I am in checkout. If I click on “Ship to this address” and choose an address from my address book in the checkout process I get the same error as before, if I click on “Ship to different address” I do not get the error.
I have cleared all cache in the backend. Please help. Thank you.
So I did some more poking around and it seems like it is more of an issue with the USPS update. If I disable USPS from my shipping options, I no longer have the issue.
Do I need to contact USPS about this?
Did you install SUPEE 7616 yet?
Yes I did.
The site started working fine after I disabled then enabled USPS, it worked for 2 days, and now it is giving me the error on Checkout and Cart again. I tried disabling USPS, and then I could get through everything fine. Cart worked, Checkout works. Enabled USPS again and I get the errors.
Can you contact us at support@magecomp.com with the error and the your website details?
Please check the report and send us via support email.
support@magecomp.com
Installed SUPEE-7405 and everything worked find but the order view page. Guessing as you said they will come out with a fix… so until then and to do restore from a backup and will just wait till I see a fix for it. Also thanks for doing this. Makes my life a whole lot easier! Cheers.
You are welcome shawwn 🙂
Keep visiting for more update.
Hello,
After installing the patch 7405, I have a blank page if I choose some order details.
Please read FAQs section.
It is common issue, and Magento have been notified for it. They must be working.
Does it have a solution? I’ve faced the same problem.
Please install the SUPEE 7405 v1.1 patch and your issue should be sorted out.
We have version Magento ver. 1.9.1.0
Do I use the download for 1.9.1.1?
Updated the blog 🙂
How about non-ssh patch files for 1.9.1.0? Can I use the 1.9.1.1 files?
Updated the blog 🙂
Please, it is posible you give me SUPEE-7405 without SSH for Magento 1.7.0.2
Thanks
Hello Luis
We are working on it
Thanks
after i install 7405. and i cant open backend and there is a 500 error。
Please contact our technical support team for help. It doesn’t seem to be common, but let us find the issue if we face.