Recently released announce regarding Magento vulnerability which is about to be disclosed by CheckPoint mentions necessity of installing Magento patches SUPEE-1533 and SUPEE-5344 available for download at MagentoCommerce site: https://www.magentocommerce.com/products/downloads/magento/ To apply these patches you need SSH access (shell access actually, SSH is just most used way to get shell access) to the server. To apply patches without SSH access please refer to this article.
Update: Make sure also to apply the latest SUPEE-5994 released on May 15, 2015.
If you wish to save time and have us to install these patches for you, simply click here to order installation.
Step 0: Preparations
Make sure to Disable Magento Compiler at System > Configuration > Tools > Magento Compiler and clear compiled cache.Step 1: Verify your Magento version
$ grep -A6 'static function getVersionInfo' app/Mage.php public static function getVersionInfo() { return array( 'major' => '1', 'minor' => '9', 'revision' => '1', 'patch' => '0',As you can see in the example, it is Magento 1.9.1.0
Step 2: Download corresponding patches
Patches are obtained from https://www.magentocommerce.com/products/downloads/magento/ Make sure to get the right version.Step 3: Place patches into Magento Root directory
Upload your files into Magento root directory. It is important to place patch files directly into Magento root directory and execute it also directly in Magento root directory.$ ls -1 . PATCH_SUPEE-1533_EE_1.13.x_v1-2015-02-10-08-18-32.sh PATCH_SUPEE-5344_CE_1.8.0.0_v1-2015-02-10-08-10-38.sh app cron.php downloader errors favicon.ico index.php js lib mage media pkginfo robots.txt shell skin var
Step 4: Run the patches
$ bash ./PATCH_SUPEE-1533_EE_1.13.x_v1-2015-02-10-08-18-32.sh Checking if patch can be applied/reverted successfully... Patch was applied/reverted successfully. $ bash ./PATCH_SUPEE-5344_CE_1.8.0.0_v1-2015-02-10-08-10-38.sh Checking if patch can be applied/reverted successfully... Patch was applied/reverted successfully.
Step 5: Verification
Test that your store is working. If you use PHP opcode caches (APC/XCache/eAccelerator) make sure to flush it after patching, otherwise code will continue to run from caches. Verify that your store have green SAFE status at http://magento.com/security-patch and our patch tester page Additionally, if your store still using default /admin/ path, you may consider securing your Magento /admin/ by admin path change. If you have any difficulties with applying the patches please let us know in comments, so we can find the solution together.As there is an exploit in the wild, if your store was not yet patched to the date, the chances are that it is exploited already. Make sure to check list of admin users. You can do it System > Permissions > Users and System > Permissions > Roles in Backend. Make sure to delete any unknown users, especially with emails in example.com domain.
Refer to Recovery after Shoplift vulnerability article for detailed list of actions.
Known issues / errors
Tool(s) “patch” is(are) missed, please install it
sh ./PATCH_SUPEE-5344_CE_1.8.0.0_v1-2015-02-10-08-10-38.sh Error! Some required system tools, that are utilized in this sh script, are not installed: Tool(s) "patch" is(are) missed, please install it(them).As it is stated in error message
patch
utility needs to be installed on your system. Installation is usually done with superuser privileges, so make sure you have these. To install patch on Debian/Ubuntu use:
# apt-get install patchor
$ sudo apt-get install patchTo install patch on RedHat/CentOS/Fedora use:
# yum install patchor
$ sudo yum install patch
Failed hunks for every file to be patched and for every line
patching file app/code/core/Mage/Admin/Model/Observer.php Hunk #1 FAILED at 44. Hunk #2 FAILED at 62. Hunk #3 FAILED at 73. 3 out of 3 hunks FAILED -- saving rejects to file app/code/core/Mage/Admin/Model/Observer.php.rej patching file app/code/core/Mage/Core/Controller/Request/Http.php Hunk #1 FAILED at 76. Hunk #2 FAILED at 541. 2 out of 2 hunks FAILED -- saving rejects to file app/code/core/Mage/Core/Controller/Request/Http.php.rej patching file app/code/core/Mage/Oauth/controllers/Adminhtml/Oauth/AuthorizeController.php Hunk #1 FAILED at 55. 1 out of 1 hunk FAILED -- saving rejects to file app/code/core/Mage/Oauth/controllers/Adminhtml/Oauth/AuthorizeController.php.rej patching file app/code/core/Mage/XmlConnect/Model/Observer.php Hunk #1 FAILED at 143. Hunk #2 FAILED at 160. 2 out of 2 hunks FAILED -- saving rejects to file app/code/core/Mage/XmlConnect/Model/Observer.php.rej patching file lib/Varien/Db/Adapter/Pdo/Mysql.php Hunk #1 FAILED at 2834. 1 out of 1 hunk FAILED -- saving rejects to file lib/Varien/Db/Adapter/Pdo/Mysql.php.rejIt can happen if patch is already applied manually (most likely) or these core files were changed earlier by some manual customization. If so, the files needs to be compared with original files from your Magento version and replaced if no changes expected. Alternatively, refer to Applying SUPEE-5344 and SUPEE-1533 without SSH
patch: unrecognized option `–dry-run’
sh ./PATCH_SUPEE-5344_CE_1.8.0.0_v1-2015-02-10-08-10-38.sh PATCH_SUPEE-5344_CE_1.8.0.0_v1-2015-02-10-08-10-38.sh: 127: not found PATCH_SUPEE-5344_CE_1.8.0.0_v1-2015-02-10-08-10-38.sh: 127: not found PATCH_SUPEE-5344_CE_1.8.0.0_v1-2015-02-10-08-10-38.sh: 0: not found Checking if patch can be applied/reverted successfully... patch: unrecognized option `--dry-run' Usage: /usr/bin/patch [options] [origfile [patchfile]] [+ [options] [origfile]]... Options: [-cCeEflnNRsStuv] [-b backup-ext] [-B backup-prefix] [-d directory] [-D symbol] [-F max-fuzz] [-i patchfile] [-o out-file] [-p[strip-count]] [-r rej-name] [-V {numbered,existing,simple}] [--check] [--context] [--prefix=backup-prefix] [--suffix=backup-ext] [--ifdef=symbol] [--directory=directory] [--ed] [--fuzz=max-fuzz] [--force] [--batch] [--ignore-whitespace] [--forward] [--reverse] [--output=out-file] [--strip[=strip-count]] [--normal] [--reject-file=rej-name] [--skip] [--remove-empty-files] [--quiet] [--silent] [--unified] [--version] [--version-control={numbered,existing,simple}] [--index-first] ERROR: Patch can't be applied/reverted successfully.It can happen if your patch version have no
--dry-run
option, just use --check
option instead:
- Edit the patch file (PATCH_SUPEE-5344_CE_1.8.0.0_v1-2015-02-10-08-10-38.sh in our example) and change the following line from:
DRY_RUN_FLAG=" --dry-run"
to:DRY_RUN_FLAG=" --check"
@@ -123,7 +123,7 @@ DRY_RUN_FLAG= if [ "$1" = "dry-run" ] then - DRY_RUN_FLAG=" --dry-run" + DRY_RUN_FLAG=" --check" echo "Checking if patch can be applied/reverted successfully..." fi
Alternatively, refer to Applying SUPEE-5344 and SUPEE-1533 without SSH
Call to undefined method Mage_Core_Controller_Request_Http::getInternallyForwarded()
The following fatal PHP error is logged in webserver error log or shown on attempt to login into admin backend:PHP Fatal error: Call to undefined method Mage_Core_Controller_Request_Http::getInternallyForwarded() in app/code/core/Mage/Admin/Model/Observer.php on line 76It means that file
app/code/core/Mage/Core/Controller/Request/Http.php
is overriden either by Magento Compiler (disable Magento compiler and flsuh compiled code), or by PHP opcode cache (restart webserver), or by one of local modifications from app/code/local or app/code/community (check for app/code/local/Mage/Core/Controller/Request/Http.php
and app/code/community/Mage/Core/Controller/Request/Http.php
and patch these files as well or delete them).Posted in: Magento Maintenance