MAY 15 2015

How to install SUPEE-5994 without SSH

UPDATE: July 7, 2015: New Magento Security Patch (SUPEE-6285), save time on installing both SUPEE-5994 and SUPEE-6285 at once as shown in SUPEE-6285 & SUPEE-5994 installation without SSH.
According to announce sent on May 15, 2015 to all Magento installations new security patch SUPEE-5994 should be installed in addition to two recent shoplift patches (SUPEE-5344 and SUPEE-1533).
Important: New Magento Security Patch – Install it Now It is important for you to download and install a new security patch (SUPEE-5994) from the Magento Community Edition download page ( Please apply this critical update immediately to help protect your site from exposure to multiple security vulnerabilities impacting all versions of the Magento Community Edition software. Please note that this patch should be installed in addition to the recent Shoplift patch (SUPEE-5344).
The only problem with these patches is SSH requirement, which some hosts do not provide. If you have SSH access, you can install patches as shown in How to install SUPEE-5994. It is still possible to apply the patch even without SSH via FTP/sFTP or direct execution via PHP as shown below in this article. If you wish to save time and have us to install all these patches for you, simply click here to order installation. If you have any difficulties with applying the patches please let us know in comments, so we can find the solution together. Before patching make sure to Disable Magento Compiler if you use it at System > Configuration > Tools > Compilation and clear compiled cache.

Applying Magento patches via FTP/sFTP or FileManager / File Upload

To apply patches in this way we simply replace changed files. This way can not be used blindly if you or your developers have changed any core Magento files (which is a big no-no, by the way). Such changes should be re-applied to patched files, or you loose these changes. Patch SUPEE-5994 (Magento 1.6.x.x- applied to the following files:
  • app/code/core/Mage/Authorizenet/controllers/Directpost/PaymentController.php
  • app/code/core/Mage/Core/Controller/Varien/Router/Admin.php
  • app/code/core/Mage/Core/Controller/Varien/Router/Standard.php
  • app/code/core/Mage/Customer/Model/Customer.php
  • app/code/core/Mage/Dataflow/Model/Convert/Parser/Csv.php
  • app/code/core/Mage/ImportExport/Model/Export/Adapter/Csv.php
  • app/code/core/Mage/Install/Controller/Router/Install.php
  • app/code/core/Mage/Install/etc/config.xml
  • app/code/core/Mage/Sales/controllers/Recurring/ProfileController.php
  • downloader/Maged/Model/Connect.php
  • downloader/Maged/View.php
  • downloader/template/connect/packages_prepare.phtml
  • downloader/template/messages.phtml
  • get.php
  • lib/PEAR/PEAR/PEAR.php
  • lib/PEAR/PEAR/PEAR5.php
  • lib/Varien/Io/File.php
Patched version of these files for Magento packed into single ZIP archive: SUPEE-5994-1.9.1. Simply unpack it and replace files on your store by uploading all folders and get.php file into your Magento root directory.

Patch for other versions

Older versions are patched in the same way, I am adding downloads for other versions into a single table on demand when I need to patch certain version:
Magento versionSUPEE-5994


Verify patch status at our patch tester page. If you use PHP opcode caches (APC/XCache/eAccelerator) make sure to flush it after patching, otherwise code will continue to run from caches. Additionally, if your store still using default /admin/ path, you may consider securing your Magento /admin/ by admin path change and restrict access to /downloader/. Done. If you have any difficulties with applying the patches please let us know in comments, so we can find the solution together.

Posted in: Magento Maintenance

How to install SUPEE-5994 without SSH
83 votes, 4.53 avg. rating (90% score)
  • Aziz

    Thanx a lot
    You are awesome as usual !!

    I use Magento 1.9. The only problem that I encountered was in the path: app/code/core/Mage/Install/Controller/Router/Install.php
    In my directory it looks like: app/code/core/Mage/Install/Controller/Action.php

    I don’t know if this is only in my directory or you made a mistake. any idea?

    • magentary

      Thank you for the feedback.
      app/code/core/Mage/Install/Controller/Router/Install.php is a new file to be created and it is included in the patch / archive.
      app/code/core/Mage/Install/Controller/Action.php is not affected by this patch should remain unchanged.

      • Aziz

        Thanks a lot .. It solves the problem

        Keeeeeeeeep up the good work

  • fabstr

    would be great if you could provide us with the patch for Magento


    Fatal error: Class ‘Mage_Install_Controller_Router_Install’ not found in /home/x/public_html/includes/src/__default.php on line 17982

    After uploading your files :S already cleaned cache, etc via sh

    • magentary

      According to the error Magento Compiler was not disabled as described in article. It is required disable magento compiler prior to installation, just like with any extension. If you can not login to backend you can move includes/ directory out.


        Nope, it was disabled, and also same when i tried again after reuploading all files fres, reinstalled twice now, happens after flushing magento storage,

        Tried third time, now error appeared after i reenabled compiler, this happens when i upload install folder.

        • Laurentiu Zaharia

          same problem…

          • Andreas

            Had the same problem, check if you successfully uploaded
            If not, you are probably also missing


            Both files are new files.

          • John Mocnik

            I uploaded the files, shop looks ok.

            Where can I check if patch is successfully installed an registered?

        • magentary

          If Magento Compiler is disabled and cleared, then includes/src/__default.php should not even exist.
          As it is listed in your message, Magento Compiler is not disabled, so old code is loaded.


            I have checked and my _default differs from one store to another (one has 2014 copyright), is it safe to replace that with my other store code? both were patched

      • Sean

        This is the problem to me.
        After this mistake, I did:
        * revert patch installation,
        * Disable the Compiler,
        –Magento die,
        * Reinstall the patch,
        –Magento still not working, internal error.
        * enable the Compiler
        –Magento back to work.

        Problem is, anytime now I disable or run compilation process again, Magento dies

        Any suggest to repair this problem? thanks a lot!

        • magentary

          What is the actual error message shown when Magento dies?

          • Sean

            PHP Fatal error: Class ‘Mage_Core_Controller_Varien_Router_Admin’ not found in ./app/code/core/Mage/Core/Controller/Varien/Front.php on line 138

            Like above a lot of complain class is not found.

          • magentary

            It seems like there are local overrides on your installation in local or community pool, i.e. under ./app/code/local/Mage/Core/Controller/Varien/Front.php or other files under ./app/code/local/Mage/Core that overrides core classes. To ensure the compiler is properly disabled / cleared you can refer to
            To correct local overrides you can contact the developer who added it or revert to original core files from Magento distribution or apply patches manually, line by line for every overriding file.

          • Sean

            Appreciate your help, it looks I am in a very bad situation, two problems.

            1. even I delete the folder ‘includes’ and then create a new folder and empty config.php, them compile and enable it, it still says:
            Compiler Status: Disabled <—- never change to enable :(
            Compilation State: Compiled
            Collected Files Count: 8780
            Compiled Scopes Count: 4

            2. under ./app/code/local there is no folder named Mage, are your refer to "./app/code/core/Mage/Core" instead of "./app/code/local/Mage/Core".
            Or, my system is heavily damaged by the template.

          • magentary

            It can be permissions issue, i.e. new files are created under different user and webserver/PHP can not read or write or there is a possibility that the error occurred prior to re-compilation and all code was running from cache, so clearing cache just revealed the error. In any case, I’d suggest to pass this issue to your developer or hosting support, who have local access and can see all errors or system response to changes, so they can troubleshoot it effectively.

          • Sean

            Thanks a lot your help, great work, helped a lot. A quick feedback for others:

            my first problem of not able to change the disable state is because, I create a new empty includes/config.php which is not correct, must use an original one, which has basically 3 lines there. google ‘magento compilation state can’t enable’

            my second issue, indeed is a permission issue.

            Glad to chose Magento, and even better have you all. Thanks,

          • Sean

            One more thing I found, that when run “# php shell/compiler.php — enable”
            it always says:
            Compiler Status: Disabled
            Compilation State: Compiled
            Collected Files Count: 8780
            Compiled Scopes Count: 4

            The Compiler Status always be Disabled, I run “php shell/compiler.php — enable” a few times, even tried option in order like:

  • Ruben Schulze-Fröhlich

    Could you guys please add the patch for, too? Thanks :)

  • Amit Kumar

    Please add the Patch files for

  • chan

    The filename in your table (downloads) is incorrect for Magento & Magento It should be SUPEE-5994 instead of SUPEE-5344…
    Thanks for all your efforts !

    • magentary

      Thank you, the typo has been corrected

  • Anselme

    Thanks a lot for your files. Really helped for all those who don’t have access to SSH for various reasons (windows environnement). I’m really wondering why Magento Team does not provide the patch modified files. It’s really good that you provide them, but as a developper I was skeptical to deploy some files modified by a third party (in case you would have hidden some malicious code ) however I checked your files modifications nothing was altered in a malicious way and everything respected the diff file of the patch. But It would be good in the future that Magento give an official certification or an archive officially certified to avoid fake versions.Anyway thanks a lot.

    • magentary

      Thank you for the feedback and for the verification. I believe Magento will release generic update a bit later, so it will be possible to install it via Magento Connect. However, new version release usually is a big routine that takes a lot of resources from QA / build teams and requires some time.

  • Krista

    why don’t I have lib/PEAR folders in my install ( Am I supposed to?

  • j

    Can I use the files here from for a install?

    • magentary

      I’d suggest you to upgrade to at least, as the difference between and is a serious security fix. I personally see no reason to close one hole leave open another one.

  • basiq

    Thanks a ton, not had time to enable ssh yet and this saved me a headache. You the man!!!

  • redesigned

    Any idea where we can get the Magento 1.3 5994 patch?


    For ppl having issue with mage error, use this, helped for me

    • magentary

      The actions described there (Disable Magento Compiler) should be executed prior to patching or any code changes.

  • Amit Kumar

    I am using Magento Where can I get the Patch for this version.

  • Rajnish

    can i use Magento SUPEE-5994-1.6 FOR Magento

  • a

    hi could you please add patch for

    • magentary

      It is unlikely that I will prepare separate file for and I’d suggest you to upgrade to at least, as the only difference between and is a security fix. I personally see no reason to close one hole and to leave open another one.

      • a

        cheers, I’ll see if i can upgrade it

  • Gladdert

    Thanks again

  • Andhi Irawan

    Thank you

  • Rajnish

    I am using Magento Where can I get the Patch for this version.

  • chimera

    I am using Magento ver., which patch should I use? Thanks

  • Lukas

    How to verify that the patch was applied sucessfully?

    • Andrea

      I interested to this answer too. Thanks

  • Addictlon

    Is there a URL I can use to “wget” these zip files from the Magento document root?

    • magentary

      All URLs are listed in the table, you can use “Copy link location” from a browser’s context menu on hovering corresponding fileset.

  • Ravi Patel

    I have add this patch for magento customer registration time generate error :

    customer registration error “Please make sure your password match”. now i have change Mage/Customer/Model/Customer.php line no 844

    $confirmation = $this->getPasswordConfirmation();
    $confirmation = $this->getConfirmation();

    so this one right for code change ? thanks

    • magentary

      I personally do not believe that it can be right to upload a set files from a different version and start solving a various kind of problems afterwards if something visible got broken, so I can not help you here. It is your own battle.

      • Jonatan Machado

        I also have this problem :(

    • Jonatan Machado

      You found a solution or this and the best solution?
      That and the right thing to do?


    • Sarah

      Ravi and Jonatan, probably you’re using a module that uses the code getConfirmation. What you both should do is update the module method for the new getPasswordConfirmation.

    • Gaurav

      Any solution for this ? i have the same issue after applying this patch.

  • Amit Kumar

    Can you please add the patch for or shall I use for

    • magentary

      The filesets are prepared on demand and there were no requests for stores running so far. When we prepare files for it will be added to the table.

      • Amit Kumar

        Thank you for the info, please let me know can I use patch file for as of now.

  • lidachaulet

    I installed the files, but now get redirected to /downloader/ and the Magento Installation Wizard screen.
    What do I do now?

    • magentary

      Make sure that you have app/etc/local.xml file with connection details to database and have not deleted it on occasion or any other files under app or lib.
      Basically, the redirect to /downloader/ states that installation is incomplete which can happen only if it was incomplete before or you have deleted some files at some time.

  • Rajnish


    Fatal error: Class ‘Mage_Install_Controller_Router_Install’ not found in/home/onesma6/public_html/includes/src/__default.php on line 17475
    Please Help me urgent

    • magentary

      Please make sure to read the article from beginning, where it states that Magento Compiler should be disabled prior to installation and a link to detailed instructions on how to disable Magento Compiler and clear compiled code provided.

  • GS

    Is there a patch for Magento Is the one compatible?

  • dammika


    First like to say thank you for the good work. My webshop is But after I applied the patch and when I clicked in the catalog > manage products is going to 404 page. Any help really appreciate.

    • magentary

      It indicates that some of your modules is not handling new secure implementation of admin router correctly. For solving the issue you can try to disable compiler, flush caches and re-login to Backend. If the issue persist, the offending module should be located and either upgraded or disabled.

  • mark

    by any chance will it be possibile to have a patch for ?

    • Tupor

      I need this too.

  • Juha


    Can you upload files for SUPEE-5994 to magento Or can I just use these files?


  • SEO Slim

    Hi, why is there a serperate patch for every single version whilst Magento provides one patch for all versions? We have like 50 webshops from upto 1.9.x so this is going to take a lot of time.

    • redesigned

      Magento didn’t just release a single version. The programmatic patches can patch a range of magneto versions, so they were able to release fewer versions of the patch files, but they still had to release several versions.

      Each version of Magento has differences in its code and the files being patched.

      A patch file programmatically patches the various magento files based on diffs, it finds the code in the file to replace with the new code regardless of location of that code within the file. Even so Magento released several versions of the patch files for different version ranges based on the changes they needed to apply. A patch file has to be executed in the shell in order to be able to perform this programmatic patching.

      The pre-patched files are version specific because those are the actual files for each version of magento with the patch pre-applied to them. They aren’t interchangeable because the files are different depending on the magento version. The benefit of these is they can just be ftp’ed into the proper locations without having to be executed from the shell.

      It won’t take any more time to use one version over the other. We have a large magento user base and I’ve patched close to 300 sites now. While I prefer the programatic patch and have written my own variation, I’m also super grateful for these pre-patched versions for the few clients where ssh access isn’t possible for whatever reason.

  • JR Decal

    I followed your instruction and successfully completed for the last 2 patches. But latest one is not working.I have Magento . Is there any thing I missed. any suggestion .


  • andhiirawan

    Hi Magentary, I’m waiting for How to install SUPEE-6482 without SSH :)

  • Ciccio

    This patch for version 1.8.1 works for Magento version 1.8.0?

    Thank you

  • Adam Fabian

    do you have the patched zip files for Enterprise specifically the 1.14.2 5994 patch?

  • El

    Hi, when I want to Disable Magento Compiler, Admin panel and site are closed with such message: Fatal error: Class ‘Mage_Install_Controller_Router_Install’ not found in /home/……./public_html/includes/src/__default.php on line 17418. Would you tell me how resolve this problem? Thank you.

  • Jayme Jayme

    What a fantastic work here!!! The only issue i have left with my site is patch 7405 v1 and v1.1 for magento v1.5.1.0. Could anybody help with a zipped files so i can manually implement each file?

  • Arsenii

    Could you please add to the table SUPEE-5994 patch for Magento Thank you.