October 27, 2015: New Magento Security Patch (SUPEE-6788) – Install Immediately Today, we are releasing a new patch (SUPEE-6788) and Community Edition 1.9.2.2 to address 10+ security issues, including remote code execution and information leak vulnerabilities. This patch is unrelated to the Guruincsite malware issue. Be sure to test the patch in a development environment first, as it can affect extensions and customizations. Download the patch from the Community Edition Download page and learn more at http://magento.com/security/patches/supee-6788New SUPEE-6788 patch can be downloaded as usual from Downloads page: https://www.magentocommerce.com/products/downloads/magento/ or installed as a regular Magento upgrade via Downloader (it is included in Magento 1.9.2.2 version). You can install it in the same way as previous patches or by upgrading to Magento 1.9.2.2. To apply the patch you need SSH access (shell access actually, SSH is just most used way to get shell access) to the server. If you wish to save time and have us to install these patches for you, simply click here to order installation.
Step 0: Preparations
Note: Make sure to Disable Magento Compiler at System > Configuration > Tools > Magento Compiler and clear compiled cache.
Update all third-party extensions, disable and uninstall any unused extensions.Warning: This patch may break some third-party modules that makes extensive use of custom variables and custom admin routes. Refer to community maintained list of all known incompatible extensions.
Step 1: Verify your Magento version
$ grep -A6 'static function getVersionInfo' app/Mage.php
public static function getVersionInfo()
{
return array(
'major' => '1',
'minor' => '9',
'revision' => '1',
'patch' => '1',
As you can see in the example, it is Magento 1.9.1.1
Step 2: Download corresponding patches
Patches are obtained from https://www.magentocommerce.com/products/downloads/magento/ Make sure to get the right version.Step 3: Place patches into Magento Root directory
Upload your files into Magento root directory. It is important to place patch files directly into Magento root directory and execute it also directly in Magento root directory.$ ls -1 . PATCH_SUPEE-6788_CE_1.9.1.0_v1-2015-10-27-09-06-11.sh app cron.php downloader errors favicon.ico index.php js lib mage media pkginfo robots.txt shell skin var
Step 4: Run the patches
$ bash ./PATCH_SUPEE-6285_CE_1.9.1.1_v1-2015-07-07-09-03-34.sh Checking if patch can be applied/reverted successfully... Patch was applied/reverted successfully.
Step 5: Verification and flush of PHP opcode cache
Verify patch status at our patch tester page. Test that your store is working. If you use PHP opcode caches (APC/XCache/eAccelerator) make sure to flush it after patching (or restart webserver), otherwise code will continue to run from caches.Post-installation
You can disable it as shown below:Warning:Secure Admin routing for extensions is not applied by default after patch installation. To take all advantages of the patch Admin routing compatibility mode should be Disabled at System > Configuration > Admin > Security > Admin routing compatibility mode for extensions.
Additionally, if your store still use default /admin/ path, you may consider securing your Magento /admin/ by admin path change and restrict access toWarning: This feature may break some (about ~80% at the moment) third-party extensions from working as expected. Make sure to update all third-party extensions, disable and uninstall any unused extensions and request an extension upgrades from developers if it does not work with this feature enabled..
/downloader/.
Known issues
- CMS pages and transactional emails broken after SUPEE-6788 patch to Magento
- Reset Password page is blank after SUPEE-6788
- Magento registration form does not work after SUPEE-6788
Rollback
If you need to rollback the patch due to some reason, you can use –revert option, Just execute it again in the same Magento root directory by appending –revert option:$ bash ./PATCH_SUPEE-6285_CE_1.9.1.1_v1-2015-07-07-09-03-34.sh --revert Checking if patch can be applied/reverted successfully... Patch was applied/reverted successfully.If you have any difficulties with applying the patches please let us know in comments, so we can find the solution together.
Posted in: Magento Maintenance