JUL 07 2015

How to install SUPEE-6285 without SSH

According to announce sent on July 7, 2015 to all Magento installations new security patch SUPEE-6285 should be installed in addition to the previous Magento security patch (SUPEE-5994).

July 7, 2015: New Magento Security Patch (SUPEE-6285) – Install Immediately
Today we are providing a new security patch (SUPEE-6285) that addresses critical security vulnerabilities. The patch is available for Community Edition 1.4.1 to and is part of the core code of our latest release, Community Edition 1.9.2, available for download today. PLEASE NOTE: You must first implement SUPEE-5994 to ensure SUPEE-6285 works properly. Download Community Edition 1.9.2 or the patch from the Community Edition download page: https://www.magentocommerce.com/products/downloads/magento/

If you have no SSH access to apply the patch, you can simply upgrade your installation to Magento version which includes all the latest security patches (SUPEE-5344, SUPEE-5994, SUPEE-6285, SUPEE-6482). If Magento upgrade is not possible in the moment due to some reason you still can apply the patch via FTP/sFTP upload as shown in this article.

Please note, that the patch (SUPEE-6285) should be applied over SUPEE-5994, therefor all filesets prepared in this article provide both patches (SUPEE-5994 & SUPEE-6285) simultaneously. The fileset also will update one file from SUPEE-5344 (app/code/core/Mage/Oauth/controllers/Adminhtml/Oauth/AuthorizeController.php), therefor make sure to apply SUPEE-5344 before this patch.

If you have any difficulties with applying the patches please let us know in comments, so we can find the solution together.

If you wish to save time and have us to install these patches for you, simply click here to order installation.

Before patching make sure to Disable Magento Compiler if you use it at System > Configuration > Tools > Compilation and clear compiled cache.

Applying Magento patches via FTP/sFTP or FileManager / File Upload

To apply patches in this way we simply replace changed files. This way can not be used blindly if you or your developers have changed any core Magento files (which is a big no-no, by the way). Such changes should be re-applied to patched files, or you loose these changes.

SUPEE-6285 patch (Magento applied to the following files:

  • app/Mage.php
  • app/code/community/Phoenix/Moneybookers/controllers/MoneybookersController.php
  • app/code/core/Mage/Adminhtml/Controller/Action.php
  • app/code/core/Mage/Adminhtml/controllers/AjaxController.php
  • app/code/core/Mage/Adminhtml/controllers/Catalog/Category/WidgetController.php
  • app/code/core/Mage/Adminhtml/controllers/Catalog/Product/DatafeedsController.php
  • app/code/core/Mage/Adminhtml/controllers/Catalog/Product/ReviewController.php
  • app/code/core/Mage/Adminhtml/controllers/Catalog/Product/WidgetController.php
  • app/code/core/Mage/Adminhtml/controllers/Cms/Block/WidgetController.php
  • app/code/core/Mage/Adminhtml/controllers/Cms/Page/WidgetController.php
  • app/code/core/Mage/Adminhtml/controllers/Cms/PageController.php
  • app/code/core/Mage/Adminhtml/controllers/Cms/WysiwygController.php
  • app/code/core/Mage/Adminhtml/controllers/Customer/System/Config/ValidatevatController.php
  • app/code/core/Mage/Adminhtml/controllers/JsonController.php
  • app/code/core/Mage/Adminhtml/controllers/NotificationController.php
  • app/code/core/Mage/Adminhtml/controllers/Report/CustomerController.php
  • app/code/core/Mage/Adminhtml/controllers/Report/ProductController.php
  • app/code/core/Mage/Adminhtml/controllers/Report/ReviewController.php
  • app/code/core/Mage/Adminhtml/controllers/Report/SalesController.php
  • app/code/core/Mage/Adminhtml/controllers/Report/ShopcartController.php
  • app/code/core/Mage/Adminhtml/controllers/Report/TagController.php
  • app/code/core/Mage/Adminhtml/controllers/ReportController.php
  • app/code/core/Mage/Adminhtml/controllers/Rss/CatalogController.php
  • app/code/core/Mage/Adminhtml/controllers/Rss/OrderController.php
  • app/code/core/Mage/Adminhtml/controllers/Sales/Billing/AgreementController.php
  • app/code/core/Mage/Adminhtml/controllers/Sales/Order/View/GiftmessageController.php
  • app/code/core/Mage/Adminhtml/controllers/Sales/Recurring/ProfileController.php
  • app/code/core/Mage/Adminhtml/controllers/Sales/TransactionsController.php
  • app/code/core/Mage/Adminhtml/controllers/System/Config/System/StorageController.php
  • app/code/core/Mage/Adminhtml/controllers/TagController.php
  • app/code/core/Mage/Adminhtml/controllers/Tax/RateController.php
  • app/code/core/Mage/Adminhtml/controllers/TaxController.php
  • app/code/core/Mage/Api2/controllers/Adminhtml/Api2/AttributeController.php
  • app/code/core/Mage/Bundle/controllers/Adminhtml/Bundle/SelectionController.php
  • app/code/core/Mage/Captcha/controllers/Adminhtml/RefreshController.php
  • app/code/core/Mage/Centinel/controllers/Adminhtml/Centinel/IndexController.php
  • app/code/core/Mage/Checkout/controllers/MultishippingController.php
  • app/code/core/Mage/Connect/controllers/Adminhtml/Extension/LocalController.php
  • app/code/core/Mage/ImportExport/Model/Abstract.php
  • app/code/core/Mage/Oauth/controllers/Adminhtml/Oauth/AuthorizeController.php
  • app/code/core/Mage/Paygate/controllers/Adminhtml/Paygate/Authorizenet/PaymentController.php
  • app/code/core/Mage/Paypal/controllers/Adminhtml/Paypal/ReportsController.php
  • app/code/core/Mage/Rss/controllers/CatalogController.php
  • app/code/core/Mage/Rss/controllers/OrderController.php
  • app/code/core/Mage/Widget/Block/Adminhtml/Widget/Chooser.php
  • app/code/core/Mage/Widget/controllers/Adminhtml/WidgetController.php
  • app/design/frontend/base/default/template/checkout/cart.phtml
  • app/design/frontend/base/default/template/checkout/cart/noItems.phtml
  • app/design/frontend/base/default/template/checkout/onepage/failure.phtml
  • app/design/frontend/base/default/template/rss/order/details.phtml
  • app/design/frontend/base/default/template/wishlist/email/rss.phtml
  • app/design/frontend/default/modern/template/checkout/cart.phtml
  • downloader/Maged/.htaccess
  • downloader/Maged/Controller.php
  • downloader/Maged/Model/Session.php
  • downloader/lib/.htaccess
  • downloader/template/connect/packages.phtml
  • downloader/template/connect/packages_prepare.phtml
  • downloader/template/login.phtml
  • downloader/template/settings.phtml
  • errors/processor.php

UPDATE from July 10, 2015: added one more file to the list according to v2 patch update released by Magento:

  • app/design/frontend/rwd/default/template/checkout/cart.phtml

SUPEE-5994 patch adds the following files:

  • app/code/core/Mage/Authorizenet/controllers/Directpost/PaymentController.php
  • app/code/core/Mage/Core/Controller/Varien/Router/Admin.php
  • app/code/core/Mage/Core/Controller/Varien/Router/Standard.php
  • app/code/core/Mage/Customer/Model/Customer.php
  • app/code/core/Mage/Dataflow/Model/Convert/Parser/Csv.php
  • app/code/core/Mage/ImportExport/Model/Export/Adapter/Csv.php
  • app/code/core/Mage/Install/Controller/Router/Install.php
  • app/code/core/Mage/Install/etc/config.xml
  • app/code/core/Mage/Sales/controllers/Recurring/ProfileController.php
  • downloader/Maged/Model/Connect.php
  • downloader/Maged/View.php
  • downloader/template/connect/packages_prepare.phtml
  • downloader/template/messages.phtml
  • get.php
  • lib/PEAR/PEAR/PEAR.php
  • lib/PEAR/PEAR/PEAR5.php
  • lib/Varien/Io/File.php

Patched version of these files for Magento packed into single ZIP archive: SUPEE-6285-1.9.1v2. Simply unpack it and replace files on your store by uploading all folders and get.php file into your Magento root directory.

Patch for other versions

Older versions are patched in the same way, I am adding downloads for other versions into a single table on demand when I need to patch certain version:

Magento versionSUPEE-6285 (+SUPEE-5994)

* – included v2 update from July 10, 2015 for cart.phtml file from RWD theme


Verify patch status at our patch tester page.

If you use PHP opcode caches (APC/XCache/eAccelerator) make sure to flush it (or restart webserver) after patching, otherwise code will continue to run from caches.

Additionally, if your store still using default /admin/ path, you may consider securing your Magento /admin/ by admin path change and restrict access to /downloader/.


Update: Make sure also to apply the latest SUPEE-6482 released on August 4, 2015.

If you have any difficulties with applying the patches please let us know in comments, so we can find the solution together.

Posted in: Magento Maintenance

How to install SUPEE-6285 without SSH
68 votes, 4.91 avg. rating (97% score)
  • Frederik

    Thank you, you’re ready-made patches are always a great help with servers which have no SSH access or missing patch tools!

  • Peter Vowels

    I would like to thank you as well. What you do is a godsend …

  • Cristian

    Can you please post the patch for version 1.6 please?

    • Mage 1.6.2 User

      Yes please – I second that!

      Apart from that – thank you again for supplying the patch(ed) files!

      Regards from Switzerland

  • Verner

    Thank you! Can you please also provide the patch for release?

  • Mark

    Hi, Can someone help with the following

    /var/www$ sh ./PATCH_SUPEE-6285_CE_1.8.1.0_v1-2015-07-07-09-06-30.sh

    ./PATCH_SUPEE-6285_CE_1.8.1.0_v1-2015-07-07-09-06-30.sh: 14: ./PATCH_SUPEE-6285_CE_1.8.1.0_v1-2015-07-07-09-06-30.sh: 127: not found

    ./PATCH_SUPEE-6285_CE_1.8.1.0_v1-2015-07-07-09-06-30.sh: 14: ./PATCH_SUPEE-6285_CE_1.8.1.0_v1-2015-07-07-09-06-30.sh: 127: not found

    ./PATCH_SUPEE-6285_CE_1.8.1.0_v1-2015-07-07-09-06-30.sh: 25: ./PATCH_SUPEE-6285_CE_1.8.1.0_v1-2015-07-07-09-06-30.sh: 0: not found

    Checking if patch can be applied/reverted successfully…

    -e ERROR: Patch can’t be applied/reverted successfully.

    I also had two files fail

    patching file app/design/frontend/base/default/template/checkout/cart.phtml

    Hunk #1 FAILED at 98.

    1 out of 1 hunk FAILED — saving rejects to file app/design/frontend/base/default/template/checkout/cart.phtml.rej

    atching file downloader/Maged/Controller.php

    Hunk #4 succeeded at 451 (offset -5 lines).

    Hunk #5 FAILED at 1120.

    1 out of 5 hunks FAILED — saving rejects to file downloader/Maged/Controller.php.rej

    I have manually installed the 2 files and now get

    patching file app/design/frontend/base/default/template/checkout/cart.phtml

    Reversed (or previously applied) patch detected! Assume -R? [n]

    Apply anyway? [n]

    Skipping patch.

    1 out of 1 hunk ignored — saving rejects to file app/design/frontend/base/default/template/checkout/cart.phtml.rej

    Skipping patch.

    1 out of 1 hunk ignored — saving rejects to file app/design/frontend/base/default/template/checkout/cart.phtml.rej

    patching file downloader/Maged/Controller.php

    Reversed (or previously applied) patch detected! Assume -R? [n]

    Apply anyway? [n]

    Skipping patch.

    5 out of 5 hunks ignored — saving rejects to file downloader/Maged/Controller.php.rej

    • Mark

      processed manually thanks to the manual file above thanks

  • Ton de Visser

    Thanks again, the patch works great again. Just tried to update from to but that wasn’t a great idea, luckely my back-up worked and with your patch everything running smooth again.

  • muzafar

    Thank you! Can you please provide this patch for release?

  • Sam

    Hi guys, great work!

    Can you guys post the patch for version (Or would – fall under this?)


    • Thomas

      Yes please seconded, Thank you!

    • magentary require separate fileset, it has been added to the table.

  • Ahmed Tushar

    Thanks for great work again! Which zip file i will use for version you didn’t mention in Magento version.

  • Steve

    Any chance for please? I would massively appreciate it!!! Many thanks

  • vinod khajja

    Please provide patches for Magento community edition ver. . Many Thanks

  • Gary

    I installed the patch 6285 two days ago and got the email from magento today to revert the patch and install v2. problem is i don’t have shh access to i used the zip file. Do i really need to revert the previous version of can i simply download the file and upload the following directory

    Thanks a mill!!

    • magentary

      It should be sufficient to upload app/design/frontend/rwd/default/template/checkout/cart.phtml on top of it, there only changes in v2 are in this file. Btw, the download table is updated to v2 versions.

      • Gary

        Wow thanks for getting back to me so quickly. So I might as well just re-upload the entire v2 file? forgive my ignorance but what is ‘the download table’?

        • magentary

          Yes, you can re-upload the whole v2 fileset if needed, all links in the article are up to date. The download table I was referring to is just a table in the article above with links to zipped filesets:

          • Gary

            Sorry blond moment… great did it there and all worked smoothly. Thanks so much!!

  • vinod khajja

    Any chance for please? ! Many thanks

  • jewel

    Hi there, i added the files and now can’t get into my admin page. I get this message instead

    Front controller reached 100 router match iterations

    and get 4 lines of errors underneath. Please help if you can. I applied the previous patches with no problem.

  • Rajnish Malakar

    Could you please provides us Patch for And

  • algodat

    Is there a chance to test, if the patch was sucessful ?

  • aln85

    I need to patch version will the patch cover this?

    • adam688

      Did you try it out? Any result? It seems it is not working for us.

  • resende99

    Amazing job! Can we use SUPEE-6285-1.6.2 for Magento 1.6.1?

  • Prabu Prasath

    Hi please provide patch file for Magento version

    • magentary

      For EE versions please contact your Magento representatives

  • Dan Vince

    hi any chance of getting this for

    • resende99

      The pack seems to be working just fine for as well.

  • Peter

    Great Work! Is it possible for get a patch for

  • Daniel C


    Thank you for all the PATCHES in the first place!

    Magento ver.

    I installed all the PATCHES about 3 weeks ago, and now in the admin backend the CMS > STATIC BLOCKS and PAGES looks something like this only when I access a page or a static block to modify: http://screencast.com/t/Vurq9c8DmcX
    Any idea of what cause this?
    Maybe the modifications below?





    Thanks in advance!

    • magentary

      I would suggest to check PHP error log files for fatal PHP errors, as it looks like pages are just not finished on generation by PHP engine due to some reason (fatal errors, memory shortage, syntax error in PHP code). The PHP error log should give exact reason.
      As for the patches relation, it depends on implementation. The patches itself can not cause it, only if some files were not copied, or there are core class overrides in code of extensions or local code pool, or compiler cache was not cleared.

      • Daniel C

        Thank you for fast reply!

        Compiler is DISABLE chace Cleared many times.

        Only error I got is this

        [02-Oct-2015 06:17:02 UTC] PHP Fatal error: Class ‘Varien_Data_Collection_Filesystem’ not found in /public_html/app/code/core/Mage/Widget/Model/Widget/Config.php on line 85

        and on line 85 its says something like:

        * Return list of existing widget image placeholders
        * @return array
        public function getAvailablePlaceholderFilenames()
        $result = array();
        $targetDir = $this->getPlaceholderImagesBaseDir();
        if (is_dir($targetDir) && is_readable($targetDir)) {
        $collection = new Varien_Data_Collection_Filesystem(); addTargetDir($targetDir)
        foreach ($collection as $file) {
        $result[] = $file->getBasename();

        return $result;

        • Daniel C

          Another error in the system.log is:

          2015-10-02T06:17:02+00:00 ERR (3): Warning: include(Varien/Data/Collection/Filesystem.php): failed to open stream: No such file or directory in public_html/lib/Varien/Autoload.php on line 93
          2015-10-02T06:17:02+00:00 ERR (3): Warning: include(): Failed opening ‘Varien/Data/Collection/Filesystem.php’ for inclusion (include_path=’public_html/app/code/local:public_html/app/code/community:public_html/app/code/core:/public_html/lib:.:/usr/lib/php:/usr/local/lib/php’) in /public_html/lib/Varien/Autoload.php on line 93

          • magentary

            according to the log it can not find /lib/Varien/Data/Collection/Filesystem.php file

          • Daniel C

            Thank you man for open my eyes :). I am not a coder and don’t know much about coding.

            I checked that path and yes, that filesystem.php was not there, but it was filesystem.php.suspected . I don’t know how that file end up there.
            I uploaded a clean Filesystem.php and now everything is fine, I can see all the data on on CMS> Pages and Static Blocks content.
            Now, I don’t know if I have to delete that filesystem.php.suspected , what do you recommend?

            Thanks again for the infos you provide us!

  • Anurag Khandelwal

    Those who are asking for this patch for magento v1.8.0.0,
    Take the patch for magento v1.8.1.0 and do not include these files:
    1. downloader/Maged/Controller.php
    2. downloader/Maged/Model/Session.php
    3. downloader/template/connect/packages.phtml
    4. downloader/template/connect/packages_prepare.phtml
    5. downloader/template/login.phtml
    6. downloader/template/settings.phtml

    • Ashwani

      But these files does not present in magento v1.8.1.0 patch. Please suggest.

      • Anurag Khandelwal

        You have mistaken man, those files mentioned are present in bare magento Please check again

  • adam688

    Thanks for your great work. Can I install patch on ? Also Can I install patch on ?

    Also we can not upgrade our Magento higher version, due to the high risk. Pls help us out here, thanks for your support.

  • Rob Rasmussen

    Any chance of Pretty please? :-)