JUL 07 2015

How to install SUPEE-6285

According to the announcement sent on July 7, 2015 to all Magento installations, the new security patch SUPEE-6285 should be installed in addition to three recent patches (SUPEE-5994, SUPEE-5344 and SUPEE-1533).

July 7, 2015: New Magento Security Patch (SUPEE-6285) – Install Immediately
Today we are providing a new security patch (SUPEE-6285) that addresses critical security vulnerabilities. The patch is available for Community Edition 1.4.1 to 1.9.1.1 and is part of the core code of our latest release, Community Edition 1.9.2, available for download today. PLEASE NOTE: You must first implement SUPEE-5994 to ensure SUPEE-6285 works properly. Download Community Edition 1.9.2 or the patch from the Community Edition download page: https://www.magentocommerce.com/products/downloads/magento/

The new SUPEE-6285 patch can be downloaded as usual from the Downloads page, https://www.magentocommerce.com/products/downloads/magento/, or installed as a regular Magento upgrade via the Downloader (it is included in Magento 1.9.2.1).

You can install it in the same way as previous patches or by upgrading to Magento 1.9.2.1.

To apply the patches you need shell access to the server; SSH is simply the most common way to get it. To apply the patches without SSH access, please refer to this article.

If you wish to save time and have us install these patches for you, simply click here to order installation.

Step 0: Preparations

Make sure to disable the Magento Compiler at System > Configuration > Tools > Magento Compiler and clear the compiled cache.

Step 1: Verify your Magento version

$ grep -A6 'static function getVersionInfo' app/Mage.php
    public static function getVersionInfo()
    {
        return array(
            'major'     => '1',
            'minor'     => '9',
            'revision'  => '1',
            'patch'     => '1',

As you can see in the example, it is Magento 1.9.1.1.

Step 2: Download corresponding patches

Patches are obtained from https://www.magentocommerce.com/products/downloads/magento/

Make sure to get the right version.

Step 3: Place patches into Magento Root directory

Upload the patch files into the Magento root directory. It is important to place the patch files directly in the Magento root directory and to execute them from that directory as well.

$ ls -1 .
PATCH_SUPEE-6285_CE_1.9.1.1_v1-2015-07-07-09-03-34.sh
app
cron.php
downloader
errors
favicon.ico
index.php
js
lib
mage
media
pkginfo
robots.txt
shell
skin
var

 

Step 4: Run the patches

$ bash ./PATCH_SUPEE-6285_CE_1.9.1.1_v1-2015-07-07-09-03-34.sh
Checking if patch can be applied/reverted successfully...
Patch was applied/reverted successfully.

Step 5: Verification and flush of PHP opcode cache

Verify patch status at our patch tester page.
Test that your store is working. If you use a PHP opcode cache (APC/XCache/eAccelerator), make sure to flush it after patching (or restart the web server); otherwise code will continue to run from the cache.

Additionally, if your store is still using the default /admin/ path, consider securing your Magento /admin/ by changing the admin path and restricting access to /downloader/.
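The checks from Steps 1 to 3, together with the "patch" tool check from the known issues below, can be run as a preflight before Step 4. This is an added example, not part of the original article; the function names are hypothetical and the file-name pattern is assumed to follow the CE patch names shown on this page.

```shell
#!/bin/sh
# Added example, not from the article: preflight for Steps 1-3 and the "patch" tool.

# Print the installed version (e.g. 1.9.1.1) parsed from getVersionInfo() in app/Mage.php.
mage_version() {
    awk -F"'" '
        /function getVersionInfo/ { in_fn = 1; next }
        in_fn && ($2 == "major" || $2 == "minor" || $2 == "revision") { v = v $4 "." }
        in_fn && $2 == "patch" { print v $4; exit }
    ' "$1/app/Mage.php"
}

# Print the version a patch targets, taken from its file name (CE naming as on this page).
patch_target_version() {
    basename "$1" | sed -n 's/^PATCH_SUPEE-[0-9]*_CE_\([0-9.]*\)_v.*\.sh$/\1/p'
}

# preflight ROOT PATCH_NAME: returns 0 when ready for Step 4; 2-5 identify the failed check.
preflight() {
    root=$1; name=$2
    installed=$(mage_version "$root" 2>/dev/null)
    target=$(patch_target_version "$name")
    [ -n "$installed" ] || { echo "cannot read version from $root/app/Mage.php"; return 2; }
    [ "$installed" = "$target" ] || {
        echo "version mismatch: installed $installed, patch targets ${target:-unknown}"; return 3; }
    [ -f "$root/$name" ] || { echo "$name is not in the Magento root $root"; return 4; }
    command -v patch >/dev/null 2>&1 || { echo 'tool "patch" is not installed'; return 5; }
    echo "ok: Magento $installed, $name is in place"
}

# Constructed sample tree (hypothetical) so the example runs offline.
make_demo_root() {
    d=$(mktemp -d) && mkdir -p "$d/app" || return 1
    cat > "$d/app/Mage.php" <<'EOF'
    public static function getVersionInfo()
    {
        return array(
            'major'     => '1',
            'minor'     => '9',
            'revision'  => '1',
            'patch'     => '1',
EOF
    : > "$d/PATCH_SUPEE-6285_CE_1.9.1.1_v1-2015-07-07-09-03-34.sh"
    echo "$d"
}

demo=$(make_demo_root)
preflight "$demo" PATCH_SUPEE-6285_CE_1.9.1.1_v1-2015-07-07-09-03-34.sh || true
rm -rf "$demo"
```

On a real store, call `preflight . <patch file name>` from the Magento root; a non-zero return means the patch script should not be run yet.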

If you have any difficulties with applying the patches please let us know in comments, so we can find the solution together.

 

 

 

Known issues / errors

Tool(s) “patch” is(are) missed, please install it

sh ./PATCH_SUPEE-6285_CE_1.9.1.1_v1-2015-07-07-09-03-34.sh
Error! Some required system tools, that are utilized in this sh script, are not installed:
Tool(s) "patch" is(are) missed, please install it(them).

As stated in the error message, the patch utility needs to be installed on your system. Installation usually requires superuser privileges, so make sure you have them. To install patch on Debian/Ubuntu use:

 # apt-get install patch

or

 $ sudo apt-get install patch

To install patch on RedHat/CentOS/Fedora use:

 # yum install patch

or

 $ sudo yum install patch

Hunk #1 FAILED at 33 on downloader/template/connect/packages_prepare.phtml

Checking if patch can be applied/reverted successfully...
ERROR: Patch can't be applied/reverted successfully.

patching file app/Mage.php
patching file app/code/community/Phoenix/Moneybookers/controllers/MoneybookersController.php
patching file app/code/core/Mage/Adminhtml/Controller/Action.php
...
checking file downloader/template/connect/packages.phtml
checking file downloader/template/connect/packages_prepare.phtml
Hunk #1 FAILED at 33.
1 out of 1 hunk FAILED
checking file downloader/template/login.phtml
checking file downloader/template/settings.phtml
checking file errors/processor.php
Done  

The error says that downloader/template/connect/packages_prepare.phtml does not match what the patch expects. Most likely, SUPEE-5994 was not applied beforehand as required. Make sure to apply SUPEE-5994 first.

can’t find file to patch at input line 894

Checking if patch can be applied/reverted successfully...
ERROR: Patch can't be applied/reverted successfully.

patching file app/Mage.php
patching file app/code/community/Phoenix/Moneybookers/controllers/MoneybookersController.php
patching file app/code/core/Mage/Adminhtml/Controller/Action.php
patching file app/code/core/Mage/Adminhtml/controllers/AjaxController.php
patching file app/code/core/Mage/Adminhtml/controllers/Catalog/Category/WidgetController.php
.....
patching file app/design/frontend/base/default/template/rss/order/details.phtml
patching file app/design/frontend/base/default/template/wishlist/email/rss.phtml
can't find file to patch at input line 894
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git app/design/frontend/default/modern/template/checkout/cart.phtml app/design/frontend/default/modern/template/checkout/cart.phtml
|index 43698c2..f4fe5ab 100644
|--- app/design/frontend/default/modern/template/checkout/cart.phtml
|+++ app/design/frontend/default/modern/template/checkout/cart.phtml
--------------------------
File to patch: 
Skip this patch? [y] 
Skipping patch.
1 out of 1 hunk ignored
patching file downloader/Maged/.htaccess
patching file downloader/Maged/Controller.php
patching file downloader/Maged/Model/Session.php
patching file downloader/lib/.htaccess
patching file downloader/template/connect/packages.phtml
patching file downloader/template/connect/packages_prepare.phtml
patching file downloader/template/login.phtml
patching file downloader/template/settings.phtml
patching file errors/processor.php

According to the output, the file app/design/frontend/default/modern/template/checkout/cart.phtml is missing from your installation. Simply upload it from the corresponding Magento distribution and re-run the patch.

“Access Denied” errors on access to all custom modules for users with selective permissions

Access denied in backend after SUPEE-6285

The reason is the new _isAllowed() method requirement for all admin controllers.
As mentioned by Dan Mentzer in the comments, custom modules should be updated; refer to http://magento.stackexchange.com/questions/73646/access-denied-errors-after-installing-supee-6285 for details.
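To find the custom modules affected by the _isAllowed() requirement before restricted admin users run into them, the module code can be scanned for admin controllers that do not define the method. This is an added example, not part of the original article; the function names, the Acme sample modules and the ACL path are hypothetical, and app/code/local is assumed to be the second code pool next to the app/code/community pool seen in the patch output.

```shell
#!/bin/sh
# Added example, not from the article: list custom admin controllers that
# define no _isAllowed() and so deny restricted admin roles after SUPEE-6285.

# Print every PHP file under the given directories that extends
# Mage_Adminhtml_Controller_Action directly but has no _isAllowed().
# Only direct subclasses are matched; a controller that extends a custom
# base class is judged through that base class.
controllers_missing_isallowed() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        grep -rlE 'extends[[:space:]]+Mage_Adminhtml_Controller_Action([^_A-Za-z0-9]|$)' "$dir" |
        while IFS= read -r f; do
            case $f in *.php) ;; *) continue ;; esac
            grep -qE 'function[[:space:]]+_isAllowed[[:space:]]*\(' "$f" || printf '%s\n' "$f"
        done
    done | sort
}

# Constructed sample modules (hypothetical): one without the method, one with it.
make_demo_modules() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/app/code/local/Acme/Report/controllers/Adminhtml" \
             "$d/app/code/community/Acme/Feed/controllers/Adminhtml"
    cat > "$d/app/code/local/Acme/Report/controllers/Adminhtml/ReportController.php" <<'EOF'
<?php
class Acme_Report_Adminhtml_ReportController extends Mage_Adminhtml_Controller_Action
{
    public function indexAction() { $this->loadLayout()->renderLayout(); }
}
EOF
    cat > "$d/app/code/community/Acme/Feed/controllers/Adminhtml/FeedController.php" <<'EOF'
<?php
class Acme_Feed_Adminhtml_FeedController extends Mage_Adminhtml_Controller_Action
{
    protected function _isAllowed()
    {
        return Mage::getSingleton('admin/session')->isAllowed('catalog/acme_feed');
    }
}
EOF
    echo "$d"
}

demo=$(make_demo_modules)
controllers_missing_isallowed "$demo/app/code/local" "$demo/app/code/community"
rm -rf "$demo"
```

Each reported controller needs its own _isAllowed() that checks the module's ACL resource, in the form the FeedController sample uses.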

  • Omar

    sh PATCH_SUPEE-6285_CE_1.8.1.0_v1-2015-07-07-09-06-30.sh
    Checking if patch can be applied/reverted successfully…
    ERROR: Patch can’t be applied/reverted successfully.

    patching file app/Mage.php
    Hunk #1 FAILED at 814.
    1 out of 1 hunk FAILED — saving rejects to file app/Mage.php.rej
    patching file app/code/community/Phoenix/Moneybookers/controllers/MoneybookersController.php
    Hunk #1 FAILED at 84.
    1 out of 1 hunk FAILED — saving rejects to file app/code/community/Phoenix/Moneybookers/controllers/MoneybookersController.php.rej
    patching file app/code/core/Mage/Adminhtml/Controller/Action.php
    Hunk #1 FAILED at 71.


    After applying the patch I am having quite a number of these errors.

    • magentary

      Failed hunks indicate that your files do not match the original Magento 1.8.1.0 files. Either the installed Magento version is not 1.8.1.0, or the files were modified by someone and all modifications should be reviewed, rolled back and re-applied over the patch. If you are certain that there were no modifications to core files on your installation and your Magento version is 1.8.1.0, you can apply the patch via file upload as shown here: http://magentary.com/kb/install-supee-6285-without-ssh/ or simply upgrade to 1.9.2.0

      • Omar

        Thanks for the reply. I will try to upload manually. One more thing: can you guide me on how to verify that the patch is really applied after the manual upload?

        • magentary

          There is an md5sums.txt file in every archive, so you can verify the integrity of the patched files with the md5sum tool like this:

          $ md5sum -c md5sums.txt
          ./app/Mage.php: OK
          ./app/code/core/Mage/Rss/controllers/OrderController.php: OK
          ./app/code/core/Mage/Rss/controllers/CatalogController.php: OK
          ./app/code/core/Mage/Api2/controllers/Adminhtml/Api2/AttributeController.php: OK
          ./app/code/core/Mage/Core/Controller/Varien/Router/Admin.php: OK
          ./app/code/core/Mage/Core/Controller/Varien/Router/Standard.php: OK
          ./app/code/core/Mage/Bundle/controllers/Adminhtml/Bundle/SelectionController.php: OK
          ./app/code/core/Mage/Checkout/controllers/MultishippingController.php: OK
          ./app/code/core/Mage/Adminhtml/Controller/Action.php: OK
          ./app/code/core/Mage/Adminhtml/controllers/Cms/Page/WidgetController.php: OK
          ./app/code/core/Mage/Adminhtml/controllers/Cms/PageController.php: OK
          ./app/code/core/Mage/Adminhtml/controllers/Cms/Block/WidgetController.php: OK
          ./app/code/core/Mage/Adminhtml/controllers/Cms/WysiwygController.php: OK
          ./app/code/core/Mage/Adminhtml/controllers/Rss/OrderController.php: OK
          ./app/code/core/Mage/Adminhtml/controllers/Rss/CatalogController.php: OK
          ./app/code/core/Mage/Adminhtml/controllers/Tax/RateController.php: OK
          ./app/code/core/Mage/Adminhtml/controllers/ReportController.php: OK
          ./app/code/core/Mage/Adminhtml/controllers/JsonController.php: OK
          ./app/code/core/Mage/Adminhtml/controllers/Sales/TransactionsController.php: OK
          ./app/code/core/Mage/Adminhtml/controllers/Sales/Recurring/ProfileController.php: OK
          ./app/code/core/Mage/Adminhtml/controllers/Sales/Order/View/GiftmessageController.php: OK
          ./app/code/core/Mage/Adminhtml/controllers/Sales/Billing/AgreementController.php: OK
          ./app/code/core/Mage/Adminhtml/controllers/Customer/System/Config/ValidatevatController.php: OK
          ./app/code/core/Mage/Adminhtml/controllers/TaxController.php: OK
          ./app/code/core/Mage/Adminhtml/controllers/Catalog/Category/WidgetController.php: OK
          ./app/code/core/Mage/Adminhtml/controllers/Catalog/Product/DatafeedsController.php: OK
          ./app/code/core/Mage/Adminhtml/controllers/Catalog/Product/WidgetController.php: OK
          ./app/code/core/Mage/Adminhtml/controllers/Catalog/Product/ReviewController.php: OK
          ./app/code/core/Mage/Adminhtml/controllers/Report/ProductController.php: OK
          ./app/code/core/Mage/Adminhtml/controllers/Report/CustomerController.php: OK
          ./app/code/core/Mage/Adminhtml/controllers/Report/TagController.php: OK
          ./app/code/core/Mage/Adminhtml/controllers/Report/ReviewController.php: OK
          ./app/code/core/Mage/Adminhtml/controllers/Report/ShopcartController.php: OK
          ./app/code/core/Mage/Adminhtml/controllers/Report/SalesController.php: OK
          ./app/code/core/Mage/Adminhtml/controllers/System/Config/System/StorageController.php: OK
          ./app/code/core/Mage/Adminhtml/controllers/NotificationController.php: OK
          ./app/code/core/Mage/Adminhtml/controllers/AjaxController.php: OK
          ./app/code/core/Mage/Adminhtml/controllers/TagController.php: OK
          ./app/code/core/Mage/Paygate/controllers/Adminhtml/Paygate/Authorizenet/PaymentController.php: OK
          ./app/code/core/Mage/Oauth/controllers/Adminhtml/Oauth/AuthorizeController.php: OK
          ./app/code/core/Mage/Sales/controllers/Recurring/ProfileController.php: OK
          ./app/code/core/Mage/Customer/Model/Customer.php: OK
          ./app/code/core/Mage/Paypal/controllers/Adminhtml/Paypal/ReportsController.php: OK
          ./app/code/core/Mage/Captcha/controllers/Adminhtml/RefreshController.php: OK
          ./app/code/core/Mage/Install/etc/config.xml: OK
          ./app/code/core/Mage/Install/Controller/Router/Install.php: OK
          ./app/code/core/Mage/Widget/Block/Adminhtml/Widget/Chooser.php: OK
          ./app/code/core/Mage/Widget/controllers/Adminhtml/WidgetController.php: OK
          ./app/code/core/Mage/Connect/controllers/Adminhtml/Extension/LocalController.php: OK
          ./app/code/core/Mage/ImportExport/Model/Export/Adapter/Csv.php: OK
          ./app/code/core/Mage/ImportExport/Model/Abstract.php: OK
          ./app/code/core/Mage/Authorizenet/controllers/Directpost/PaymentController.php: OK
          ./app/code/core/Mage/Centinel/controllers/Adminhtml/Centinel/IndexController.php: OK
          ./app/code/core/Mage/Dataflow/Model/Convert/Parser/Csv.php: OK
          ./app/code/community/Phoenix/Moneybookers/controllers/MoneybookersController.php: OK
          ./app/design/frontend/base/default/template/rss/order/details.phtml: OK
          ./app/design/frontend/base/default/template/checkout/cart/noItems.phtml: OK
          ./app/design/frontend/base/default/template/checkout/cart.phtml: OK
          ./app/design/frontend/base/default/template/checkout/onepage/failure.phtml: OK
          ./app/design/frontend/base/default/template/wishlist/email/rss.phtml: OK
          ./app/design/frontend/default/modern/template/checkout/cart.phtml: OK
          ./lib/PEAR/PEAR/PEAR5.php: OK
          ./lib/PEAR/PEAR/PEAR.php: OK
          ./lib/Varien/Io/File.php: OK
          ./downloader/lib/.htaccess: OK
          ./downloader/Maged/Model/Session.php: OK
          ./downloader/Maged/Model/Connect.php: OK
          ./downloader/Maged/.htaccess: OK
          ./downloader/Maged/Controller.php: OK
          ./downloader/Maged/View.php: OK
          ./downloader/template/connect/packages.phtml: OK
          ./downloader/template/connect/packages_prepare.phtml: OK
          ./downloader/template/login.phtml: OK
          ./downloader/template/messages.phtml: OK
          ./downloader/template/settings.phtml: OK
          ./errors/processor.php: OK
          ./get.php: OK

  • chandru sekar

    Hi, I got the same error. I tried installing the patch on a default Magento 1.9.0.1 and it returned the same error that @omar has posted.

    Thanks for your reply in advance to sort the same.

    • chandru sekar

      Sorry, I missed installing one older patch on it.

      However, I am unable to install the same in my custom environment.

      Thanks for your reply in advance to sort the same.

  • Mark

    Just saw this comment elsewhere – any thoughts?

    Be Advised: Diving into this patch, I came across cart.phtml, and a few others being applied to the base/default phtml files. This means if you’re running a custom theme (which 99% of us are), after you apply this patch, there is no guarantee you’re secure, because themed phtml files take precedence over the base/default phtml files, and those remain unpatched! Most common theme overwritten files that get patched in this script are: cart.phtml which addresses the XSS vulnerability.

    • magentary

      A lot of third-party themes and extensions contain much more than an XSS vulnerability, especially those that place PHP files in skin to generate CSS (local file inclusion) or use direct SQL queries to get a color option. Moreover, most manuals from extension developers contain instructions to change permissions to 777 (allow write for anyone), which are copied blindly everywhere as a panacea. It is not possible to fix the world. Thanks to Magento, it can fix the core. The themes and extensions we choose are in our hands.
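The theme-override concern raised in this thread can be checked on an installation by listing theme copies of the templates the patch changes. This is an added example, not part of the original article or of any commenter's post; the function names and the acme/shop sample theme are hypothetical, and the template list is taken from the md5sums.txt output quoted in the comments above.

```shell
#!/bin/sh
# Added example, not from the article: list theme templates that shadow
# the base/default templates changed by SUPEE-6285.

# Patched templates, relative to <package>/<theme>/template/, as listed in the
# md5sums.txt output quoted in the comments.
PATCHED_TEMPLATES='rss/order/details.phtml
checkout/cart/noItems.phtml
checkout/cart.phtml
checkout/onepage/failure.phtml
wishlist/email/rss.phtml'

# Print every copy of a patched template that lives in a theme other than
# base/default. default/modern checkout/cart.phtml is skipped because the
# patch updates that file itself.
theme_overrides() {
    design=$1/app/design/frontend
    for theme in "$design"/*/*/; do
        rel=${theme#"$design"/}; rel=${rel%/}
        if [ ! -d "$theme" ] || [ "$rel" = base/default ]; then continue; fi
        printf '%s\n' "$PATCHED_TEMPLATES" | while IFS= read -r tpl; do
            if [ "$rel/$tpl" != default/modern/checkout/cart.phtml ] &&
               [ -f "$theme/template/$tpl" ]; then
                printf '%s\n' "app/design/frontend/$rel/template/$tpl"
            fi
        done
    done | sort
}

# Constructed sample tree (hypothetical theme acme/shop) so the example runs offline.
make_demo_themes() {
    d=$(mktemp -d) || return 1
    for f in base/default/template/checkout/cart.phtml \
             default/modern/template/checkout/cart.phtml \
             acme/shop/template/checkout/cart.phtml \
             acme/shop/template/wishlist/email/rss.phtml \
             acme/shop/template/page/html/footer.phtml; do
        mkdir -p "$d/app/design/frontend/${f%/*}"
        : > "$d/app/design/frontend/$f"
    done
    echo "$d"
}

demo=$(make_demo_themes)
theme_overrides "$demo"
rm -rf "$demo"
```

Each file it reports takes precedence over the patched base/default template and has to be compared with the patched version by hand.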

  • Dan Mentzer

    Is anyone else having issues with customers getting access denied messages in the backend after the patch has been completed?

  • Shri

    I would like to install the SUPEE-6285 Magento security patch. I have Magento version 1.8.1.0.

  • Jay

    I had an issue patching and found multiple errors; one of them:

    Hunk #1 succeeded at 115 with fuzz 1.
    The next patch would create the file downloader/Maged/.htaccess,
    which already exists! Assume -R? [n]
    Apply anyway? [n]
    Skipping patch.
    1 out of 1 hunk ignored

    Simply removed or renamed downloader/Maged/.htaccess and the patch was applied successfully