Magento Security Check & Patch Tester & Vulnerability scanner

On this page you can check whether your store is vulnerable to the most recent security issues and verify that Magento security patches are installed on your store.

To check which Magento security patches are applied, enter the frontend URL of your store:

 

For details on applying patches, please refer to the articles tagged with the patch tag or use our patch installation service.

  • Tom Calpin

    Hey Magentary, this tool is brilliant, thanks.
    One thing I’m getting when testing one shop is ‘Path disclosure: Magento root directory leaked:’, but it seems safe with all the other tests. Which vulnerability does this warning relate to?
    Thanks

    • Rashid

      Make sure that phpinfo file does not exist.

      • Brian Sirois

        What do you mean? There’s a phpinfo.php file in the public_html? Should I remove it?

        • Rashid

          Yep. I had the same issue.

  • Jayme Jayme

    SUPEE-6788: Unknown, can not determine patch status.

    What does this mean? According to another patch tester, it is saying 6788 is installed and OK.

  • Sejda Hajji

    I need to integrate this tool in my Laravel 5.2 application. How can I do this? Can anyone give me the source code? Thank you in advance.

  • Emma Natacha Bernard Schneider

    After patch installation, slider on homepage is lost!! How to reset the patch????

    • magentary

      To fix slider you may need to whitelist slider blocks after patch installation or correct the extension as per release notes/known issues section in instructions. To revert patch you can use --revert option for patch script or rollback all files replaced, depending on the way you applied the patch.

    • Michel Van de Wiel

      Hello Emma, resetting a patch is not very easy; you also need to remove something in the database! Can you tell me which package you want to remove?

  • Aaron McGuire

    I’m getting SUPEE-6788 is not installed, however it is. The others report it too. Not sure why this doesn’t catch it…

    • magentary

      Most likely SUPEE-6788 is applied against default theme only (by default only base and default themes are patched) and custom theme is still unpatched. You can refer to https://magentary.com/kb/magento-registration-form-does-not-work-after-supee-6788/ and https://magentary.com/kb/reset-password-blank-page-after-supee-6788/ for details on patching custom theme.

      • Aaron McGuire

        Thanks for the reply – are there any other possible patches required in the custom theme directory? Registration was previously patched and I am not overriding the password reset template.

        • Aaron McGuire

          You got me going on the right track and likely resolved issues I hadn’t received reports on yet, so thank you. I found the missing edit that your tester was catching:

          /app/design/frontend/YOUR_PACKAGE/YOUR_THEME/template/customer/form/resetforgottenpassword.phtml

          – <form action="getUrl(‘*/*/resetpasswordpost’, array(‘_query’ => array(‘id’ => $this->getCustomerId(), ‘token’ => $this->getResetPasswordLinkToken()))); ?>” method=”post” id=”form-validate”>
          + <form action="getUrl(‘*/*/resetpasswordpost’); ?>” method=”post” id=”form-validate”>
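          Review bot: neither `<form action=` line can be pasted into resetforgottenpassword.phtml as shown: both close the attribute with `; ?>` but have no opening PHP tag before `getUrl`, and the quotes are typographic. The change itself is the removal of the second `getUrl` argument, the `_query` array carrying `id` and `token`; make that edit by hand in each custom theme's copy of the template.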

          Thanks for your help!

          -edit: sorry about the code formatting :/
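
A local check for the case discussed in this thread, where SUPEE-6788 is applied to base/default but a custom theme still ships the old reset form. This is an added example, not the tester's own code: the theme names `acme/shop` and `acme/plain` and the sample templates are constructed, and the `<?php echo $this->` prefix in them is an assumption, since the lines in the comment lost it.

```python
import re
import tempfile
from pathlib import Path

# Template named in the comment above, relative to a theme directory.
RESET_TEMPLATE = Path("template/customer/form/resetforgottenpassword.phtml")

# Pre-patch form action passes id/token via '_query'; the patched one does not.
UNPATCHED = re.compile(r"resetpasswordpost['\"]\s*,\s*array\s*\(\s*['\"]_query['\"]")
PATCHED = re.compile(r"resetpasswordpost['\"]\s*\)")

def classify(source):
    """Classify one template's source by its reset form action."""
    if UNPATCHED.search(source):
        return "unpatched"
    return "patched" if PATCHED.search(source) else "unknown"

def audit_themes(magento_root):
    """Map every frontend 'package/theme' to the state of its reset template."""
    report = {}
    frontend = Path(magento_root, "app", "design", "frontend")
    for theme in sorted(p for p in frontend.glob("*/*") if p.is_dir()):
        template = theme / RESET_TEMPLATE
        if template.is_file():
            status = classify(template.read_text(encoding="utf-8", errors="replace"))
        else:
            status = "no override"  # theme does not ship its own copy
        report[f"{theme.parent.name}/{theme.name}"] = status
    return report

# Constructed sample templates, modelled on the two lines in the comment.
OLD = '''<form action="<?php echo $this->getUrl('*/*/resetpasswordpost', array('_query' => array('id' => $this->getCustomerId(), 'token' => $this->getResetPasswordLinkToken()))); ?>" method="post" id="form-validate">'''
NEW = '''<form action="<?php echo $this->getUrl('*/*/resetpasswordpost'); ?>" method="post" id="form-validate">'''

def build_sample_tree(root):
    """Create a constructed Magento-like tree: patched base, unpatched custom."""
    layout = {"base/default": NEW, "acme/shop": OLD, "acme/plain": None}
    for theme, source in layout.items():
        theme_dir = Path(root, "app", "design", "frontend", theme)
        theme_dir.mkdir(parents=True)
        if source is not None:
            target = theme_dir / RESET_TEMPLATE
            target.parent.mkdir(parents=True)
            target.write_text(source, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for theme, status in audit_themes(tmp).items():
            print(f"{theme}: {status}")
```

On a real store, call `audit_themes()` with the Magento root directory; any theme reported as `unpatched` still needs the edit shown in the comment above.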

  • Phonix Team

    Hello, thank you for your work, very professional and quick. thank you!

    Greetings from Switzerland
    Phonix Team

  • Jason Riner

    Hello, thank you very much for providing everyone with these. Regarding SUPEE-7405, how is that tested? For some reason despite applying the patch and triple checking everything, it keeps failing for some of our sites while others are ok. Magento 1.7.0.2 version passed successfully, but 1.8.1.0 and 1.9.1.0 do not. I’ve checked our custom templates as well to ensure those are updated, which they are. Any ideas?

    • Jason Riner

      I should also note that all of the sites check out fine for that patch on another tool

    • magentary

      Thank you for the notification about it. We have recently found false-positive triggering of SUPEE-7405 in some cases, like multi-stores or non-default path of default store view. It should be corrected now.

  • Spring Katze

    Good job.
    Unpatch store with morphed obfuscated code is not detected.

  • niceguys23

    Is there no good automated tool to check against security vulnerabilities? It seems that extensions / modules can be very abusive and very easily “patch” abusive code into some core functionalities of Magento…