Published: April 21, 2015
Last updated:

How to apply SUPEE-5344 and SUPEE-1533

Recently released announce regarding Magento vulnerability which is about to be disclosed by CheckPoint mentions necessity of installing Magento patches SUPEE-1533 and SUPEE-5344 available for download at MagentoCommerce site: https://www.magentocommerce.com/products/downloads/magento/ To apply these patches you need SSH access (shell access actually, SSH is just most used way to get shell access) to the server. To apply patches without SSH access please refer to this article.

If you wish to save time and have us to install these patches for you, simply click here to order installation.

Step 0: Preparations

Make sure to Disable Magento Compiler at System > Configuration > Tools > Magento Compiler and clear compiled cache.

Step 1: Verify your Magento version

$ grep -A6 'static function getVersionInfo' app/Mage.php
    public static function getVersionInfo()
    {
        return array(
            'major'     => '1',
            'minor'     => '9',
            'revision'  => '1',
            'patch'     => '0',
As you can see in the example, it is Magento 1.9.1.0

Step 2: Download corresponding patches

Patches are obtained from https://www.magentocommerce.com/products/downloads/magento/ Make sure to get the right version.

Step 3: Place patches into Magento Root directory

Upload your files into Magento root directory. It is important to place patch files directly into Magento root directory and execute it also directly in Magento root directory.
$ ls -1 .
PATCH_SUPEE-1533_EE_1.13.x_v1-2015-02-10-08-18-32.sh
PATCH_SUPEE-5344_CE_1.8.0.0_v1-2015-02-10-08-10-38.sh
app
cron.php
downloader
errors
favicon.ico
index.php
js
lib
mage
media
pkginfo
robots.txt
shell
skin
var
 

Step 4: Run the patches

$ bash ./PATCH_SUPEE-1533_EE_1.13.x_v1-2015-02-10-08-18-32.sh
Checking if patch can be applied/reverted successfully...
Patch was applied/reverted successfully.
$ bash ./PATCH_SUPEE-5344_CE_1.8.0.0_v1-2015-02-10-08-10-38.sh
Checking if patch can be applied/reverted successfully...
Patch was applied/reverted successfully.

Step 5: Verification

Test that your store is working. If you use PHP opcode caches (APC/XCache/eAccelerator) make sure to flush it after patching, otherwise code will continue to run from caches. Verify that your store have green SAFE status at http://magento.com/security-patch and our patch tester page Additionally, if your store still using default /admin/ path, you may consider securing your Magento /admin/ by admin path change. If you have any difficulties with applying the patches please let us know in comments, so we can find the solution together.
As there is an exploit in the wild, if your store was not yet patched to the date, the chances are that it is exploited already. Make sure to check list of admin users. You can do it System > Permissions > Users and System > Permissions > Roles in Backend. Make sure to delete any unknown users, especially with emails in example.com domain.
Refer to Recovery after Shoplift vulnerability article for detailed list of actions.
     

Known issues / errors

Tool(s) “patch” is(are) missed, please install it

sh ./PATCH_SUPEE-5344_CE_1.8.0.0_v1-2015-02-10-08-10-38.sh
Error! Some required system tools, that are utilized in this sh script, are not installed:
Tool(s) "patch" is(are) missed, please install it(them).
As it is stated in error message patch utility needs to be installed on your system. Installation is usually done with superuser privileges, so make sure you have these. To install patch on Debian/Ubuntu use:
 # apt-get install patch
or
 $ sudo apt-get install patch
To install patch on RedHat/CentOS/Fedora use:
 # yum install patch
or
 $ sudo yum install patch

Failed hunks for every file to be patched and for every line

patching file app/code/core/Mage/Admin/Model/Observer.php
Hunk #1 FAILED at 44.
Hunk #2 FAILED at 62.
Hunk #3 FAILED at 73.
3 out of 3 hunks FAILED -- saving rejects to file app/code/core/Mage/Admin/Model/Observer.php.rej
patching file app/code/core/Mage/Core/Controller/Request/Http.php
Hunk #1 FAILED at 76.
Hunk #2 FAILED at 541.
2 out of 2 hunks FAILED -- saving rejects to file app/code/core/Mage/Core/Controller/Request/Http.php.rej
patching file app/code/core/Mage/Oauth/controllers/Adminhtml/Oauth/AuthorizeController.php
Hunk #1 FAILED at 55.
1 out of 1 hunk FAILED -- saving rejects to file app/code/core/Mage/Oauth/controllers/Adminhtml/Oauth/AuthorizeController.php.rej
patching file app/code/core/Mage/XmlConnect/Model/Observer.php
Hunk #1 FAILED at 143.
Hunk #2 FAILED at 160.
2 out of 2 hunks FAILED -- saving rejects to file app/code/core/Mage/XmlConnect/Model/Observer.php.rej
patching file lib/Varien/Db/Adapter/Pdo/Mysql.php
Hunk #1 FAILED at 2834.
1 out of 1 hunk FAILED -- saving rejects to file lib/Varien/Db/Adapter/Pdo/Mysql.php.rej
It can happen if patch is already applied manually (most likely) or these core files were changed earlier by some manual customization. If so, the files needs to be compared with original files from your Magento version and replaced if no changes expected. Alternatively, refer to Applying SUPEE-5344 and SUPEE-1533 without SSH

patch: unrecognized option `–dry-run’

sh ./PATCH_SUPEE-5344_CE_1.8.0.0_v1-2015-02-10-08-10-38.sh
PATCH_SUPEE-5344_CE_1.8.0.0_v1-2015-02-10-08-10-38.sh: 127: not found
PATCH_SUPEE-5344_CE_1.8.0.0_v1-2015-02-10-08-10-38.sh: 127: not found
PATCH_SUPEE-5344_CE_1.8.0.0_v1-2015-02-10-08-10-38.sh: 0: not found
Checking if patch can be applied/reverted successfully...
patch: unrecognized option `--dry-run'
Usage: /usr/bin/patch [options] [origfile [patchfile]] [+ [options] [origfile]]...
Options:
[-cCeEflnNRsStuv] [-b backup-ext] [-B backup-prefix] [-d directory]
[-D symbol] [-F max-fuzz] [-i patchfile] [-o out-file] [-p[strip-count]]
[-r rej-name] [-V {numbered,existing,simple}] [--check] [--context]
[--prefix=backup-prefix] [--suffix=backup-ext] [--ifdef=symbol]
[--directory=directory] [--ed] [--fuzz=max-fuzz] [--force] [--batch]
[--ignore-whitespace] [--forward] [--reverse] [--output=out-file]
[--strip[=strip-count]] [--normal] [--reject-file=rej-name] [--skip]
[--remove-empty-files] [--quiet] [--silent] [--unified] [--version]
[--version-control={numbered,existing,simple}] [--index-first]
ERROR: Patch can't be applied/reverted successfully.
It can happen if your patch version have no --dry-run option, just use --check option instead:
  • Edit the patch file (PATCH_SUPEE-5344_CE_1.8.0.0_v1-2015-02-10-08-10-38.sh in our example) and change the following line from: DRY_RUN_FLAG=" --dry-run" to: DRY_RUN_FLAG=" --check"
    @@ -123,7 +123,7 @@
         DRY_RUN_FLAG=
         if [ "$1" = "dry-run" ]
         then
    -        DRY_RUN_FLAG=" --dry-run"
    +        DRY_RUN_FLAG=" --check"
             echo "Checking if patch can be applied/reverted successfully..."
         fi
    
    
    Alternatively, refer to Applying SUPEE-5344 and SUPEE-1533 without SSH

Call to undefined method Mage_Core_Controller_Request_Http::getInternallyForwarded()

The following fatal PHP error is logged in webserver error log or shown on attempt to login into admin backend:
PHP Fatal error: Call to undefined method Mage_Core_Controller_Request_Http::getInternallyForwarded() in app/code/core/Mage/Admin/Model/Observer.php on line 76
It means that file app/code/core/Mage/Core/Controller/Request/Http.php is overriden either by Magento Compiler (disable Magento compiler and flsuh compiled code), or by PHP opcode cache (restart webserver), or by one of local modifications from app/code/local or app/code/community (check for app/code/local/Mage/Core/Controller/Request/Http.php and app/code/community/Mage/Core/Controller/Request/Http.php and patch these files as well or delete them).

Posted in: Magento Maintenance

93 votes, 4.57 avg. rating (91% score)