Applying Magento CE SUPEE-6285 Security Patch (July 2015)

by Geoff Jackson · Published July 8, 2015 · Updated July 22, 2015

On 7th July 2015, Magento released a critical security patch (SUPEE-6285) that addresses the following security issues:-

It prevents attackers from posing as an administrator to gain access to the last orders feed, which contains personally identifiable information that can then be used to obtain more sensitive information in follow-on attacks. Check to see if you have been compromised by reviewing your server logs for someone trying to reach the /rss/NEW location.

It closes a number of security gaps including cross-site scripting (XSS), cross-site request forgery (CSRF), and error path disclosure vulnerabilities.

Before you apply this patch to your Magento store, you must have already applied patch SUPEE-5994 which was released on 14th May 2015. This will ensure that the patch works properly.

Applying & Installing Patch SUPEE-6285

Head to the Magento Downloads page and download the SUPEE-6285 security patch from the ‘Magento Community Edition Patches’ section. This patch is required from versions 1.6.0.0 to 1.9.1.1. If you upgrade your Magento CE version to 1.9.2.0, then this patch is already included.

Once you have downloaded the correct patch for your version of Magento, upload it to your Magento root (this is where you will see the Magento folders like app, media, skin etc).

Then SSH into your server (check this out for applying this patch if you don’t have SSH access) in your preferred method, navigate to your Magento root and apply the patch like below (change the name of your patch file to match the version you have):-

sh PATCH_SUPEE-6285_CE_1.9.1.1_v1-2015-07-07-09-03-34.sh

1	sh PATCH_SUPEE-6285_CE_1.9.1.1_v1-2015-07-07-09-03-34.sh

This will return whether the patch was applied/reverted successfully (if you receive any errors, feel free to leave a comment below with details). Hopefully, all should be good.

Be sure to clear your Magento cache after applying the patch:-

rm -rf var/cache/*

1	rm -rf var/cache/*

Don’t forget to remove the patch files from your Magento root once you have applied them.

Please note

This patch makes changes to template files (listed below). If the theme your Magento store is using overrides any of these files, then you would have to manually go into each one and make the necessary update(s):-

/checkout/cart.phtml
/checkout/cart/noItems.phtml
/checkout/onepage/failure.phtml
/rss/order/details.phtml
/wishlist/email/rss.phtml

If you have removed the default Magento modern theme from your Magento installation, you will receive an error like the below:-

can't find file to patch at input line 899
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git app/design/frontend/default/modern/template/checkout/cart.phtml app/design/frontend/default/modern/template/checkout/cart.phtml
|index 982ad5a..2bf6b37 100644
|--- app/design/frontend/default/modern/template/checkout/cart.phtml
|+++ app/design/frontend/default/modern/template/checkout/cart.phtml
--------------------------
File to patch:
Skip this patch? [y]
Skipping patch.
1 out of 1 hunk ignored

can't find file to patch at input line 899

Perhaps you used the wrong -p or --strip option?

The text leading up to this was:

--------------------------

|diff --git app/design/frontend/default/modern/template/checkout/cart.phtml app/design/frontend/default/modern/template/checkout/cart.phtml

|index 982ad5a..2bf6b37 100644

|--- app/design/frontend/default/modern/template/checkout/cart.phtml

|+++ app/design/frontend/default/modern/template/checkout/cart.phtml

--------------------------

File to patch:

Skip this patch? [y]

Skipping patch.

1 out of 1 hunk ignored

You will need to upload the modern theme (this patch only requires the frontend design files) which you can grab from here (make sure you get the copy for the version of Magento you are running. Once you have successfully applied the patch, you may remove the modern theme again if you wish.

Please find below a list of the changes to template files, as well as any other manual interactions your store may require post patch SUPEE-6285 courtesy of Ben at Sonassi:-

There’s a series of changes you need to make in addition to just running the patch.

I’ve used the 1.9.1.1 patch as an example here, but sadly, the patches differ dependent on release.

Custom template files

If you have modified or overridden the base/default template with your own package/design, then you’ll need to manually apply the patches as necessary to the following.

In app/design/frontend/base/default/template/checkout/cart.phtml,

- <button type="button" title="<?php echo $this->__('Continue Shopping') ?>" class="button btn-continue" onclick="setLocation('<?php echo $this->getContinueShoppingUrl() ?>')"><span><span><?php echo $this->__('Continue Shopping') ?></span></span></button> + <button type="button" title="<?php echo Mage::helper('core')->quoteEscape($this->__('Continue Shopping')) ?>" class="button btn-continue" onclick="setLocation('<?php echo Mage::helper('core')->quoteEscape($this->getContinueShoppingUrl()) ?>')"><span><span><?php echo $this->__('Continue Shopping') ?></span></span></button>

1
2
3

- <button type="button" title="<?php echo $this->__('Continue Shopping') ?>" class="button btn-continue" onclick="setLocation('<?php echo $this->getContinueShoppingUrl() ?>')"><span><span><?php echo $this->__('Continue Shopping') ?></span></span></button>
+ <button type="button" title="<?php echo Mage::helper('core')->quoteEscape($this->__('Continue Shopping')) ?>" class="button btn-continue" onclick="setLocation('<?php echo Mage::helper('core')->quoteEscape($this->getContinueShoppingUrl()) ?>')"><span><span><?php echo $this->__('Continue Shopping') ?></span></span></button>

In app/design/frontend/base/default/template/checkout/cart/noItems.phtml,

- <p><?php echo $this->__('Click <a href="%s">here</a> to continue shopping.', $this->getContinueShoppingUrl()) ?></p> + <p><?php echo $this->__('Click <a href="%s">here</a> to continue shopping.', Mage::helper('core')->quoteEscape($this->getContinueShoppingUrl())) ?></p>

1
2
3

- <p><?php echo $this->__('Click <a href="%s">here</a> to continue shopping.', $this->getContinueShoppingUrl()) ?></p>
+ <p><?php echo $this->__('Click <a href="%s">here</a> to continue shopping.', Mage::helper('core')->quoteEscape($this->getContinueShoppingUrl())) ?></p>

In app/design/frontend/base/default/template/checkout/onepage/failure.phtml

-<p><?php echo $this->__('Click <a href="%s">here</a> to continue shopping.', $this->getContinueShoppingUrl()) ?></p> +<p><?php echo $this->__('Click <a href="%s">here</a> to continue shopping.', Mage::helper('core')->quoteEscape($this->getContinueShoppingUrl())) ?></p>

1
2
3

-<p><?php echo $this->__('Click <a href="%s">here</a> to continue shopping.', $this->getContinueShoppingUrl()) ?></p>
+<p><?php echo $this->__('Click <a href="%s">here</a> to continue shopping.', Mage::helper('core')->quoteEscape($this->getContinueShoppingUrl())) ?></p>

In app/design/frontend/base/default/template/rss/order/details.phtml,

- <?php echo $this->__('Customer Name: %s', $_order->getCustomerFirstname()?$_order->getCustomerName():$_order->getBillingAddress()->getName()) ?><br /> - <?php echo $this->__('Purchased From: %s', $_order->getStore()->getGroup()->getName()) ?><br /> + <?php $customerName = $_order->getCustomerFirstname() ? $_order->getCustomerName() : $_order->getBillingAddress()->getName(); ?> + <?php echo $this->__('Customer Name: %s', Mage::helper('core')->escapeHtml($customerName)) ?><br /> + <?php echo $this->__('Purchased From: %s', Mage::helper('core')->escapeHtml($_order->getStore()->getGroup()->getName())) ?><br />

1
2
3
4
5
6

- <?php echo $this->__('Customer Name: %s', $_order->getCustomerFirstname()?$_order->getCustomerName():$_order->getBillingAddress()->getName()) ?><br />
- <?php echo $this->__('Purchased From: %s', $_order->getStore()->getGroup()->getName()) ?><br />
+ <?php $customerName = $_order->getCustomerFirstname() ? $_order->getCustomerName() : $_order->getBillingAddress()->getName(); ?>
+ <?php echo $this->__('Customer Name: %s', Mage::helper('core')->escapeHtml($customerName)) ?><br />
+ <?php echo $this->__('Purchased From: %s', Mage::helper('core')->escapeHtml($_order->getStore()->getGroup()->getName())) ?><br />

In app/design/frontend/base/default/template/wishlist/email/rss.phtml,

- <?php echo $this->__("RSS link to %s's wishlist",$this->helper('wishlist')->getCustomerName()) ?> + <?php echo $this->__("RSS link to %s's wishlist", Mage::helper('core')->escapeHtml($this->helper('wishlist')->getCustomerName())) ?>

1
2
3

- <?php echo $this->__("RSS link to %s's wishlist",$this->helper('wishlist')->getCustomerName()) ?>
+ <?php echo $this->__("RSS link to %s's wishlist", Mage::helper('core')->escapeHtml($this->helper('wishlist')->getCustomerName())) ?>

In app/design/frontend/default/modern/template/checkout/cart.phtml,

- <button type="button" title="<?php echo $this->__('Continue Shopping') ?>" class="button btn-continue" onclick="setLocation('<?php echo $this->getContinueShoppingUrl() ?>')"><span><span><?php echo $this->__('Continue Shopping') ?></span></span></button> + <button type="button" title="<?php echo Mage::helper('core')->quoteEscape($this->__('Continue Shopping')) ?>" class="button btn-continue" onclick="setLocation('<?php echo Mage::helper('core')->quoteEscape($this->getContinueShoppingUrl()) ?>')"><span><span><?php echo $this->__('Continue Shopping') ?></span></span></button>

1
2
3

- <button type="button" title="<?php echo $this->__('Continue Shopping') ?>" class="button btn-continue" onclick="setLocation('<?php echo $this->getContinueShoppingUrl() ?>')"><span><span><?php echo $this->__('Continue Shopping') ?></span></span></button>
+ <button type="button" title="<?php echo Mage::helper('core')->quoteEscape($this->__('Continue Shopping')) ?>" class="button btn-continue" onclick="setLocation('<?php echo Mage::helper('core')->quoteEscape($this->getContinueShoppingUrl()) ?>')"><span><span><?php echo $this->__('Continue Shopping') ?></span></span></button>

.htaccess rules

If you aren’t using a .htaccess compatbile web server, then you’ll need to manually add the following deny rules.

For Nginx,

location /downloader/Maged/ { deny all; } location /downloader/lib/ { deny all; }

1
2
3

location /downloader/Maged/ { deny all; }
location /downloader/lib/   { deny all; }

File permissions

If the user of your web server PHP process isn’t the owner of the document root and relies on group permissions, and the var/report or var/log directories are removed – you will encounter issues with the new default file permissions.

Eg. In the following scenario,

PHP User: www-data Doc Root User: sonassi Doc Root Group: www-data www-data members: sonassi, www-data

1
2
3
4
5

PHP User:        www-data
Doc Root User:   sonassi
Doc Root Group:  www-data
www-data members: sonassi, www-data

The revised default file permissions of 0750, will strip write permissions from the group – which will prohibit your web server from being able to write to the directory.

Equally, if you rely on the everyone permission, all access will be stripped.

Need any help?

All our hosted Magento clients, those through The Clubnet Group / ClubnetSEM will be patched as part of our hosting service at no extra cost.

If your store is affected and you need some assistance, you can hire us to apply your security patches for you.

Update 13/07/2015

If you had previously applied security patch SUPEE-6285 for Magento 1.9.0.0, 1.9.0.1, 1.9.1.0 or 1.9.1.1 before 9th July 2015, then there were some patches omitted in the patch you applied and you will need to revert that patch and download the new updated version from Magento (labelled as v2).

The omitted patches are on responsive web design (RWD) themes for XSS.

Tags: bash patches security ssh

Geoff Jackson

Geoff Jackson (more commonly known by his online pseudonym zigojacko) is the founder of Design Haven and The Clubnet Group which hosts numerous agencies including the most widely recognised of them, Clubnet Digital, a full service digital marketing and creative design/development agency. He also has a personal blog but it doesn't get updated as much as he'd like.