Applying & Reverting Magento Security Patches SUPEE-5344 & SUPEE-1533
So on 19th April 2015, every Magento store running a version lower than 188.8.131.52 received the inbox message about needing to apply the security patches SUPEE-5344 and SUPEE-1533.
This caused quite a stir amongst Magento store owners, with many not knowing how to apply the security patches to their store, especially those without SSH access to their server. (Your web host can provide SSH access, but usually only if you’re running a dedicated environment; otherwise jailed SSH can sometimes be provided, but with limitations.)
The critical inbox message read:-
Second Reminder: Download and install Magento critical security patches now.
If you have not done so already, download and install 2 previously-released security patches (SUPEE-5344 and SUPEE-1533) from the Magento Community Edition download page (https://www.magentocommerce.com/products/downloads/magento/). These security issues affect all versions of Magento Community Edition and enable an attacker to remotely execute code on Magento software. A press release from Check Point Software Technologies tomorrow will make one of these issues widely known, possibly alerting hackers who may try to exploit it. Ensure the patches are in place as a preventative measure before the issue is publicized.
The section for patches on the Magento downloads page is not very clear at best and doesn’t indicate which versions of Magento are affected by various vulnerabilities the patches are written for.
In the same section, Magento provide the following instructions for applying patches:-
Please upload the patch into your Magento root directory and run the appropriate SSH command:
For patch files with the file extension .sh:
Example: sh PATCH_SUPEE-1868_CE_184.108.40.206_v1.sh
For patch files with the file extension .patch:
patch -p0 < patch_file_name.patch
Once that is done, refresh the cache in the Admin under “System > Cache Management” so that the changes will be reflected. We highly recommend you test all patches in a test environment before taking them live.
This is the procedure for applying the patches with SSH access to your server. And here are some other useful methods for those wanting to apply these patches without SSH.
We have a lot of Magento clients running versions of Magento anywhere from 1.3.X to 1.9.X. As we expected, our inboxes were pretty active about these Magento security patches last week. For most, patching them up was plain sailing but in some instances of 1.7.X stores, we were receiving the following error message on Magento admin URLs:-
PHP Fatal error: Call to undefined method Mage_Core_Controller_Request_Http::getInternallyForwarded() in /var/www/vhosts/domain.co.uk/httpdocs/app/code/core/Mage/Admin/Model/Observer.php on line 76
Seeing as this was one of the files patched by the SUPEE-5344 patch (or specifically, in the case of v1.7.X, it is actually SUPEE-5345), it didn’t take us long to identify that the recently applied patch had caused this.
We were generally patching with the sh command in terminal but in the instance of this error, we reverted the patch to remove what had previously been applied and then re-ran the patch with the bash command instead which rectified the issue (something in the patch file could only be applied with bash rather than sh in this particular server environment it seems).
Downloaded SUPEE-5344 for Magento CE 1.7.X from the Magento downloads page. This will download as PATCH_SUPEE-5345_CE_220.127.116.11_v1-2015-02-10-08-11-22.sh, then upload it to the Magento root.
Apply the patch with sh in the server terminal:-
Cleared Magento cache:-
rm -rf var/cache/*
This is when we started receiving the error on the Magento URLs…
We then reverted the patch with
sh PATCH_SUPEE-5345_CE_18.104.22.168_v1-2015-02-10-08-11-22.sh -R
Then re-applied the patch with
Don’t forget to remove the patch files from your Magento root once you have applied them.
All our hosted Magento clients, those through The Clubnet Group / ClubnetSEM, will be patched as part of our hosting service at no extra cost.
You can check whether you are affected by this security vulnerability by running your domain and store admin URL through this Magento Shoplift Bug Tester tool kindly developed by byte which will return whether your store is affected and whether you need to apply the patches referenced in this post.
If your store is affected and you need some assistance, you can hire us to apply your security patches for you.
This issue (the error above) actually resurfaced a short while afterwards and although the above was mentioned by someone else on the web (using bash instead of sh for some server environments), in this particular instance, we found that one of the files that was being patched had a local override (/Mage/Core/Controller/Request/Http.php) so of course, as soon as the override was kicking in, the patched file wasn’t being seen. The local override was fixing another issue that is detailed in this post; Unable to Insert Uploaded Image into Content.
Will leave this post up as a reference though as it may help others still with applying the latest security patches to their Magento store.
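A check for the local-override problem described above, as an added example that is not part of the original post or of Magento's own tooling: it lists every app/code/core file named in a patch that is shadowed by a copy in the local or community code pool, so the override can be patched as well. It assumes the patch names its targets in standard unified-diff "+++ " headers relative to the Magento root (as patch -p0 implies); the function names, sample tree and sample patch are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). The patch excerpt and the
# directory tree below are constructed sample data.

# find_shadowed PATCH_FILE MAGENTO_ROOT
# Prints "<core file> shadowed by <override>" for every app/code/core file
# named in the patch's "+++ " headers that also exists in the local or
# community code pool, which Magento 1 searches before core.
find_shadowed() {
    sed -n 's|^+++ \(app/code/core/[^[:space:]]*\).*|\1|p' "$1" | sort -u |
    while IFS= read -r core_path; do
        rel=${core_path#app/code/core/}
        for pool in local community; do
            if [ -f "$2/app/code/$pool/$rel" ]; then
                printf '%s shadowed by app/code/%s/%s\n' "$core_path" "$pool" "$rel"
            fi
        done
    done
}

# make_sample DIR: build a constructed Magento-like tree and patch in DIR.
make_sample() {
    mkdir -p "$1/app/code/core/Mage/Core/Controller/Request" \
             "$1/app/code/core/Mage/Admin/Model" \
             "$1/app/code/local/Mage/Core/Controller/Request"
    : > "$1/app/code/core/Mage/Core/Controller/Request/Http.php"
    : > "$1/app/code/core/Mage/Admin/Model/Observer.php"
    : > "$1/app/code/local/Mage/Core/Controller/Request/Http.php"
    cat > "$1/sample.patch" <<'EOF'
--- app/code/core/Mage/Admin/Model/Observer.php
+++ app/code/core/Mage/Admin/Model/Observer.php
@@ -1 +1 @@
--- app/code/core/Mage/Core/Controller/Request/Http.php
+++ app/code/core/Mage/Core/Controller/Request/Http.php
@@ -1 +1 @@
EOF
}

# Demo run on the constructed sample: only Http.php has a local override.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
find_shadowed "$demo_dir/sample.patch" "$demo_dir"
rm -rf "$demo_dir"
```

Run it from the Magento root before and after patching; any file it reports will keep serving the unpatched code until the override itself is updated or removed.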