APR 21 2015

How to apply SUPEE-5344 and SUPEE-1533

A recently released announcement about a Magento vulnerability, which is about to be disclosed by CheckPoint, mentions the necessity of installing Magento patches SUPEE-1533 and SUPEE-5344, available for download at the MagentoCommerce site:
https://www.magentocommerce.com/products/downloads/magento/

To apply these patches you need SSH access to the server (shell access, actually; SSH is just the most common way to get it). To apply the patches without SSH access, please refer to this article.

If you wish to save time and have us install these patches for you, simply click here to order installation.

Step 0: Preparations

Make sure to disable Magento Compiler at System > Configuration > Tools > Magento Compiler and clear the compiled cache.

Step 1: Verify your Magento version

$ grep -A6 'static function getVersionInfo' app/Mage.php
    public static function getVersionInfo()
    {
        return array(
            'major'     => '1',
            'minor'     => '9',
            'revision'  => '1',
            'patch'     => '0',

As you can see in the example, it is Magento 1.9.1.0.

Step 2: Download corresponding patches

Patches are obtained from https://www.magentocommerce.com/products/downloads/magento/

Make sure to get the right version.

Step 3: Place patches into Magento Root directory

Upload the patch files into the Magento root directory. It is important to place the patch files directly in the Magento root directory and to execute them from there as well.

$ ls -1 .
PATCH_SUPEE-1533_EE_1.13.x_v1-2015-02-10-08-18-32.sh
PATCH_SUPEE-5344_CE_1.8.0.0_v1-2015-02-10-08-10-38.sh
app
cron.php
downloader
errors
favicon.ico
index.php
js
lib
mage
media
pkginfo
robots.txt
shell
skin
var

 

Step 4: Run the patches

$ bash ./PATCH_SUPEE-1533_EE_1.13.x_v1-2015-02-10-08-18-32.sh
Checking if patch can be applied/reverted successfully...
Patch was applied/reverted successfully.
$ bash ./PATCH_SUPEE-5344_CE_1.8.0.0_v1-2015-02-10-08-10-38.sh
Checking if patch can be applied/reverted successfully...
Patch was applied/reverted successfully.

Step 5: Verification

Test that your store is working. If you use a PHP opcode cache (APC/XCache/eAccelerator), make sure to flush it after patching; otherwise the code will continue to run from the cache.

Verify that your store has the green SAFE status at http://magento.com/security-patch and on our patch tester page.

Additionally, if your store is still using the default /admin/ path, you may consider securing your Magento /admin/ by changing the admin path.

If you have any difficulties applying the patches, please let us know in the comments so we can find a solution together.

As there is an exploit in the wild, if your store has not been patched to date, chances are that it has already been exploited. Make sure to check the list of admin users. You can do this at System > Permissions > Users and System > Permissions > Roles in the Backend. Make sure to delete any unknown users, especially those with emails in the example.com domain.
Refer to the Recovery after Shoplift vulnerability article for a detailed list of actions.

 

 

 

Known issues / errors

Tool(s) “patch” is(are) missed, please install it

sh ./PATCH_SUPEE-5344_CE_1.8.0.0_v1-2015-02-10-08-10-38.sh
Error! Some required system tools, that are utilized in this sh script, are not installed:
Tool(s) "patch" is(are) missed, please install it(them).

As stated in the error message, the patch utility needs to be installed on your system. Installation usually requires superuser privileges, so make sure you have them. To install patch on Debian/Ubuntu use:

 # apt-get install patch

or

 $ sudo apt-get install patch

To install patch on RedHat/CentOS/Fedora use:

 # yum install patch

or

 $ sudo yum install patch

Failed hunks for every file to be patched and for every line

patching file app/code/core/Mage/Admin/Model/Observer.php
Hunk #1 FAILED at 44.
Hunk #2 FAILED at 62.
Hunk #3 FAILED at 73.
3 out of 3 hunks FAILED -- saving rejects to file app/code/core/Mage/Admin/Model/Observer.php.rej
patching file app/code/core/Mage/Core/Controller/Request/Http.php
Hunk #1 FAILED at 76.
Hunk #2 FAILED at 541.
2 out of 2 hunks FAILED -- saving rejects to file app/code/core/Mage/Core/Controller/Request/Http.php.rej
patching file app/code/core/Mage/Oauth/controllers/Adminhtml/Oauth/AuthorizeController.php
Hunk #1 FAILED at 55.
1 out of 1 hunk FAILED -- saving rejects to file app/code/core/Mage/Oauth/controllers/Adminhtml/Oauth/AuthorizeController.php.rej
patching file app/code/core/Mage/XmlConnect/Model/Observer.php
Hunk #1 FAILED at 143.
Hunk #2 FAILED at 160.
2 out of 2 hunks FAILED -- saving rejects to file app/code/core/Mage/XmlConnect/Model/Observer.php.rej
patching file lib/Varien/Db/Adapter/Pdo/Mysql.php
Hunk #1 FAILED at 2834.
1 out of 1 hunk FAILED -- saving rejects to file lib/Varien/Db/Adapter/Pdo/Mysql.php.rej

This can happen if the patch was already applied manually (most likely) or if these core files were changed earlier by some manual customization. If so, the files need to be compared with the original files from your Magento version and replaced if no changes are expected. Alternatively, refer to Applying SUPEE-5344 and SUPEE-1533 without SSH.

patch: unrecognized option `--dry-run'

sh ./PATCH_SUPEE-5344_CE_1.8.0.0_v1-2015-02-10-08-10-38.sh
PATCH_SUPEE-5344_CE_1.8.0.0_v1-2015-02-10-08-10-38.sh: 127: not found
PATCH_SUPEE-5344_CE_1.8.0.0_v1-2015-02-10-08-10-38.sh: 127: not found
PATCH_SUPEE-5344_CE_1.8.0.0_v1-2015-02-10-08-10-38.sh: 0: not found
Checking if patch can be applied/reverted successfully...
patch: unrecognized option `--dry-run'
Usage: /usr/bin/patch [options] [origfile [patchfile]] [+ [options] [origfile]]...
Options:
[-cCeEflnNRsStuv] [-b backup-ext] [-B backup-prefix] [-d directory]
[-D symbol] [-F max-fuzz] [-i patchfile] [-o out-file] [-p[strip-count]]
[-r rej-name] [-V {numbered,existing,simple}] [--check] [--context]
[--prefix=backup-prefix] [--suffix=backup-ext] [--ifdef=symbol]
[--directory=directory] [--ed] [--fuzz=max-fuzz] [--force] [--batch]
[--ignore-whitespace] [--forward] [--reverse] [--output=out-file]
[--strip[=strip-count]] [--normal] [--reject-file=rej-name] [--skip]
[--remove-empty-files] [--quiet] [--silent] [--unified] [--version]
[--version-control={numbered,existing,simple}] [--index-first]
ERROR: Patch can't be applied/reverted successfully.

This can happen if your version of patch has no --dry-run option; just use the --check option instead:

  • Edit the patch file (PATCH_SUPEE-5344_CE_1.8.0.0_v1-2015-02-10-08-10-38.sh in our example) and change the following line from:
    DRY_RUN_FLAG=" --dry-run"
    to:
    DRY_RUN_FLAG=" --check"
    @@ -123,7 +123,7 @@
         DRY_RUN_FLAG=
         if [ "$1" = "dry-run" ]
         then
    -        DRY_RUN_FLAG=" --dry-run"
    +        DRY_RUN_FLAG=" --check"
             echo "Checking if patch can be applied/reverted successfully..."
         fi
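    Review bot: the changed line `DRY_RUN_FLAG=" --check"` hardcodes the flag for one patch build, so a copy of this edited script would fail the same way on a host whose patch accepts --dry-run but not --check. Consider choosing the flag at run time from the usage text of the installed patch (the failing host above lists `[--check]`) and keeping " --dry-run" as the default. It is also worth recording that the script now differs from the downloaded file.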
    
    

    Alternatively, refer to Applying SUPEE-5344 and SUPEE-1533 without SSH

Call to undefined method Mage_Core_Controller_Request_Http::getInternallyForwarded()

The following fatal PHP error is logged in the webserver error log or shown on an attempt to log in to the admin backend:

PHP Fatal error: Call to undefined method Mage_Core_Controller_Request_Http::getInternallyForwarded() in app/code/core/Mage/Admin/Model/Observer.php on line 76

It means that the file app/code/core/Mage/Core/Controller/Request/Http.php is overridden either by Magento Compiler (disable Magento Compiler and flush the compiled code), or by the PHP opcode cache (restart the webserver), or by one of the local modifications from app/code/local or app/code/community (check for app/code/local/Mage/Core/Controller/Request/Http.php and app/code/community/Mage/Core/Controller/Request/Http.php and either patch these files as well or delete them).
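
The override check described above, as an added example (not part of the original article or of Magento's patch scripts): it lists copies in app/code/local and app/code/community that shadow the class files named in the patch output on this page, and tests whether a file defines getInternallyForwarded(). The function names are hypothetical; the controller file from the patch output is left out on the assumption that only autoloaded class files are shadowed this way.

```shell
#!/usr/bin/env bash
# Added example. Class files touched by the patches, taken from the
# "patching file ..." output shown on this page (controller file omitted).
PATCHED_FILES="app/code/core/Mage/Admin/Model/Observer.php
app/code/core/Mage/Core/Controller/Request/Http.php
app/code/core/Mage/XmlConnect/Model/Observer.php
lib/Varien/Db/Adapter/Pdo/Mysql.php"

# find_overrides ROOT
# Prints one "pool<TAB>path" line for every local/community copy that
# shadows a patched file. Returns 0 if none exist, 1 otherwise.
find_overrides() {
    root=${1:-.}
    found=0
    for f in $PATCHED_FILES; do
        # Reduce to the class path, e.g. Mage/Core/Controller/Request/Http.php.
        # Assumption: lib/ classes can be shadowed from the same two pools,
        # because those pools come first in the Magento 1 include path.
        case "$f" in
            app/code/core/*) rel=${f#app/code/core/} ;;
            lib/*)           rel=${f#lib/} ;;
        esac
        for pool in local community; do
            if [ -f "$root/app/code/$pool/$rel" ]; then
                printf '%s\t%s\n' "$pool" "app/code/$pool/$rel"
                found=1
            fi
        done
    done
    return $found
}

# has_method FILE NAME
# Returns 0 if FILE contains a PHP definition "function NAME(".
has_method() {
    grep -Eq "function[[:space:]]+$2[[:space:]]*\(" "$1"
}

# Stand-alone use: pass the Magento root directory as the first argument.
if [ $# -gt 0 ]; then
    find_overrides "$1" || echo "Patch or delete the files listed above." >&2
    http="$1/app/code/core/Mage/Core/Controller/Request/Http.php"
    if [ -f "$http" ] && ! has_method "$http" getInternallyForwarded; then
        echo "Core Http.php lacks getInternallyForwarded(): patch not applied." >&2
    fi
fi
```

If the script reports no overrides and the core file defines the method, the remaining causes from the paragraph above are the compiled copy and the opcode cache.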

  • foysal

    # bash ./PATCH_SUPEE-1533_EE_1.13.x_v1-2015-02-10-08-18-32.sh

    Checking if patch can be applied/reverted successfully…

    Patch was applied/reverted successfully.

    # bash ./PATCH_SUPEE-5344_CE_1.8.0.0_v1-2015-02-10-08-10-38.sh

    Checking if patch can be applied/reverted successfully…

    Patch was applied/reverted successfully.

    I got these. But if I test it here ( http://magento.com/security-patch), I am getting warning “WARNING: This site appears to be vulnerable. Please patch it immediately!”

    What should I do now ??

    • magentary

      It can be Magento Compiler or PHP opcode cache. I’d suggest to check if Magento Compiler is disabled or recompiled as mentioned at step 0, or restarted webserver to flush opcode cache.

      • foysal

        Thanks @magentary for your reply. I am in a peculiar situation. I could update patch in my 2 sites but could not update patch in another 1 site. Is there issue in shared hosting and VPS hosting. Like patch update is possible in VPS hosting but patch update is not possible in shared hosting.

        I could not find out the exact cause. I am trying through Shell Command. I got successful result in Shell Command. But the verifying site (http://magento.com/security-patch) gave me error message. I am attaching a screen shot regarding compilation state.

        Thanks

        Foysal

        • magentary

          I’d suggest to run compilation process on this screen and ask your hoster to flush opcode cache or restart webserver to apply changes in your code, it is likely to be cached in PHP opcode cache.
          I have successfully applied the patch on a number of shared hosting environments, so if there is any reason why changes in code are not reflected in compiled code, it must be specific to that hosting provider.

          • foysal

            Is it possible to flush opcode cache or restart webserver in shared hosting environments ?? We are using bluehost hosting service.

            Thanks

          • magentary

            I’d suggest to check it with hosting support, you can point them to changed PHP files (app/code/core/Mage/Core/Controller/Request/Http.php in particular) and ask why changes are not applied in executed code requesting opcode cache flush or server restart.
            Also, make sure that patched files are not overridden on your install, with local/community pools, i.e. in app/code/local/Mage/Core/Controller/Request/Http.php which normally should not exist.

  • John Roberts

    Hi,

    My Aspiration Hosting tech person tried to install these two Magento patches (SUPEE 5433 & 1533) and he got this error. Can anyone tell me what the problem is? I am not a technical person and he cannot seem to figure out why the installations did not work. Any help would be appreciated.

    ERROR MESSAGE:

    [email protected] [~/www]# /bin/sh PATCH_SUPEE-5345_CE_1.7.0.2_v1-2015-02-10-08-11-22.sh
    Checking if patch can be applied/reverted successfully…
    ERROR: Patch can’t be applied/reverted successfully.

    patching file app/code/core/Mage/Admin/Model/Observer.php
    Reversed (or previously applied) patch detected! Assume -R? [n]
    Apply anyway? [n]
    Skipping patch.
    3 out of 3 hunks ignored — saving rejects to file app/code/core/Mage/Admin/Model/Observer.php.rej
    patching file app/code/core/Mage/Core/Controller/Request/Http.php
    Reversed (or previously applied) patch detected! Assume -R? [n]
    Apply anyway? [n]
    Skipping patch.
    2 out of 2 hunks ignored — saving rejects to file app/code/core/Mage/Core/Controller/Request/Http.php.rej
    patching file app/code/core/Mage/Oauth/controllers/Adminhtml/Oauth/AuthorizeController.php
    Reversed (or previously applied) patch detected! Assume -R? [n]
    Apply anyway? [n]
    Skipping patch.
    1 out of 1 hunk ignored — saving rejects to file app/code/core/Mage/Oauth/controllers/Adminhtml/Oauth/AuthorizeController.php.rej
    patching file lib/Varien/Db/Adapter/Pdo/Mysql.php
    Reversed (or previously applied) patch detected! Assume -R? [n]
    Apply anyway? [n]
    Skipping patch.
    1 out of 1 hunk ignored — saving rejects to file lib/Varien/Db/Adapter/Pdo/Mysql.php.rej
    [email protected] [~/www]# /bin/sh PATCH_SUPEE-1533_EE_1.12.x_v1-2015-02-10-08-19-16.sh
    Checking if patch can be applied/reverted successfully…
    ERROR: Patch can’t be applied/reverted successfully.

    patching file app/code/core/Mage/Adminhtml/Block/Dashboard/Graph.php
    Reversed (or previously applied) patch detected! Assume -R? [n]
    Apply anyway? [n]
    Skipping patch.
    1 out of 1 hunk ignored — saving rejects to file app/code/core/Mage/Adminhtml/Block/Dashboard/Graph.php.rej
    patching file app/code/core/Mage/Adminhtml/controllers/DashboardController.php
    Reversed (or previously applied) patch detected! Assume -R? [n]
    Apply anyway? [n]
    Skipping patch.
    1 out of 1 hunk ignored — saving rejects to file app/code/core/Mage/Adminhtml/controllers/DashboardController.php.rej

    • magentary

      See “Known Issues / Failed hunks” section above.

  • Bill Rodgers

    Hi,

    Magento sent me patch 5388 in place of the 5344 I requested. I’ve run the patch and got the “success” message, but when I go to the admin login screen I get a blank page instead of the log in form.

    Cache and session folders have been cleared.

    Has anyone else experienced this issue?

    Thanks,
    Bill

    • Bill Rodgers

      Found the problem. Ownership of patched files had been changed to root instead of apache. Derp! :)