OCT 27 2015

How to install SUPEE-6788

October 27, 2015: New Magento Security Patch (SUPEE-6788) – Install Immediately
Today, we are releasing a new patch (SUPEE-6788) and Community Edition 1.9.2.2 to address 10+ security issues, including remote code execution and information leak vulnerabilities. This patch is unrelated to the Guruincsite malware issue. Be sure to test the patch in a development environment first, as it can affect extensions and customizations. Download the patch from the Community Edition Download page and learn more at http://magento.com/security/patches/supee-6788

The new SUPEE-6788 patch can be downloaded as usual from the Downloads page:
https://www.magentocommerce.com/products/downloads/magento/ or installed as a regular Magento upgrade via the Downloader (it is included in Magento 1.9.2.2).

You can install it in the same way as previous patches or by upgrading to Magento 1.9.2.2.

To apply the patch you need shell access to the server (SSH is simply the most common way to get it).

If you wish to save time and have us install these patches for you, simply click here to order installation.

Step 0: Preparations

Note: Make sure to disable the Magento Compiler at System > Configuration > Tools > Magento Compiler and clear the compiled cache.

Warning: This patch may break some third-party modules that make extensive use of custom variables and custom admin routes. Refer to the community-maintained list of all known incompatible extensions.

Update all third-party extensions, disable and uninstall any unused extensions.

Step 1: Verify your Magento version

$ grep -A6 'static function getVersionInfo' app/Mage.php
    public static function getVersionInfo()
    {
        return array(
            'major'     => '1',
            'minor'     => '9',
            'revision'  => '1',
            'patch'     => '1',

As you can see in the example, it is Magento 1.9.1.1

Step 2: Download corresponding patches

Patches are obtained from https://www.magentocommerce.com/products/downloads/magento/

Make sure to get the right version.

Step 3: Place patches into Magento Root directory

Upload the patch files into the Magento root directory. It is important to place them directly in the Magento root directory and to execute them from that same directory.

$ ls -1 .
PATCH_SUPEE-6788_CE_1.9.1.0_v1-2015-10-27-09-06-11.sh
app
cron.php
downloader
errors
favicon.ico
index.php
js
lib
mage
media
pkginfo
robots.txt
shell
skin
var

 

Step 4: Run the patches

$ bash ./PATCH_SUPEE-6788_CE_1.9.1.0_v1-2015-10-27-09-06-11.sh
Checking if patch can be applied/reverted successfully...
Patch was applied/reverted successfully.

Step 5: Verification and flush of PHP opcode cache

Verify the patch status at our patch tester page.
Test that your store is working. If you use a PHP opcode cache (APC/XCache/eAccelerator), make sure to flush it after patching (or restart the web server); otherwise the old code will continue to run from the cache.
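The checks from Steps 0 to 4 can be scripted before the patch is run. The following is an added example, not part of the original post or of Magento's patch tooling: the function names are hypothetical, the sample root is constructed, and the compiler check assumes the stock layout in which enabling the compiler uncomments the COMPILER_INCLUDE_PATH define in includes/config.php.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks for Steps 0-4 before running a SUPEE patch script.

# Print the installed version (e.g. 1.9.1.1) parsed from app/Mage.php, as in Step 1.
magento_version() {
    grep -A6 'static function getVersionInfo' "$1/app/Mage.php" |
        sed -nE "s/.*'(major|minor|revision|patch)'[[:space:]]*=>[[:space:]]*'([0-9]+)'.*/\2/p" |
        paste -sd. -
}

# Succeed if the compiler is on. Assumption: stock layout, where enabling it
# uncomments define('COMPILER_INCLUDE_PATH', ...) in includes/config.php.
compiler_enabled() {
    grep -Eq "^[[:space:]]*define\('COMPILER_INCLUDE_PATH'" "$1/includes/config.php" 2>/dev/null
}

# preflight ROOT PATCH_FILE PATCH_ID: print findings, return non-zero on any blocker.
preflight() {
    local root="$1" patch="$2" id="$3" rc=0
    echo "Magento version: $(magento_version "$root")"
    if compiler_enabled "$root"; then
        echo "BLOCKER: compiler enabled; disable it and clear the compiled cache"; rc=1
    fi
    if [ ! -f "$root/$patch" ]; then
        echo "BLOCKER: $patch is not in the Magento root"; rc=1
    fi
    case $patch in
        PATCH_"$id"_*) ;;
        *) echo "BLOCKER: $patch is not a $id patch file"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample root so the script runs anywhere; point preflight at a real root instead.
demo_root=$(mktemp -d)
demo_patch=PATCH_SUPEE-6788_CE_1.9.1.0_v1-2015-10-27-09-06-11.sh
mkdir -p "$demo_root/app" "$demo_root/includes"
printf '%s\n' "    public static function getVersionInfo()" "    {" "        return array(" \
    "            'major'     => '1'," "            'minor'     => '9'," \
    "            'revision'  => '1'," "            'patch'     => '1'," > "$demo_root/app/Mage.php"
echo "define('COMPILER_INCLUDE_PATH', dirname(__FILE__).'/src');" > "$demo_root/includes/config.php"
touch "$demo_root/$demo_patch"
preflight "$demo_root" "$demo_patch" SUPEE-6788 || true
```

On the constructed root the compiler is left enabled, so the run reports one blocker; the version line is printed for comparison against the patch file you downloaded.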

Post-installation

Warning: Secure Admin routing for extensions is not applied by default after patch installation. To take full advantage of the patch, Admin routing compatibility mode should be disabled at System > Configuration > Admin > Security > Admin routing compatibility mode for extensions.

You can disable it as shown below:

[Screenshots: Enabling Secure Admin Routing for extensions; Disabling Secure Admin Routing compatibility mode for extensions]

Warning: This feature may break some (about 80% at the moment) third-party extensions. Make sure to update all third-party extensions, disable and uninstall any unused extensions, and request an extension upgrade from the developers if an extension does not work with this feature enabled.

Additionally, if your store still uses the default /admin/ path, you may consider securing your Magento /admin/ by changing the admin path, and restricting access to /downloader/.

Known issues

Rollback

If you need to roll back the patch for some reason, you can use the --revert option. Just execute the patch again in the same Magento root directory, appending --revert:

$ bash ./PATCH_SUPEE-6788_CE_1.9.1.0_v1-2015-10-27-09-06-11.sh --revert
Checking if patch can be applied/reverted successfully...
Patch was applied/reverted successfully.

If you have any difficulties with applying the patches please let us know in comments, so we can find the solution together.

 

  • Muhemmed Asfand Yar

    I have Magento 1.8. Is it OK to install this SUPEE-6788 patch with 1.8, or do I need to upgrade to Magento 1.9?

    • magentary

      There are patches for Magento 1.8; you can find them on the download page, so an upgrade is not required.
      Though, if you can upgrade to the latest 1.9.2.2, an upgrade is preferred.

  • Hristina

    I am using Magento 1.4.1.1, and when I log in to the admin panel I receive a message that I need to install PATCH 6788. Is PATCH 6788 required for Magento 1.4.1.1, and if yes, how can I download it for version 1.4.1.1?
    Thanks

  • H Amaroq

    don’t forget the whitelisting of embedded blocks/configdata for email templates and CMS pages/blocks:
    all usages of [[config …]] and {{block …}} must be added to System > Permissions > Blocks / Variables

    • https://xceptional.co Jeremy Tyler

      Thank you! Homepage was gone after and my immediate heart sinking feeling was, “Here Goes Another 8 Hours”.

  • https://amasty.com/ Amasty

    Amasty has already updated most of our extensions affected by the patch; you can find a list at https://blog.amasty.com/supee-6788-qa-about-extensions-and-security-patch-compatibility-important/

  • Douglas de Souza

    I followed all the instructions for installation on Magento 1.9.2.1, but only on this page did I see the notice that this patch can break some modules. Now that I have seen the list, I am very scared.
    Does someone know how I can go back? Or turn it off? Part of my home page went blank.
    I'm having trouble with the blocks and variables. But when I go into System >> Permissions >> Blocks I get a page error.
    I do not know what to do.
    Because the guys from Magento do not make a page like that! Everything would be easier and problems would be avoided.
    Thanks for the instructions!

    • magentary

      If the patch was applied via SSH, to revert it you can just call it again with the --revert option:
      $ bash ./PATCH_SUPEE-6285_CE_1.9.1.1_v1-2015-07-07-09-03-34.sh --revert

      • Douglas de Souza

        I’ll try. Thank you!!!

  • Thiago Romão Barcala

    I am very concerned about this security patch. Correct me if I'm wrong, but won't the suggested route substitution method cause a lot of modules' controllers to conflict? I mean, currently all modules use their own frontname, and now we are supposed to put everything under the admin frontname. Take an example where you have two modules that declare frontnames x and y, and both have controllers named ProductController. Before, the URLs for these controllers would be something like http://example.com/x/product and http://example.com/y/product, and after this patch, with the suggested solution, we would have both controllers responding for the URL http://example.com/admin/product. Wouldn't it be easier/better/safer to change Magento to treat routes declared with admin differently?

  • Paul

    I’m getting empty pages for Block Permission and Variable Permission. Am I missing DB changes or something?

    • Paul

      Just checked DB and Tables exist.

      Checked System Logs:

      --------------------------------------------------

      2015-11-04T21:06:48+00:00 ERR (3):
      exception 'Mage_Core_Exception' with message 'Invalid block type: Mage_Adminhtml_Block_Permissions_Variable' in /devsite/app/Mage.php:594
      Stack trace:
      #0 /devsite/includes/src/__default.php(27426): Mage::throwException('Invalid block t...')
      #1 /devsite/includes/src/__default.php(27368): Mage_Core_Model_Layout->_getBlockInstance('adminhtml/permi...', Array)
      #2 /devsite/app/code/core/Mage/Adminhtml/controllers/Permissions/VariableController.php(59): Mage_Core_Model_Layout->createBlock('adminhtml/permi...')
      #3 /devsite/includes/src/__default.php(13617): Mage_Adminhtml_Permissions_VariableController->indexAction()
      #4 /devsite/includes/src/__default.php(17995): Mage_Core_Controller_Varien_Action->dispatch('index')
      #5 /devsite/includes/src/__default.php(17548): Mage_Core_Controller_Varien_Router_Standard->match(Object(Mage_Core_Controller_Request_Http))
      #6 /devsite/includes/src/__default.php(20150): Mage_Core_Controller_Varien_Front->dispatch()
      #7 /devsite/app/Mage.php(683): Mage_Core_Model_App->run(Array)
      #8 /devsite/index.php(120): Mage::run('', 'store')
      #9 {main}

      2015-11-04T21:06:48+00:00 ERR (3):
      exception 'Mage_Core_Exception' with message 'Invalid block type: Mage_Adminhtml_Block_Permissions_Block' in /devsite/app/Mage.php:594
      Stack trace:
      #0 /devsite/includes/src/__default.php(27426): Mage::throwException('Invalid block t...')
      #1 /devsite/includes/src/__default.php(27368): Mage_Core_Model_Layout->_getBlockInstance('adminhtml/permi...', Array)
      #2 /devsite/app/code/core/Mage/Adminhtml/controllers/Permissions/BlockController.php(59): Mage_Core_Model_Layout->createBlock('adminhtml/permi...')
      #3 /devsite/includes/src/__default.php(13617): Mage_Adminhtml_Permissions_BlockController->indexAction()
      #4 /devsite/includes/src/__default.php(17995): Mage_Core_Controller_Varien_Action->dispatch('index')
      #5 /devsite/includes/src/__default.php(17548): Mage_Core_Controller_Varien_Router_Standard->match(Object(Mage_Core_Controller_Request_Http))
      #6 /devsite/includes/src/__default.php(20150): Mage_Core_Controller_Varien_Front->dispatch()
      #7 /devsite/app/Mage.php(683): Mage_Core_Model_App->run(Array)
      #8 /devsite/index.php(120): Mage::run('', 'store')
      #9 {main}

      --------------------------------------------------

      Anybody has any idea why this is happening?

      • Paul

        FIXED!

        Compilation was enabled! Missed that part – DOH!

  • CannyCookie

    We've installed the 6788 patch on 1.7.0.2, disabled cache, flushed everything, logged out and in, but the Admin->Security section has not been updated. Not sure what to do now. Any ideas?

  • revin

    Hi, we are trying to apply the 6788 patch on 1.9.1.0 and are facing the error that the patch can't be applied/reverted successfully. We followed all your instructions.
    Below are my screenshots. Please help me out, I need to do this soon.

  • Cecilia Castelari

    After installing the SUPEE-6788 patch, I am getting a blank page on System > Permissions > Blocks.
    Also, on the home page, the featured products and new products blocks are not working: {{block type="catalog/product_list" category_id="46" template="catalog/product/list.phtml"}}
    My Magento is 1.9.0.1. Can anyone help me?
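The whitelisting reminder in the comments above and the {{block}} directive quoted in the last comment suggest a check that can be run before patching: list every block and config directive in exported CMS and e-mail template content, and report the ones that are not yet allowed. This is an added example and not part of the original thread; the function names are hypothetical, the sample content and allow-list are constructed (the allow-list stands for the entries shown at System > Permissions > Blocks / Variables), and it assumes double-quoted attributes and the {{config path="..."}} form.

```bash
#!/usr/bin/env bash
# Added example: find {{block}} / {{config}} directives that still need whitelisting.

# Print "block <type>" or "variable <path>" for each directive read from stdin.
# Newlines are flattened first because a directive may wrap across lines.
list_directives() {
    tr '\n' ' ' |
        grep -oE '\{\{(block|config)[^}]*\}\}' |
        sed -nE \
            -e 's/^\{\{block[^}]*[[:space:]]type="([^"]+)".*/block \1/p' \
            -e 's/^\{\{config[^}]*[[:space:]]path="([^"]+)".*/variable \1/p' |
        sort -u
}

# needs_whitelisting ALLOWLIST_FILE: directives on stdin that are absent from the
# allow-list file (one "block <type>" or "variable <path>" entry per line).
needs_whitelisting() {
    list_directives | grep -vxFf "$1" || true
}

# Constructed sample standing in for exported CMS page/block and e-mail template content.
sample_content() {
    cat <<'EOF'
<div>{{block type="catalog/product_list"
category_id="46" template="catalog/product/list.phtml"}}</div>
<img src="{{config path="web/unsecure/base_url"}}logo.png">
{{block type="core/template" template="page/promo.phtml"}}
<a href="{{store url="contacts"}}">Contact</a>
EOF
}

# Constructed allow-list; replace with the entries configured in your own admin.
allow=$(mktemp)
printf '%s\n' 'block core/template' 'variable web/unsecure/base_url' > "$allow"

# Other directives such as {{store}} are ignored; only block and config are reported.
sample_content | needs_whitelisting "$allow"
```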