Magento 1.x Knowledge Base » Magento Maintenance » How to install SUPEE-6788 without SSH
Published: October 28, 2015
Last updated:

How to install SUPEE-6788 without SSH

Tags: ,
October 27, 2015: New Magento Security Patch (SUPEE-6788) – Install Immediately Today, we are releasing a new patch (SUPEE-6788) and Community Edition 1.9.2.2 to address 10+ security issues, including remote code execution and information leak vulnerabilities. This patch is unrelated to the Guruincsite malware issue. Be sure to test the patch in a development environment first, as it can affect extensions and customizations. Download the patch from the Community Edition Download page and learn more at http://magento.com/security/patches/supee-6788
If you have SSH access, it would be more simple to apply the patch via SSH. If you have no SSH access to apply the patch, you can simply upgrade your installation to Magento 1.9.2.2 version which includes all the latest security patches (SUPEE-5344, SUPEE-5994, SUPEE-6285, SUPEE-6482, SUPEE-6788). If Magento upgrade is not possible in the moment due to some reason you still can apply the patch via FTP/sFTP upload as shown in this article. Before applying this patch, make sure to apply all previous patches. If you wish to save time and have us to install these patches for you, simply click here to order installation.

Preparations

Warning: This patch may break some third-party modules that makes extensive use of custom variables and custom admin routes. Refer to community maintained list of all known incompatible extensions.

    Applying Magento patches via FTP/sFTP or FileManager / File Upload

    To apply patches in this way we simply replace changed files. This way can not be used blindly if you or your developers have changed any core Magento files (which is a big no-no, by the way). Such changes should be re-applied to patched files, or you loose these changes. The following files are changed by SUPEE-6788: 
    .htaccess
.htaccess.sample
app/code/core/Mage/Admin/Model/Block.php
app/code/core/Mage/Admin/Model/Resource/Block.php
app/code/core/Mage/Admin/Model/Resource/Block/Collection.php
app/code/core/Mage/Admin/Model/Resource/Variable.php
app/code/core/Mage/Admin/Model/Resource/Variable/Collection.php
app/code/core/Mage/Admin/Model/Variable.php
app/code/core/Mage/Admin/etc/config.xml
app/code/core/Mage/Admin/sql/admin_setup/upgrade-1.6.1.1-1.6.1.2.php
app/code/core/Mage/Adminhtml/Block/Permissions/Block.php
app/code/core/Mage/Adminhtml/Block/Permissions/Block/Edit.php
app/code/core/Mage/Adminhtml/Block/Permissions/Block/Edit/Form.php
app/code/core/Mage/Adminhtml/Block/Permissions/Block/Grid.php
app/code/core/Mage/Adminhtml/Block/Permissions/Variable.php
app/code/core/Mage/Adminhtml/Block/Permissions/Variable/Edit.php
app/code/core/Mage/Adminhtml/Block/Permissions/Variable/Edit/Form.php
app/code/core/Mage/Adminhtml/Block/Permissions/Variable/Grid.php
app/code/core/Mage/Adminhtml/controllers/Permissions/BlockController.php
app/code/core/Mage/Adminhtml/controllers/Permissions/VariableController.php
app/code/core/Mage/Adminhtml/etc/adminhtml.xml
app/code/core/Mage/Catalog/Model/Product/Option/Type/File.php
app/code/core/Mage/Core/Controller/Front/Action.php
app/code/core/Mage/Core/Controller/Varien/Router/Admin.php
app/code/core/Mage/Core/Helper/UnserializeArray.php
app/code/core/Mage/Core/Model/Email/Template/Filter.php
app/code/core/Mage/Core/Model/Resource/Setup.php
app/code/core/Mage/Core/etc/config.xml
app/code/core/Mage/Core/etc/system.xml
app/code/core/Mage/Customer/Block/Account/Changeforgotten.php
app/code/core/Mage/Customer/Block/Account/Resetpassword.php
app/code/core/Mage/Customer/controllers/AccountController.php
app/code/core/Mage/Downloadable/Model/Product/Type.php
app/code/core/Mage/Eav/Model/Resource/Attribute/Collection.php
app/code/core/Mage/Sales/Model/Resource/Order/Item/Collection.php
app/code/core/Mage/Sales/controllers/DownloadController.php
app/code/core/Mage/SalesRule/Model/Resource/Coupon/Collection.php
app/design/adminhtml/default/default/layout/admin.xml
app/design/frontend/base/default/layout/customer.xml
app/design/frontend/base/default/template/customer/form/register.phtml
app/design/frontend/base/default/template/customer/form/resetforgottenpassword.phtml
app/design/frontend/base/default/template/persistent/customer/form/register.phtml
app/design/frontend/default/iphone/layout/customer.xml
app/design/frontend/default/modern/layout/customer.xml
app/design/frontend/rwd/default/layout/customer.xml
app/design/frontend/rwd/default/template/customer/form/resetforgottenpassword.phtml
app/design/frontend/rwd/default/template/persistent/customer/form/register.phtml
cron.php
dev/tests/functional/.htaccess
errors/processor.php
lib/Unserialize/Parser.php
lib/Unserialize/Reader/Arr.php
lib/Unserialize/Reader/ArrKey.php
lib/Unserialize/Reader/ArrValue.php
lib/Unserialize/Reader/Bool.php
lib/Unserialize/Reader/Dbl.php
lib/Unserialize/Reader/Int.php
lib/Unserialize/Reader/Str.php
lib/Varien/Data/Collection/Db.php
lib/Zend/Xml/Security.php
    To install the patch via FTP/File Upload
    • select patch bundle archive corresponding to your Magento version from the table below and unpack it
    • upload all files and folders to Magento root directory of your store, replacing all files
    • delete dev/tests/functional/.htaccess from your store (if exists)
    Downloads for other versions added to table on demand when we patch certain version via file upload for the first time.
    Magento versionSUPEE-6788
    Magento 1.9.2.1SUPEE-6788-1.9.2.1
    Magento 1.9.2.0SUPEE-6788-1.9.2.0
    Magento 1.9.1.1SUPEE-6788-1.9.1.1
    Magento 1.9.1.0SUPEE-6788-1.9.1.0
    Magento 1.9.0.1SUPEE-6788-1.9.0.1
    Magento 1.8.1.0SUPEE-6788-1.8.1.0
    Magento 1.8.0.0SUPEE-6788-1.8.0.0
    Magento 1.7.0.2SUPEE-6788-1.7.0.2
    Magento 1.6.2.0SUPEE-6788-1.6.2.0
    Magento 1.6.1.0SUPEE-6788-1.6.1.0
    Magento 1.5.1.0SUPEE-6788-1.5.1.0

    Verification and flush of PHP opcode cache

    Verify patch status at our patch tester page. Test that your store is working. If you use PHP opcode caches (APC/XCache/eAccelerator) make sure to flush it after patching (or restart webserver), otherwise code will continue to run from caches.

    Post-installation

    Warning: Secure Admin routing for extensions is not applied by default after patch installation. To take all advantages of the patch Admin routing compatibility mode should be Disabled at System > Configuration > Admin > Security > Admin routing compatibility mode for extensions.
    You can disable it as shown below:
    Enabling Secure Admin Routing for extensions
    Disabling Secure Admin Routing compatibility mode for extensions
    Warning: This feature may break some (about ~80% at the moment) third-party extensions from working as expected. Make sure to update all third-party extensions, disable and uninstall any unused extensions and request an extension upgrades from developers if it does not work with this feature enabled..
    Additionally, if your store still use default /admin/ path, you may consider securing your Magento /admin/ by admin path change and restrict access to /downloader/.

    Known issues

    If you have any difficulties with applying the patches please let us know in comments, so we can find the solution together.

    Posted in: Magento Maintenance

    Related Posts

    70 votes, 4.59 avg. rating (91% score)