Published: September 3, 2015

How to apply SUPEE-3762 without SSH

August 31, 2015: We are receiving notices about attacks on Magento stores via the /index.php/api/v2_soap/index/ URL, exploiting an issue in the Zend Framework used in versions 1.9.0.0 and 1.9.0.1. The attacks are coming from the 178.62.128.0/17 network block (DigitalOcean), and the user-agent is logged as [email protected].
If you run Magento 1.9.0.0 or 1.9.0.1, it is strongly recommended to apply the SUPEE-3762 patch or upgrade to the latest Magento version. If you wish to save time and have us install these patches for you, simply click here to order installation. If you have no SSH access to apply the patch, you can simply upgrade your installation to Magento 1.9.2.1, which includes all the latest security patches (SUPEE-5344, SUPEE-5994, SUPEE-6285, SUPEE-6482). If a Magento upgrade is not possible at the moment for some reason, you can still apply the patch via FTP/sFTP upload as shown in this article. The SUPEE-3762 patch can be installed independently, prior to or after installation of other security patches (SUPEE-1533, SUPEE-5344, SUPEE-5994 or SUPEE-6285). The following files are changed by SUPEE-3762:
  • lib/Zend/Soap/Server.php
  • lib/Zend/Xml/Exception.php
  • lib/Zend/Xml/Security.php
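
As an added example (not part of the original article), the following Python script checks a web server access log for requests to the SOAP v2 API endpoint named in the notice above and marks client addresses inside 178.62.128.0/17. It assumes the Apache/nginx combined log format; the sample log lines and user-agent strings are constructed, and the match on any path containing /api/v2_soap is an assumption that is broader than the single URL in the notice.

```python
import ipaddress
import re

# Both values come from the August 31 notice above.
NOTICE_NET = ipaddress.ip_network("178.62.128.0/17")
SOAP_MARKER = "/api/v2_soap"  # assumption: broader than the exact URL (rewrites, subdirs)

# Assumed input: Apache/nginx "combined" (or "common") access log lines.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = [
    '178.62.200.15 - - [31/Aug/2015:10:12:01 +0000] "POST /index.php/api/v2_soap/index/ HTTP/1.1" 200 512 "-" "constructed-agent"',
    '178.62.200.15 - - [31/Aug/2015:10:12:03 +0000] "POST /index.php/api/v2_soap/index/ HTTP/1.1" 500 0 "-" "constructed-agent"',
    '203.0.113.7 - - [31/Aug/2015:10:13:00 +0000] "GET /index.php/api/v2_soap/index/?wsdl=1 HTTP/1.1" 200 9000 "-" "constructed-erp-client"',
    '178.62.10.5 - - [31/Aug/2015:10:14:00 +0000] "GET /index.php/customer/account/login/ HTTP/1.1" 200 4000 "-" "constructed-browser"',
]

def soap_hits(lines):
    """Yield (ip, method, status, in_notice_net) for SOAP v2 API requests."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        path = re.sub(r"/+", "/", m["uri"].split("?", 1)[0]).lower()
        if SOAP_MARKER not in path:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # a hostname was logged instead of an address
        yield str(ip), m["method"], int(m["status"]), ip in NOTICE_NET

def summarize(lines):
    """Return ({ip: request_count}, {ips inside the notice's network block})."""
    per_ip, flagged = {}, set()
    for ip, _method, _status, in_net in soap_hits(lines):
        per_ip[ip] = per_ip.get(ip, 0) + 1
        if in_net:
            flagged.add(ip)
    return per_ip, flagged

if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_LOG)
    for ip, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        note = "in 178.62.128.0/17" if ip in flagged else "other source"
        print(f"{ip}\t{n} request(s)\t{note}")
```

Requests from other addresses are listed as well, since the notice names only one source range and legitimate integrations may call the same endpoint.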

Applying Magento patches via FTP/sFTP or FileManager / File Upload

To apply patches this way, we simply replace the changed files. This method cannot be used blindly if you or your developers have changed any core Magento files (which is a big no-no, by the way). Such changes must be re-applied to the patched files, or you will lose them. Before patching, make sure to disable the Magento Compiler if you use it and clear the compiled cache. The patched versions of these files for Magento 1.9.0.0 and 1.9.0.1 are packed into a single ZIP archive:
Magento version            SUPEE-3762
Magento 1.9.0.0-1.9.0.1    SUPEE-3762-1.9.0.1

If you use a PHP opcode cache (APC/XCache/eAccelerator), make sure to flush it (or restart the web server) after patching; otherwise the code will continue to run from the cache. Additionally, if your store is still using the default /admin/ path, consider securing your Magento /admin/ by changing the admin path and restricting access to /downloader/. Done. If you have any difficulties applying the patches, please let us know in the comments so we can find a solution together.
