APR 20 2015

How to apply SUPEE-5344 and SUPEE-1533 without SSH

Recently released announce regarding Magento vulnerability disclosed by CheckPoint urges Magento patches SUPEE-1533 and SUPEE-5344 installation. The patches are available for download at MagentoCommerce site:

To test if your store is vulnerable use our Scan your store button in sidebar.

The only problem with these patches is SSH requirement, which some hosts do not provide. If you have SSH access, you can install patches as shown in How to apply SUPEE-5344 and SUPEE-1533 via SSH.

It is still possible to apply these patches even without SSH via FTP/sFTP or direct execution via PHP as shown below in this article.

If you wish to save time and have us to install these patches for you, simply click here to order installation.

If you have any difficulties with applying the patches please let us know in comments, so we can find the solution together.

Note: Before patching make sure to Disable Magento Compiler if you use it at System > Configuration > Tools > Compilation and clear compiled cache.

Applying Magento patches via FTP/sFTP or FileManager

To apply patches via FTP we simply replace changed files. This way can not be used blindly if you or your developers have changed any core Magento files (which is a big no-no, by the way). Such changes should be re-applied to patched files, or you loose these changes.

Patch SUPEE-1533 (Magento 1.7.x.x- applied to the following files:

  • app/code/core/Mage/Adminhtml/Block/Dashboard/Graph.php
  • app/code/core/Mage/Adminhtml/controllers/DashboardController.php

Patched version of files for Magento (including, and versions) packed into single ZIP archive: SUPEE-1533.zip. Simply unpack it and replace files on your store by uploading app folder into your Magento root directory.

Patch SUPEE-5344 (Magento 1.8.x.x- applied to the following files:

  • app/code/core/Mage/Admin/Model/Observer.php
  • app/code/core/Mage/Core/Controller/Request/Http.php
  • app/code/core/Mage/Oauth/controllers/Adminhtml/Oauth/AuthorizeController.php
  • app/code/core/Mage/XmlConnect/Model/Observer.php
  • lib/Varien/Db/Adapter/Pdo/Mysql.php

Patched version of these files for Magento 1.8.x.x- packed into single ZIP archive: SUPEE-5344.zip. Simply unpack it and replace files on your store by uploading app/ and lib/ folders into your Magento root.


Patches for other versions ( and earlier)

Older versions are patched in the same way, I have combined downloads for all versions into a single table. The last column contains combined version of both patches to upload both patches at once.

Magento versionSUPEE-5344SUPEE-1533COMBINED (both patches at once)
not prepared (due to low volume)
use official .sh patch file or upgrade to nearest
not prepared (due to high customization rate and overrides possibility)
use official .sh patch file
Magento 1.3
not prepared (due to high customization rate and overrides possibility)
use patch from here

Simply unpack the archive and replace files on your store by uploading app/ and lib/ folders into your Magento root directory.

If you use PHP opcode caches (APC/XCache/eAccelerator) make sure to flush it after patching, otherwise code will continue to run from caches.


Verify that your store have green SAFE status at http://magento.com/security-patch and our patch tester page.

Additionally, if your store still using default /admin/ path, you may consider securing your Magento /admin/ by admin path change.


Update: Make sure also to apply the latest SUPEE-5994 and SUPEE-6285.

As there is an exploit in the wild, if your store was not yet patched to the date, the chances are that it is exploited already. Make sure to check list of admin users. You can do it System > Permissions > Users and System > Permissions > Roles in Backend. Make sure to delete any unknown users, especially with emails in example.com domain.
Refer to Recovery after Shoplift vulnerability article for detailed list of actions.

Applying Magento patches via PHP

Upload one of PHP shells to your Magento root subfolder. Sample PHP shells are PHP Shell and phpFileManager. Just upload one of shells to your Magento site, open the shell in browser and run Magento patches in the shell provided just like via SSH.


Applying patches manually (by merging patches with your changes in core files)

Use this way only if you or your developers have changed core Magento files that need to be patched. Apply the changes from the diffs below line by line editing all files. Lines prefixed with a “+” (plus sign) should be added, lines prefixed with “-” (minus sign) should be removed, “@@” characters indicate position (line number and column).

Complete DIFF for SUPEE-1533 (Magento

diff --git app/code/core/Mage/Adminhtml/Block/Dashboard/Graph.php app/code/core/Mage/Adminhtml/Block/Dashboard/Graph.php
index c698108..6e256bb 100644
--- app/code/core/Mage/Adminhtml/Block/Dashboard/Graph.php
+++ app/code/core/Mage/Adminhtml/Block/Dashboard/Graph.php
@@ -444,7 +444,7 @@ class Mage_Adminhtml_Block_Dashboard_Graph extends Mage_Adminhtml_Block_Dashboar
             return self::API_URL . '?' . implode('&', $p);
         } else {
-            $gaData = urlencode(base64_encode(serialize($params)));
+            $gaData = urlencode(base64_encode(json_encode($params)));
             $gaHash = Mage::helper('adminhtml/dashboard_data')->getChartDataHash($gaData);
             $params = array('ga' => $gaData, 'h' => $gaHash);
             return $this->getUrl('*/*/tunnel', array('_query' => $params));
diff --git app/code/core/Mage/Adminhtml/controllers/DashboardController.php app/code/core/Mage/Adminhtml/controllers/DashboardController.php
index eebb471..f9cb8d2 100644
--- app/code/core/Mage/Adminhtml/controllers/DashboardController.php
+++ app/code/core/Mage/Adminhtml/controllers/DashboardController.php
@@ -92,7 +92,8 @@ class Mage_Adminhtml_DashboardController extends Mage_Adminhtml_Controller_Actio
         if ($gaData && $gaHash) {
             $newHash = Mage::helper('adminhtml/dashboard_data')->getChartDataHash($gaData);
             if ($newHash == $gaHash) {
-                if ($params = unserialize(base64_decode(urldecode($gaData)))) {
+                $params = json_decode(base64_decode(urldecode($gaData)), true);
+                if ($params) {
                     $response = $httpClient->setUri(Mage_Adminhtml_Block_Dashboard_Graph::API_URL)
                             ->setConfig(array('timeout' => 5))


Complete DIFF for SUPEE-5344 (Magento

diff --git app/code/core/Mage/Admin/Model/Observer.php app/code/core/Mage/Admin/Model/Observer.php
index bd00181..6a5281c 100644
--- app/code/core/Mage/Admin/Model/Observer.php
+++ app/code/core/Mage/Admin/Model/Observer.php
@@ -44,6 +44,10 @@ class Mage_Admin_Model_Observer
         $session = Mage::getSingleton('admin/session');
         /** @var $session Mage_Admin_Model_Session */
+        /**
+         * @var $request Mage_Core_Controller_Request_Http
+         */
         $request = Mage::app()->getRequest();
         $user = $session->getUser();

@@ -58,7 +62,7 @@ class Mage_Admin_Model_Observer
         if (in_array($requestedActionName, $openActions)) {
         } else {
-            if($user) {
+            if ($user) {
             if (!$user || !$user->getId()) {
@@ -69,13 +73,14 @@ class Mage_Admin_Model_Observer
                     $session->login($username, $password, $request);
                     $request->setPost('login', null);
-                if (!$request->getParam('forwarded')) {
+                if (!$request->getInternallyForwarded()) {
+                    $request->setInternallyForwarded();
                     if ($request->getParam('isIframe')) {
                         $request->setParam('forwarded', true)
-                    } elseif($request->getParam('isAjax')) {
+                    } elseif ($request->getParam('isAjax')) {
                         $request->setParam('forwarded', true)
diff --git app/code/core/Mage/Core/Controller/Request/Http.php app/code/core/Mage/Core/Controller/Request/Http.php
index 6513db9..31eb6d6 100644
--- app/code/core/Mage/Core/Controller/Request/Http.php
+++ app/code/core/Mage/Core/Controller/Request/Http.php
@@ -76,6 +76,13 @@ class Mage_Core_Controller_Request_Http extends Zend_Controller_Request_Http
     protected $_beforeForwardInfo = array();

+     * Flag for recognizing if request internally forwarded
+     *
+     * @var bool
+     */
+    protected $_internallyForwarded = false;
+    /**
      * Returns ORIGINAL_PATH_INFO.
      * This value is calculated instead of reading PATH_INFO
      * directly from $_SERVER due to cross-platform differences.
@@ -534,4 +541,26 @@ class Mage_Core_Controller_Request_Http extends Zend_Controller_Request_Http
         return false;
+    /**
+     * Define that request was forwarded internally
+     *
+     * @param boolean $flag
+     * @return Mage_Core_Controller_Request_Http
+     */
+    public function setInternallyForwarded($flag = true)
+    {
+        $this->_internallyForwarded = (bool)$flag;
+        return $this;
+    }
+    /**
+     * Checks if request was forwarded internally
+     *
+     * @return bool
+     */
+    public function getInternallyForwarded()
+    {
+        return $this->_internallyForwarded;
+    }
diff --git app/code/core/Mage/Oauth/controllers/Adminhtml/Oauth/AuthorizeController.php app/code/core/Mage/Oauth/controllers/Adminhtml/Oauth/AuthorizeController.php
index c30d273..36542f9 100644
--- app/code/core/Mage/Oauth/controllers/Adminhtml/Oauth/AuthorizeController.php
+++ app/code/core/Mage/Oauth/controllers/Adminhtml/Oauth/AuthorizeController.php
@@ -55,7 +55,7 @@ class Mage_Oauth_Adminhtml_Oauth_AuthorizeController extends Mage_Adminhtml_Cont
     public function preDispatch()
-        $this->getRequest()->setParam('forwarded', true);
+        Mage::app()->getRequest()->setInternallyForwarded();

         // check login data before it set null in Mage_Admin_Model_Observer::actionPreDispatchAdmin
         $loginError = $this->_checkLoginIsEmpty();
diff --git app/code/core/Mage/XmlConnect/Model/Observer.php app/code/core/Mage/XmlConnect/Model/Observer.php
index e6cb947..36142ac 100644
--- app/code/core/Mage/XmlConnect/Model/Observer.php
+++ app/code/core/Mage/XmlConnect/Model/Observer.php
@@ -143,7 +143,7 @@ class Mage_XmlConnect_Model_Observer
         /** @var $request Mage_Core_Controller_Request_Http */
         $request = Mage::app()->getRequest();
         if (true === $this->_checkAdminController($request, $event->getControllerAction())) {
-            $request->setParam('forwarded', true)->setDispatched(true);
+            $request->setInternallyForwarded()->setDispatched(true);

@@ -160,7 +160,7 @@ class Mage_XmlConnect_Model_Observer
         if (false === $this->_checkAdminController($request, $event->getControllerAction())
             && !Mage::getSingleton('admin/session')->isLoggedIn()
         ) {
-            $request->setParam('forwarded', true)->setRouteName('adminhtml')->setControllerName('connect_user')
+            $request->setInternallyForwarded()->setRouteName('adminhtml')->setControllerName('connect_user')
diff --git lib/Varien/Db/Adapter/Pdo/Mysql.php lib/Varien/Db/Adapter/Pdo/Mysql.php
index 2226331..d1c6942 100644
--- lib/Varien/Db/Adapter/Pdo/Mysql.php
+++ lib/Varien/Db/Adapter/Pdo/Mysql.php
@@ -2834,10 +2834,6 @@ class Varien_Db_Adapter_Pdo_Mysql extends Zend_Db_Adapter_Pdo_Mysql implements V

         $query = '';
         if (is_array($condition)) {
-            if (isset($condition['field_expr'])) {
-                $fieldName = str_replace('#?', $this->quoteIdentifier($fieldName), $condition['field_expr']);
-                unset($condition['field_expr']);
-            }
             $key = key(array_intersect_key($condition, $conditionKeyMap));

             if (isset($condition['from']) || isset($condition['to'])) {

If you have any difficulties with applying the patches please let us know in comments, so we can find the solution together.

Posted in: Magento Maintenance

How to apply SUPEE-5344 and SUPEE-1533 without SSH
62 votes, 4.61 avg. rating (92% score)
  • Avantech

    I have applied the patches manually, but https://shoplift.byte.nl is still telling me that my site is vulnerable! Can’t work it out!

    • Lukas

      @avantech I had the same issue, you have to apply the secound patch too.
      Worked on my Magento Server. Now the Test says it’s save.

      • Lukas

        Didn’t read patche’s’ so i think you did what i did. Sry mate

    • magentary

      Results at the test website are caches for 5 minutes, please make sure that you don’t read it from cache.

  • Tarun Patel

    Yes i have installed it manually but am getting notification message :

    Second Reminder: Download and install Magento critical security patches now.

    is that manually patch not working correctlly ?

    • magentary

      Reminders at Magento admin Dashboard are shown until you delete it or mark as read, just like other news. You can test if your site is vulnerable at https://shoplift.byte.nl
      Please make sure to apply both patches and note that results are cached for 5 minutes.

  • Lukas

    @avantech:disqus I had the same issue, you have to apply the secound patch too. Worked on my Magento Server. Now the Test says it’s save.

  • Avantech

    I have applied both of them to a Magento 1.8.1 installation and I am still getting vulnerable on the website! I don’t know what gives at all?!

    • magentary

      Results at the test website are caches for 5 minutes, please make sure that you don’t read it from cache.

      • Avantech

        I am aware of that and I have also used the curl command to check to remove caching from the equation. I still can’t understand why!

        • magentary

          The test site checks if ‘forwarded’ parameter can be passed through. You can check if app/code/core/Mage/Core/Controller/Request/Http.php got patched by looking into its contents.
          When patched, it should contain the following string “Flag for recognizing if request internally forwarded” and “$_internallyForwarded = false;”.
          If these lines are there, that the file is patched and allows no “forwarded” parameter, but code is getting executed from another place (PHP opcode cache or some other directory or cache). If the lines are not there, than the file was not patched and should be reuploaded.

          • Avantech

            Thanks a lot! The lines are there alright

            * Flag for recognizing if request internally forwarded
            * @var bool
            protected $_internallyForwarded = false;

          • George Bougiakas

            Hi, I replaced the files for both patches, I can see that the above lines of code exist, however both the test site and the json return that my site is still vulnerable. Any ideas?

          • gwillem

            Flush your caches (file, Varnish, Redis etc), recompile your Magento PHP code, restart your PHP server to flush opcode cache.

          • Paresh Pau

            I have magento ver 1.8 and updated the 2 patches but still fails the
            online check , so wondering how to flush the cache as I only have access
            to admin or ftp to the server , any help as I need to know my site is

          • magentary

            You can restart your webserver or ask your hosting to flush PHP opcode cache and restart webserver for you.

  • http://www.hasanatbinici.com Hasan Atbinici

    I have applied patches with “File Upload” option to a Magento 1.8.1 and still getting WARNING! I don’t know that to do? I checked app/code/core/Mage/Core/Controller/Request/Http.php and it’s updated.

    • magentary

      Have you checked it at https://shoplift.byte.nl or the warning is shown in news section in Magento Dashboard?

      • http://www.hasanatbinici.com Hasan Atbinici

        I have checked at shoplift.bye.nl and getting WARNING message said VULNERABLE.

        • magentary

          As file is patched, that means the code is getting executed from another place (PHP opcode cache or some other directory or cache). Make sure that you have disabled Magento compiler and flushed PHP Opcode cache, in some cases opcode cache is reset on webserver restart.

          • http://www.hasanatbinici.com Hasan Atbinici

            Thanks a lot! I have flushed caches and now its working perfectly.

          • Paresh Pau

            I have magento ver 1.8 and updated the 2 patches but still fails the
            online check , so wondering how to flush the cache as I only have access
            to admin or ftp to the server , any help as I need to know my site is
            safe, not sure how to flush PHP Opcode ???

  • Conn Clissmann

    Currently using CE and note that there the patched files here only cover 1.8-1. for SUPEE-5344. Is there a reason for this? I have installed the patched files for SUPEE-1533 and purged all caches but still get the warning in Magento and the warning at shoplift.bye.nl (even after more than 5 minutes wait).

    • magentary

      shoplift test is checking SUPEE-5344, please use the following set of files for Magento 1.7.x.x:

      I have updated article to include set of files for 1.7.x.x

      • Conn Clissmann

        Fantastic help! Many thanks – I now get a lovely PASS at out Dutch friend’s site. Saved me a lot of hair-pulling – from a man with not much hair left to pull :-)

  • mage17

    Hello, thanks for the hard work. I really appreciate that post!
    Was able to patch my 1.7 Magento. But I also have a 1.6.2. installation (server does not allow sh files patching). Can you please provide patched files for Magento 1.6.2, too
    Thanks in advance!

  • Aziz

    You are amazing !!

    It works perfectly .. Shoplift Bug Tester shows my site as safe ;)

  • Jaspreet Singh

    My Magento version is 1.4 what should i do ? Which patch file should i upload :(

    • jaspreet singh

      Can you reply me as well?? Do you have patch for 1.4 version as well ??

      I have downloaded sh patches from Magento Site for 1.4 verion and opened sh files in notepad++ updated files accordingly.

      1. Cleared cache as well will message go automatically?
      2. How can i check my site is safe now ?

      Please reply. You are not replying to me..

      • magentary

        No, I have no patches for 1.4 and can not help you with that.

        • jaspreet singh

          No Problem Buddy I have done it myself thanks

          • Juan Antonio Navarro Jimenez

            could you share your patch for 1.4 ? Thanks

          • jaspreet singh

            I have shared details my comment has not been approved yet ?

          • jaspreet singh

            See image attached not sure why they are uploading my comment and not allowing me to share files. :(

          • jaspreet singh

            they are deleting my comments.. contact me [email protected]

          • jaspreet singh

            why my reply to Juan is being deleted ??

          • jaspreet singh

            Hi Juan.. my comments are being deleted here http://magentary.com/kb/apply-supee-5344-and-supee-1533-without-ssh/#comment-1989632396
            share your mail id i will send you 1.4 patch files

  • Eshaan


    I really thank you for giving such a detailed way of resolving the issue.

    I have tried to copy the files as mentioned to the folders using FTP / in


    …. but after testing it still shows VULNERABLE. I even waited 1 hour but the result is same. Please Help !! Also I want to know that there are two folders similar to each other which is public_html and www. Do I need to copy the files in both !!!


    • magentary

      You have applied only first patch (SUPEE-1533). For the test check to succeed you need to apply second patch: SUPEE-5344

  • Eshaan

    Thanks Thanks Thanks !!! I really dont have words to thank you as this has been the most easiest way of fixing !! Amazing !!!!!! SAFE NOW !!!

  • CJ

    I don’t get it..so do I just copy all the – DIFF for SUPEE-1533 file directly into the app/code/core/Mage/Adminhtml/Block/Dashboard/Graph.php
    app/code/core/Mage/Adminhtml/controllers/DashboardController.php files? and clear cache?

  • http://zerod10.com zerod10

    Thanks, really help!

    But if i try to replace the file Mysql.php give me a permission problem, how can i fix it?


    • magentary

      It indicates that either Mysql.php have read-only flag set (you can change it to read-write in your file manager) or you are uploading under user which is not the owner of that file. If so, you need to upload under correct user or ask your host to assist you with permissions.

      • http://zerod10.com zerod10


  • Prismil

    Thank you!!!

  • CJ

    Is this correct..you add the yellow line and take the light blue line in the php files?

    • Guest

      @magentary:disqus can you please reply to my comments..I installed and uninstalled 1.7 Magento numerous times after trying to attempt to upgrade to 1.9.1..now I finally have 1.9.1 running I don’t want to muck around with these files unless I know what I am doing.

      • magentary

        I don’t want to spend my time on this either, should I?

  • Dani

    Thanks, really helpful!

    I used the FTP option and when checking if my website is safe or not, it says it’s safe.

    But when logging in the admin panel I still get the error message “Urgent: Immediately install Magento critical security patches”, why could it be?


    • Floris

      For me the same! I deleted the messages I received earlier yesterday and today I received the exact same message!

    • magentary

      The message in admin is just a message from news feed, Magento is sending these messages to all.

      • Guest

        Oke great! Will just ignore these messages then! However one more question, in my system.log file I noticed the following line (repeatedly):
        2015-04-24T13:33:24+00:00 ERR (3): Warning: array_key_exists() expects parameter 2 to be array, null given in /httpdocs/app/code/core/Mage/Captcha/Model/Observer.php on line 166

        What does this mean?

      • Dani


        Does it mean I’ll get more messages like this on the future? Like a 4th reminder or so?

        Thanks again, for real :)

    • http://rainsford.net/ Richard Rainsford

      just mark the messages as read and they wil go away :)

  • Gladdert

    I am working with Magento ver. but i dont have a Staging Site.
    Can I expect any problems with this way of patching?

    • magentary

      It depends only on your actions and all previous modifications done in core files or settings to your store.
      If core files were not changed or overridden, the store was properly upgraded in the past (so there is no a mix of different versions in your code), there are no any problems expected.

      • Gladdert

        It works fine,Thanks!!!!!!!!!

  • Fred

    Huge thanks!!

  • http://rainsford.net/ Richard Rainsford

    brilliant, thanks for this, I did try via ssh but it was less than clear!
    1533 failed – ERROR: Patch can’t be applied/reverted successfully.
    So I merged using sftp and all went fine :)

    5344 patch “Patch was applied/reverted successfully.”
    And I can now see it has been successful when I checked the files, against the files, from your download :)
    But now, I have a permission problem as the files are owned by root. Will that leave any problem, I have tried to reset with the
    magento-permissions-cleanup.php script, but this also gave failures:
    Warning: chmod() [function.chmod]: Operation not permitted
    Thanks for any tips

    • magentary

      It seems like you have uploaded files as root, so they are now owned by root. You can use chown command in SSH console as root to change owner for all files to the same owner as on index.php, i.e. as root in SSH console under Magento root directory:
      # chown -h -R –reference=./index.php ./app ./lib

      • http://rainsford.net/ Richard Rainsford

        its wasn’t the uploaded files, but those from the SSH [email protected] – 5344 patch “Patch was applied/reverted successfully.”, any way, your command worked like a charm :)

        many thanks

  • fabrigm mundu

    Finally! I had to recompile too, thanks!

  • David74469

    http://pastebin.com/gi1y9YDM script to check if page is vulernable

  • Sweety

    Can anyone provide us patch for Magento ver.

  • Erik Meeder

    Is anyone else having problems testing there site at https://shoplift.byte.nl or at http://magento.com/security-patch ? I have tried multiple variations of my admin url just in case i had it wrong. But no matter what it always comes up as “ERROR: I could not connect to that server. Please double-check for typos.” I can use the exact same url in a webbrowser and i get to my admin log in screen. I have tried the url with the /admin and index.php/admin and made sure i am in my root directory. Not sure how i can check if it is patched or not. Hopefully someone can advise me. Could there be a Geo-IP lock on my admin section?? not sure if that is possible.

    • magentary

      I’ve checked it on a dozens of stores and it worked every time, I’d suggest to stuck with http://magento.com/security-patch URL as it is the same test as from byte.nl but under Magento’s control.
      You can try the PHP script from David74469 here in comments instead, if your store is firewalled.

      • Erik Meeder

        Thanks for the reply. I Contacted my host and you are correct, my server is firewalled with ModSecurity which would normaly block those types of test requests. Therefore i was getting ‘cannot connect to server’ issues.

        I wonder if this would have effected why i had a hard time installing the Patch. I used the PHP method (created a new PHP file and then went to that file in my web browser). It returned results that in my opinion where inconclusive. I will post it here in case anyone else had this same problem.
        Checking if patch can be applied/reverted successfully…
        ERROR: Patch can’t be applied/reverted successfully.

        patching file app/code/core/Mage/Admin/Model/Observer.php
        Reversed (or previously applied) patch detected! Assume -R? [n]
        Apply anyway? [n]
        Skipping patch.
        3 out of 3 hunks ignored — saving rejects to file app/code/core/Mage/Admin/Model/Observer.php.rej
        patching file app/code/core/Mage/Core/Controller/Request/Http.php
        Reversed (or previously applied) patch detected! Assume -R? [n]
        Apply anyway? [n]
        Skipping patch.

        This is the result i was getting for every file it was trying to patch. I manually checked the code in the relevant files and they had in fact been patched correctly.

        BTW my Host told me that with ModSecurity it would not be possible for my store to be hacked even without the Patch installed. But either way, i would still want to make sure my store is up to date with proper security in place.

  • http://www.sergiodouglas.com Sérgio Douglas

    I tried applying the pach via SSH but it didn’t work correctly. Testing with theshoplift.byte.nl

    Upload your files and everything OK.

    Good job and thank you very much for your help.

  • Santosh Shrikhande

    Thank you very much. Finally got the solution.. :D

  • MatHeller

    Hi, I uploaded the files as indicated by you. However, after the upload the backend is not accessible anymore. Any idea what might have happend?



    • magentary

      Backend inaccessibility indicates problem with PHP code, either Magento Compiler is enabled and was not disabled or uploaded files do not match to Magento version installed. You can find the exact reason in PHP error log or webserver error log depending on your configuration.

  • marcel

    Perfect, looking for this, thanks!

  • vinod khajja


    Patches for other versions ( and earlier) not showing patches for version

    • magentary

      The article was updated to include files for

      • vinod khajja

        Hi Thanks for reply but I am only able to see listing up to Magento . I need files for magento CE

      • vinod khajja

        Thanks Magentary Perfect :)

  • Ton de Visser

    Thanx a lot Magentary works great. I have a question thoug Is the 1.6 version also suitable for magento 1.4

    • magentary

      No, files for 1.6 are not suitable for 1.4, the difference is not only in line numbers or functions code, but in filenames as well. You can ask your host to patch it for you providing the correct patch file for 1.4 from magento.com, if they give no ssh access. I would not prepare files for 1.4 as there is a very high probability of core code modifications/overrides there (in most cases they are not upgraded for reason), and simply uploading stock core files may break it.

      • Ton de Visser

        Thank you magentary, they have ssh access but it’s almost impossible to make a good backup as the site is to big. I try to find a way.

  • Vick

    Can I have patches for Enterprise edition 1.14.1

    • magentary

      I’d suggest to check it with your program manager at Magento or with solution partner providing your enterprise edition.

  • TG

    +1 in need of version please

    • magentary

      The article was updated to include files for

  • magentary

    There is no XmlConnect/Model/Observer.php for version as there is no such file in that version and it requires no patching. The error indicates that either Magento Compiler or opcode cache was not flushed as suggested in article or Mage_Admin_Model_Observer is overridden in local/ or community/ code pool and therefor should be patched there as well.

  • muzafar


    i install this patch on 2 domains one has oky but other domain not fixed.. this domain still getting warring message on

    both are magento versions..

  • Techguy

    Please let me know how can I install patches in Magento 1.4.0 version? Please provide zip for Magento 1.4.0 version. So we can manually check & update the files.

  • Shashikant


    I have install patches for Magento 1.7 with SUPEE-1533+5344-1.7 but after installation it shows me the error “Fatal error: Class ‘Mage_Core_Model_App’ not found in /home/tea67dpt/public_html/app/Mage.php on line 669″. My site is down and also I am not able to access the admin panel. The site is on production mode and now its down. Can you please help me to fix asap.

    • magentary

      The error tells you that app/code/core/Mage/Core/Model/App.php can not be read. Make sure that the file exists and permissions are correct and that you have flushed caches, compiler code and PHP opcode cache.

      • Shashikant

        Thanks a lot for your valuable help. I was able to apply the patches successfuly :)

  • Arun

    Hello Sir,

    i am using Magento 1.7.x i had update the patches

    Fatal error: Class ‘Mage_Install_Controller_Router_Install’ not found in /home/content/70/12213370/html/okolo/includes/src/__default.php on line 17475

    can you please help me ?

  • Gabriel Gueugneau

    I have applied the patches manually for Magento but now i cant access ton my admin panel, page is still loading, whats the problem ? thank you

  • Matteo

    Thanks a lot! such a simple procedure!

  • ram


    i have upload the magento1.7 patches,but how do i know safe the site.when i run my site securty page.warning message displayed .apply patch immediately .How top solve this

  • Gabriel Sant’Ana Joussef

    I installed the data through ftp upload, but still I recieve a non-recognized 5344 patch