OCT 28 2015

How to install SUPEE-6788 without SSH

October 27, 2015: New Magento Security Patch (SUPEE-6788) – Install Immediately Today, we are releasing a new patch (SUPEE-6788) and Community Edition to address 10+ security issues, including remote code execution and information leak vulnerabilities. This patch is unrelated to the Guruincsite malware issue. Be sure to test the patch in a development environment first, as it can affect extensions and customizations. Download the patch from the Community Edition Download page and learn more at http://magento.com/security/patches/supee-6788
If you have SSH access, it would be more simple to apply the patch via SSH. If you have no SSH access to apply the patch, you can simply upgrade your installation to Magento version which includes all the latest security patches (SUPEE-5344, SUPEE-5994, SUPEE-6285, SUPEE-6482, SUPEE-6788). If Magento upgrade is not possible in the moment due to some reason you still can apply the patch via FTP/sFTP upload as shown in this article. Before applying this patch, make sure to apply all previous patches. If you wish to save time and have us to install these patches for you, simply click here to order installation.


Warning: This patch may break some third-party modules that makes extensive use of custom variables and custom admin routes. Refer to community maintained list of all known incompatible extensions.

    Applying Magento patches via FTP/sFTP or FileManager / File Upload

    To apply patches in this way we simply replace changed files. This way can not be used blindly if you or your developers have changed any core Magento files (which is a big no-no, by the way). Such changes should be re-applied to patched files, or you loose these changes. The following files are changed by SUPEE-6788:
    To install the patch via FTP/File Upload
    • select patch bundle archive corresponding to your Magento version from the table below and unpack it
    • upload all files and folders to Magento root directory of your store, replacing all files
    • delete dev/tests/functional/.htaccess from your store (if exists)
    Downloads for other versions added to table on demand when we patch certain version via file upload for the first time.
    Magento versionSUPEE-6788

    Verification and flush of PHP opcode cache

    Verify patch status at our patch tester page. Test that your store is working. If you use PHP opcode caches (APC/XCache/eAccelerator) make sure to flush it after patching (or restart webserver), otherwise code will continue to run from caches.


    Warning: Secure Admin routing for extensions is not applied by default after patch installation. To take all advantages of the patch Admin routing compatibility mode should be Disabled at System > Configuration > Admin > Security > Admin routing compatibility mode for extensions.
    You can disable it as shown below:
    Enabling Secure Admin Routing for extensions
    Disabling Secure Admin Routing compatibility mode for extensions
    Warning: This feature may break some (about ~80% at the moment) third-party extensions from working as expected. Make sure to update all third-party extensions, disable and uninstall any unused extensions and request an extension upgrades from developers if it does not work with this feature enabled..
    Additionally, if your store still use default /admin/ path, you may consider securing your Magento /admin/ by admin path change and restrict access to /downloader/.

    Known issues

    If you have any difficulties with applying the patches please let us know in comments, so we can find the solution together.

    Posted in: Magento Maintenance

    How to install SUPEE-6788 without SSH
    57 votes, 4.59 avg. rating (91% score)
    • Marco Ajon

      is there a Supee 6788 for Magento Version for those without SSH?

      • magentary

        Bundle for was recently added to the table

        • Marco Ajon

          Thank you!

    • Leo Lee

      any chance of getting this for Thank you!

      • Marc Hoover

        I second this…

        • Designer Visions

          Please let me know asap. can we use patch without ssh in

          • Marc Hoover

            Same here.

          • magentary

            Have not patched yet any installation, so have not checked it yet.

            • Designer Visions

              i have receive a request form magento community to update the path so can you give me the path zip folder . so i will update the path without ssh.

    • Michael Chan

      Admin routing compatibility mode for extensions is set to “Enable” for me automatically after I apply the patch and the little text under it said “Enabling this setting increases risk of automated attacks against admin functionality.”

      So are we suppose to keep this “Enable” or “Disable”

      • magentary

        Admin routing compatibility mode setting should be set to Disabled to take all advantages of secured admin routing provided in patch.

    • Tarun Patel


      I need to installed Magento Security Patch (SUPEE-6788) for Magento ver.

      can you please advise me which are used from above one ?


    • Wagner Nicolak

      I tried to install the patch via FTP in version . Replaces the files correctly by doing step by step. I changed the option in the Admin Secure Routing for Disabled. And likewise , I consulted the safety of the site and still appears that Patch 6788 is not installed. But someone with the same problem ?

      Updated the magento through the Connect to the version and continues accusing the lack of Patch 6788 .

      But someone with the same problem ?

      • magentary

        it can be due to “register.phtml” and “resetforgottenpassword.phtml” templates in your theme that are still unpatched

        • Wagner Nicolak

          I had forgotten to change the files in the template, which is based on RWD. And besides, I use a custom module for the customer registration. Just changed the row for “form-key” (hidden). And the problem is remedied. Thank you for the answer.

    • Tong Lin

      can I use Magento’s one for Magento ?

      • magentary

        No, it would not work, version require own patch bundle.

    • Shilpa Ingenious

      In magento There is no option for “Admin routing compatibility mode for extensions”. Without this option Can I install new patch 6788 ?

      • magentary

        The option is added only after SUPEE-6788 installation. It is expected that there are no such option prior to the patch installation.

    • Jürgen

      After uploading the files for I got an error. It’s in the picture below.
      Is this my fault and how could I remove this mistake?

      • magentary

        As shown in the error message, magestore/bannerslider extension causing SQL syntax error. You can disable the extension or request extension upgrade from developers to solve it.

    • Leo

      Updated via FTP following the steps.
      But testing on the test site it says that 6788 is not applied
      Any suggestion?

      • Lucas

        Check the “register.phtml” and “resetforgottenpassword.phtml”….
        For me was that…

      • Manuel

        Same here. After patch upload for Magento 1.8.1 your testing tool can’t recognize the previous installed patches. There is only “Unknown, can not determine patch status.” for SUPEE-5344, SUPEE-6285, SUPEE-6482 and SUPEE-6788. Which I have definitely installed.

    • volker

      I tried to apply the patch via script and get an error:
      [[email protected] httpdocs]# sh PATCH_SUPEE-6788_CE_1.8.1.0_v1-2015-10-26-11-59-27.sh /?
      Checking if patch can be applied/reverted successfully…
      ERROR: Patch can’t be applied/reverted successfully.

      patching file .htaccess
      can’t find file to patch at input line 38
      Perhaps you used the wrong -p or –strip option?
      The text leading up to this was:
      |diff –git .htaccess.sample .htaccess.sample
      |index b8821af..383313a 100644
      |— .htaccess.sample
      |+++ .htaccess.sample

    • Lukas

      Worked well on magento no bugs after installation. Thanks again!

      • Lukas

        Just one problem appeared the form_key hidden input field doesnt show up in my frontend. I added updated file to my template but it doesnt work. Do i have to reload cache?

        • Lukas

          Found a resolution. I had to update customer/form/register.phtml AND persistent/customer/form/register.phtml files. If not the patch would show up as not installed on magereport and the register-form won’t work.

    • Christian

      Can you please upload the files for version ?

    • owenpiccirillo

      After upload, I am still getting the error in the check page: SUPEE-6788: Vulnerable, immediate attention required.

      How do I flush or restart to get this working:

      Test that your store is working. If you use PHP opcode caches (APC/XCache/eAccelerator) make sure to flush it after patching (or restart webserver), otherwise code will continue to run from caches.

    • http://ethniccode.com/ Haya India

      I am planning to update the extensions and theme first and then apply the patch? Is this approach ok?

    • Tere

      Hello, you’re going to upload the version ?
      Is on the Magento website but I need to apply for files. Thank you!!

      • Tim

        2nd that. Please 1.5.1 Version!

    • Faye Pinner

      Hi There

      I am just reviewing the files, which I will be replacing as apart of the SUPEE-6788 patch.

      However I have noticed that the some of the file paths are different in the SUPEE-6788 update, compared to my cPanel.

      Some of the folders / files do not exist on my cPanel. I just want to be sure how to manage this issue.

      I have a pretty limited knowledge of Magento and this will be my first security patch update.

      The main issues are the following file paths:

      In SUPEE-6788 as:
      However the folder “Block” does not exist inside the Permissions Folder on my cPanel

      In SUPEE-6788 as:
      However the folder “Variable” does not exist inside the Permissions Folder on my cPanel

      In SUPEE-6788 as:
      However the folder “Unserialize” does not exist on my cPanel

      In SUPEE-6788 as:
      However the folder “Xml” does not exist inside Zend on my cPanel

      Should I be creating new folders within my cPanel to match the SUPPE-6788 file paths? Or what should I be doing?

      Other issues include:
      In your list of files affected as:
      However the folder “rwd” does not exist on my cPanel or inside the SUPEE-6788 Download
      In your list of files affected as:
      However the Folder “Front” does not exist in the SUPEE-6788 download

      In your list of files affected as:
      However no updated file for cron.php exists in the SUPEE-6788 Download

      In your list of files affected as:
      However the folder “dev” does not exist on my cPanel or inside the SUPEE-6788 download

      Also these files do not currently exist on my cPanel, should I just save them there although I will not be replacing any files?





      Sorry if this is overwhelming, I just want to be super careful.


    • Bogdan

      Hello, you’re going to upload the version ?
      Is on the Magento website but I need to apply for files. Thank you!!

    • Chewster

      I also would like to place a request for the 1.6.2 patch bundle

    • Lukas

      Can it be that app/code/core/Mage/Admin/sql/admin_setup/upgrade- is missing?

    • Gladdert

      After instal the SUPEE-6788- for my magento 1.7.02 this error appeared

      a:5:{i:0;s:237:”Error in file: “/var/www/vhosts/biodiesel.nl/httpdocs/parasoldoek/app/code/core/Mage/Admin/sql/admin_setup/upgrade-” –
      SQLSTATE[42S01]: Base table or view already exists: 1050 Table ‘permission_variable’ already exists”;i:1;s:1173:”
      #0 /var/www/vhosts/biodiesel.nl/httpdocs/parasoldoek/app/code/core/Mage/Core/Model/Resource/Setup.php(644): Mage::exception(‘Mage_Core’, ‘Error in file: …’)
      #1 /var/www/vhosts/biodiesel.nl/httpdocs/parasoldoek/app/code/core/Mage/Core/Model/Resource/Setup.php(437): Mage_Core_Model_Resource_Setup->_modifyResourceDb(‘upgrade’, ‘’, ‘’)
      #2 /var/www/vhosts/biodiesel.nl/httpdocs/parasoldoek/app/code/core/Mage/Core/Model/Resource/Setup.php(320): Mage_Core_Model_Resource_Setup->_upgradeResourceDb(‘′, ‘’)
      #3 /var/www/vhosts/biodiesel.nl/httpdocs/parasoldoek/app/code/core/Mage/Core/Model/Resource/Setup.php(235): Mage_Core_Model_Resource_Setup->applyUpdates()
      #4 /var/www/vhosts/biodiesel.nl/httpdocs/parasoldoek/app/code/core/Mage/Core/Model/App.php(417): Mage_Core_Model_Resource_Setup::applyAllUpdates()
      #5 /var/www/vhosts/biodiesel.nl/httpdocs/parasoldoek/app/code/core/Mage/Core/Model/App.php(343): Mage_Core_Model_App->_initModules()
      #6 /var/www/vhosts/biodiesel.nl/httpdocs/parasoldoek/app/Mage.php(683): Mage_Core_Model_App->run(Array)
      #7 /var/www/vhosts/biodiesel.nl/httpdocs/parasoldoek/index.php(106): Mage::run(‘nl’, ‘store’)
      #8 {main}”;s:3:”url”;s:32:”/parasoldoek/index.php/kokosnoot”;s:11:”script_name”;s:22:”/parasoldoek/index.php”;s:4:”skin”;s:7:”default”;}

    • newbie

      I replaced the files for version But after replacing the files I cannot acces my shop anymore.
      I am getting the installation wizard. What I am doing wrong?

    • Michel Post

      Can we use SUPEE-6788- for Magento Or is there a separate version coming for Magento

    • Zuiko

      Hello, I saw that the patch has been published til 1.4.0
      could it be available without SSH for (at least) please ?
      Thank you very much in advance.

    • Zuiko

      Could it be possible to get the files for ?
      Thanks a lot.

    • devteam

      SQLSTATE[42S22]: Column not found: 1054 Unknown column ‘CONCAT(lastname, ‘ ‘, firstname)’ in ‘where clause’

      #0 /home/cosmetic/public_html/lib/Varien/Db/Statement/Pdo/Mysql.php(110): Zend_Db_Statement_Pdo->_execute(Array)
      #1 /home/cosmetic/public_html/lib/Zend/Db/Statement.php(300): Varien_Db_Statement_Pdo_Mysql->_execute(Array)
      #2 /home/cosmetic/public_html/lib/Zend/Db/Adapter/Abstract.php(479): Zend_Db_Statement->execute(Array)
      #3 /home/cosmetic/public_html/lib/Zend/Db/Adapter/Pdo/Abstract.php(238): Zend_Db_Adapter_Abstract->query(‘SELECT COUNT(*)…’, Array)
      #4 /home/cosmetic/public_html/lib/Varien/Db/Adapter/Pdo/Mysql.php(428): Zend_Db_Adapter_Pdo_Abstract->query(‘SELECT COUNT(*)…’, Array)
      #5 /home/cosmetic/public_html/lib/Zend/Db/Adapter/Abstract.php(825): Varien_Db_Adapter_Pdo_Mysql->query(Object(Varien_Db_Select), Array)
      #6 /home/cosmetic/public_html/lib/Varien/Data/Collection/Db.php(225): Zend_Db_Adapter_Abstract->fetchOne(Object(Varien_Db_Select), Array)
      #7 /home/cosmetic/public_html/lib/Varien/Data/Collection.php(225): Varien_Data_Collection_Db->getSize()
      #8 /home/cosmetic/public_html/lib/Varien/Data/Collection.php(211): Varien_Data_Collection->getLastPageNumber()
      #9 /home/cosmetic/public_html/lib/Varien/Data/Collection/Db.php(522): Varien_Data_Collection->getCurPage()
      #10 /home/cosmetic/public_html/lib/Varien/Data/Collection/Db.php(569): Varien_Data_Collection_Db->_renderLimit()
      #11 /home/cosmetic/public_html/app/code/core/Mage/Adminhtml/Block/Widget/Grid.php(533): Varien_Data_Collection_Db->load()
      #12 /home/cosmetic/public_html/app/code/local/Inno/Adminhtml/Block/Sales/Order/Grid.php(24): Mage_Adminhtml_Block_Widget_Grid->_prepareCollection()
      #13 /home/cosmetic/public_html/app/code/core/Mage/Adminhtml/Block/Widget/Grid.php(626): Inno_Adminhtml_Block_Sales_Order_Grid->_prepareCollection()
      #14 /home/cosmetic/public_html/app/code/core/Mage/Adminhtml/Block/Widget/Grid.php(632): Mage_Adminhtml_Block_Widget_Grid->_prepareGrid()
      #15 /home/cosmetic/public_html/app/code/core/Mage/Core/Block/Abstract.php(862): Mage_Adminhtml_Block_Widget_Grid->_beforeToHtml()
      #16 /home/cosmetic/public_html/app/code/core/Mage/Core/Block/Abstract.php(582): Mage_Core_Block_Abstract->toHtml()
      #17 /home/cosmetic/public_html/app/code/core/Mage/Core/Block/Abstract.php(526): Mage_Core_Block_Abstract->_getChildHtml(‘grid’, true)
      #18 /home/cosmetic/public_html/app/code/core/Mage/Adminhtml/Block/Widget/Grid/Container.php(77): Mage_Core_Block_Abstract->getChildHtml(‘grid’)
      #19 /home/cosmetic/public_html/app/design/adminhtml/default/default/template/widget/grid/container.phtml(36): Mage_Adminhtml_Block_Widget_Grid_Container->getGridHtml()
      #20 /home/cosmetic/public_html/app/code/core/Mage/Core/Block/Template.php(241): include(‘/home/cosmetic/…’)
      #21 /home/cosmetic/public_html/app/code/core/Mage/Core/Block/Template.php(272): Mage_Core_Block_Template->fetchView(‘adminhtml/defau…’)
      #22 /home/cosmetic/public_html/app/code/core/Mage/Core/Block/Template.php(286): Mage_Core_Block_Template->renderView()
      #23 /home/cosmetic/public_html/app/code/core/Mage/Adminhtml/Block/Template.php(81): Mage_Core_Block_Template->_toHtml()
      #24 /home/cosmetic/public_html/app/code/core/Mage/Adminhtml/Block/Widget/Container.php(308): Mage_Adminhtml_Block_Template->_toHtml()
      #25 /home/cosmetic/public_html/app/code/core/Mage/Core/Block/Abstract.php(863): Mage_Adminhtml_Block_Widget_Container->_toHtml()
      #26 /home/cosmetic/public_html/app/code/core/Mage/Core/Block/Text/List.php(43): Mage_Core_Block_Abstract->toHtml()
      #27 /home/cosmetic/public_html/app/code/core/Mage/Core/Block/Abstract.php(863): Mage_Core_Block_Text_List->_toHtml()
      #28 /home/cosmetic/public_html/app/code/core/Mage/Core/Block/Abstract.php(582): Mage_Core_Block_Abstract->toHtml()
      #29 /home/cosmetic/public_html/app/code/core/Mage/Core/Block/Abstract.php(526): Mage_Core_Block_Abstract->_getChildHtml(‘content’, true)
      #30 /home/cosmetic/public_html/app/design/adminhtml/default/default/template/page.phtml(74): Mage_Core_Block_Abstract->getChildHtml(‘content’)
      #31 /home/cosmetic/public_html/app/code/core/Mage/Core/Block/Template.php(241): include(‘/home/cosmetic/…’)
      #32 /home/cosmetic/public_html/app/code/core/Mage/Core/Block/Template.php(272): Mage_Core_Block_Template->fetchView(‘adminhtml/defau…’)
      #33 /home/cosmetic/public_html/app/code/core/Mage/Core/Block/Template.php(286): Mage_Core_Block_Template->renderView()
      #34 /home/cosmetic/public_html/app/code/core/Mage/Adminhtml/Block/Template.php(81): Mage_Core_Block_Template->_toHtml()
      #35 /home/cosmetic/public_html/app/code/core/Mage/Core/Block/Abstract.php(863): Mage_Adminhtml_Block_Template->_toHtml()
      #36 /home/cosmetic/public_html/app/code/core/Mage/Core/Model/Layout.php(555): Mage_Core_Block_Abstract->toHtml()
      #37 /home/cosmetic/public_html/app/code/core/Mage/Core/Controller/Varien/Action.php(390): Mage_Core_Model_Layout->getOutput()
      #38 /home/cosmetic/public_html/app/code/core/Mage/Adminhtml/controllers/Sales/OrderController.php(95): Mage_Core_Controller_Varien_Action->renderLayout()
      #39 /home/cosmetic/public_html/app/code/core/Mage/Core/Controller/Varien/Action.php(419): Mage_Adminhtml_Sales_OrderController->indexAction()
      #40 /home/cosmetic/public_html/app/code/core/Mage/Core/Controller/Varien/Router/Standard.php(254): Mage_Core_Controller_Varien_Action->dispatch(‘index’)
      #41 /home/cosmetic/public_html/app/code/core/Mage/Core/Controller/Varien/Front.php(176): Mage_Core_Controller_Varien_Router_Standard->match(Object(Mage_Core_Controller_Request_Http))
      #42 /home/cosmetic/public_html/app/code/core/Mage/Core/Model/App.php(354): Mage_Core_Controller_Varien_Front->dispatch()
      #43 /home/cosmetic/public_html/app/Mage.php(683): Mage_Core_Model_App->run(Array)
      #44 /home/cosmetic/public_html/index.php(87): Mage::run(”, ‘store’)
      #45 {main}

      Error log record number: 1420504705103

      I got this error trying to filter orders by name in Magento do you have any soultion?

    • Zuiko

      do you schedule to provide us the files for the version ?
      (available as patch on Magento website but not here as files)
      Thank you a lot.

      • Tere


    • Airsea

      Dear sirs,
      we downloaded the patch SUPEE-6788 bundle archive corresponding to our Magento version
      and identified some folders are missing according to your (+ expand source) table,
      namely: Front/Action.php on row 024, rwd/default on rows 046, 047, 048, and lib/Zend/Xml/Security.php at the last row.

      Is there missing something? Or the information on the expand source table is for other Magento versions?

      Thank you for your attention, looking forward to hearing from you!

      • magentary

        Information in file listing under the expand source table corresponds to Magento version. Older versions have slightly different set of files.

        • Airsea

          Dear Magentary,
          we thank you for the response and clarification.

          Thank you for your attention !

    • Jagdish Ram

      I updated the patch file for Magento, and found the issues as I checked the file app/code/core/Mage/Customer/Model/Session.php the function have authenticate() has the $action->setRedirectWithCookieCheck(Mage_Customer_Helper_Data::ROUTE_ACCOUNT_LOGIN, Mage::helper(‘customer’)->getLoginUrlParams());

      Here “setRedirectWithCookieCheck” functions does not exists in Magento, as well does not exists Mage_Customer_Helper_Data::ROUTE_ACCOUNT_LOGIN & Mage::helper(‘customer’)->getLoginUrlParams() in Magento, so getting the issues on login redirection etc,
      Please confirm that the patch files provided by you SUPEE-6788- are correct version patch files?

      • magentary

        app/code/core/Mage/Customer/Model/Session.php is not changed in SUPEE-6788- file, there is no such file in the archive as well as there is no any reference to setRedirectWithCookieCheck function. Please make sure that you have downloaded correct file.

    • Zuiko

      No news about version ? Just a little bit of effort please ;-) or a method to do it…

    • Tere

      Please 1.4 version! :p

    • Yaniv Nir

      Hi, I did patch the SUPEE-6788.
      When I scan the site on your “Magento Security Patch Tester” it say the patch not installed. When I check it on http://www.magereport.com it is saying patch is installed. I have to say that the theme developer added some changes to the theme because of magento changed after patch applying like system-permissions-blocks

    • Joelton

      Thank you very much! Work for me! My magento Version is and have so much issues.

    • Tan KianBoon

      I am on Magento
      Unzip SUPEE-6788- and I do not see this file –> lib/Zend/Xml/Security.php
      Please advise.

    • eric

      Hi there, I’ve installed supee 6788, and now I can’t log into the backend. How it is possible? my magento version is and we did all the patches before this one.
      I need help.