How to apply Magento security patches SUPEE-1533, SUPEE-5344 and SUPEE-5994 without SSH

Magento Imagine 2015 brought plenty of good news for the Ecommerce industry worldwide. People from all over the world gathered for this conference. About 30% of Ecommerce stores trust Magento, and the Magento framework is becoming another name for the Ecommerce store. At the same time, Magento is working to close serious security vulnerabilities through patches. Recently, it released SUPEE-5994. Days before that, it made a crucial move on security issues by releasing patches SUPEE-1533 and SUPEE-5344.

Why was the vulnerability serious?

Every vulnerability should be treated as a serious issue because it harms the store in one way or another. Netanel Rubin, who found the hole, conveyed that it put over 2,30,000 Magento stores at risk, since the hole gave access to the Admin rights of the store. Whoever gets the Admin rights effectively becomes the owner of that Ecommerce store: everything from customer information to credit card data can be accessed remotely.

From Hacker’s point of view:

• A hacked Magento store can be used to attack and access other sites.
• A hacker could turn the hacked Magento site into a phishing site hosted on our server.
• Data intercepted from the hacked store can be sold, resulting in complete disclosure of the store’s information.

Feasible Solutions:

The fix for the vulnerability is available on the Magento Connect marketplace, where you need to download the patch. The patch contains a .sh file which needs to be executed over SSH. This requires technical expertise and precise communication between the developer and the store admin, so a small mishap can lead to a greater vulnerability.

Let’s take the Milople way, the easy way:

We found that the security patches SUPEE-1533, SUPEE-5344 and SUPEE-5994 mainly affect the following Magento files:

Changes made through patch SUPEE-1533:

• app/code/core/Mage/Adminhtml/Block/Dashboard/Graph.php
• app/code/core/Mage/Adminhtml/controllers/DashboardController.php

Changes made through patch SUPEE-5344:

• app/code/core/Mage/Admin/Model/Observer.php
• app/code/core/Mage/Core/Controller/Request/Http.php
• app/code/core/Mage/Oauth/controllers/Adminhtml/Oauth/AuthorizeController.php
• app/code/core/Mage/XmlConnect/Model/Observer.php
• lib/Varien/Db/Adapter/Pdo/Mysql.php

Changes made through patch SUPEE-5994:

• app/code/core/Mage/Authorizenet/controllers/Directpost/PaymentController.php
• app/code/core/Mage/Core/Controller/Varien/Router/Admin.php
• app/code/core/Mage/Core/Controller/Varien/Router/Standard.php
• app/code/core/Mage/Customer/Model/Customer.php
• app/code/core/Mage/Dataflow/Model/Convert/Parser/Csv.php
• app/code/core/Mage/ImportExport/Model/Export/Adapter/Csv.php
• app/code/core/Mage/Install/Controller/Router/Install.php
• app/code/core/Mage/Install/etc/config.xml
• app/code/core/Mage/Sales/controllers/Recurring/ProfileController.php
• downloader/Maged/Model/Connect.php
• downloader/Maged/View.php
• downloader/template/connect/packages_prepare.phtml
• downloader/template/messages.phtml
• get.php
• lib/PEAR/PEAR/PEAR.php
• lib/PEAR/PEAR/PEAR5.php
• lib/Varien/Io/File.php

Steps to follow:

• Take a backup of your Magento store
• Download the zip applicable to your store from the table below:

Magento Version           | SUPEE-1533           | SUPEE-5344           | SUPEE-5994
--------------------------|----------------------|----------------------|------------------------
Magento 1.9.1.1           | SUPEE-1533-1.9.zip   | SUPEE-5344-1.9.zip   | SUPEE-5994-1.9.1.1.zip
Magento 1.9.1.0 – 1.9.0.1 | SUPEE-1533-1.9.zip   | SUPEE-5344-1.9.zip   | SUPEE-5994-1.9.1.0.zip
Magento 1.8.1.0           | SUPEE-1533-1.8.zip   | SUPEE-5344-1.8.zip   | SUPEE-5994-1.8.1.zip
Magento 1.7.0.2           | SUPEE-1533-1.7.zip   | SUPEE-5344-1.7.zip   | SUPEE-5994-1.7.0.2.zip
Magento 1.6.1.0 – 1.6.2.0 | SUPEE-1533-1.6.zip   | SUPEE-5344-1.6.zip   | SUPEE-5994-1.6.zip
Magento 1.5.1.0           | SUPEE-1533-1.5.1.zip | SUPEE-5344-1.5.1.zip | SUPEE-5994-1.5.1.zip
Magento 1.4.2.0           |                      |                      | SUPEE-5994-1.4.2.zip
Magento 1.4.1.0 – 1.4.1.1 |                      |                      | SUPEE-5994-1.4.1.zip

• Unzip the downloaded file and paste its contents under the Magento root directory.
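
Because this method overwrites core files with the contents of a zip, it is worth checking what the archive contains before uploading it. The following is an added example, not part of the original post or Milople's code: it compares a patch archive's entries with the file lists given above and reports anything extra, missing, or written outside the Magento root. It assumes entries are stored relative to the Magento root; `audit_patch_zip` and `build_sample_zip` are hypothetical names and the sample archive is constructed.

```python
import io
import zipfile
from pathlib import PurePosixPath

# File lists copied from this page (two of the three patches).
EXPECTED = {
    "SUPEE-1533": {
        "app/code/core/Mage/Adminhtml/Block/Dashboard/Graph.php",
        "app/code/core/Mage/Adminhtml/controllers/DashboardController.php",
    },
    "SUPEE-5344": {
        "app/code/core/Mage/Admin/Model/Observer.php",
        "app/code/core/Mage/Core/Controller/Request/Http.php",
        "app/code/core/Mage/Oauth/controllers/Adminhtml/Oauth/AuthorizeController.php",
        "app/code/core/Mage/XmlConnect/Model/Observer.php",
        "lib/Varien/Db/Adapter/Pdo/Mysql.php",
    },
}

def audit_patch_zip(zip_bytes, patch):
    """Return (unexpected, missing, unsafe) entry names for a patch archive."""
    expected = EXPECTED[patch]
    seen, unexpected, unsafe = set(), [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.replace("\\", "/")
            path = PurePosixPath(name)
            if path.is_absolute() or ".." in path.parts:
                unsafe.append(name)      # would be written outside the root
            elif name in expected:
                seen.add(name)
            else:
                unexpected.append(name)  # not a file this patch is said to touch
    return sorted(unexpected), sorted(expected - seen), sorted(unsafe)

def build_sample_zip(names):
    """Constructed in-memory archive with dummy contents, for the demo only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"<?php // constructed sample\n")
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_zip(sorted(EXPECTED["SUPEE-1533"]) + ["skin/extra.php"])
    print(audit_patch_zip(sample, "SUPEE-1533"))
```

An archive that passes returns three empty lists; any unexpected or unsafe entry is a reason to stop and compare against the official patch before uploading.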

NOTE: After installing the security patch SUPEE-5994, it is advisable to change the default admin path for security concerns.

Steps to change the default admin path:

• Go to app/etc/ under your Magento root directory
• Open the local.xml file
• Search for the following code:

    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[admin]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>

• Change the Admin path name to any other string of your choice. Here, we are changing the admin path name from “admin” to “milople”

    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[milople]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>

• Flush the Magento cache
• Access your backend via the new URL. Here, the new URL would be https://mystorename.ex/milople/

If you run into any problems changing your admin path or installing the patches, feel free to Contact Milople or send us your queries in the comment section below.

How to make your store secure enough?

  • Make sure to apply the patches on your Ecommerce store
  • Always have the upgraded version of Magento. Contact Milople for further queries on the same.
  • Keep yourself updated with the latest news on Magento and read Ecommerce relevant blogs.

Still worried about the patch?

After following the above steps, check whether the patch was installed successfully and whether the store is free of the bug by entering your Magento Ecommerce store URL at either of the following web URLs:

• https://shoplift.byte.nl/ and
• http://magento.com/security-patch

If you don’t get a positive result after installing the patch, submit your queries in the comment section below.

Thus, you are done with the vulnerability issue and can now have complete security for your Magento store. Feel free to contact us or give us your valuable comments in the comment section below.

16 Comments
  1. Will these file downloads work on any version of Magento? I have version Magento ver. 1.4.2.0 CE for example. I notice on the site there are separate patch scripts for each version.

    1. Hello Robin,
      Our patch is only applicable for the Magento version 1.7 to 1.9. However, you can Contact Milople for the patch compatible with your Magento version 1.4.2.0 CE.

  2. Hello,
    I use Magento ver. 1.9.0.1, so can I use the patch SUPEE-5994-1.9.1.0.zip?
    Thanks in advance

    1. Yes sure, you can use SUPEE-5994-1.9.1.0 patch and secure your Magento store. Contact Us if you find any issue regarding its use.

  3. Hi,

    Can you upload files for SUPEE-5994 to magento 1.8.0.0? Or can I just use these 1.8.1.0 files?

    Thanks.

    1. Hello Juha, surely you can use Magento 1.8.1.0 files. Contact Us if you find any query regarding its installation.

  4. Hi, I am using Windows server hosting and I want to install the security patch. How can I do this?

    1. Hello Kush, you can use the same technique as described in our blog. Simply use your FTP to install patches for windows server.

  5. Hello, thank you for your nice tutorial. According to this tutorial and from reading the security patches' code, they made changes in a few places in the code. May I open the file path and update the recent code directly? What does the security patch installation do? Does it change the code when we install by SSH command?

    Please Guide Me
    Many Thanks
    Vishwa

    1. Hello Vishwa,
      Glad to know this tutorial helped. You can implement code changes directly in the file but there are chances of errors being raised, so I would recommend you replace the file with the one provided. Secondly, security patches protect a Magento installation against several potential threats and secure your store from hacks and vulnerabilities. When you install patches by SSH command, it replaces the code in the file rather than replacing the whole file.

      1. Hello Milople

        Thank you for your help. We have two Magento websites, one live and another for the development environment. Our current Magento version is 1.9.0.1. There are a lot of security patches; which one should I use? We haven’t applied security patches yet, this is the first time. May I install all security patches, or will it raise any problem? Could you please provide me the SSH command?

        Many Thanks
        Vishwa

        1. Hello Vishwa,
          You need to install all security patches in order from older to newer. If you have made any change in the Magento core, it may create some issues for you, but you can definitely ask us for any queries or help.
          For installation of a patch with SSH:

          • Download the latest patch SUPEE 5944 from the Official Magento website: https://www.magentocommerce.com/products/downloads/magento/
          • Upload the downloaded patch file to the root of your Magento. Make sure it has full permissions to execute.
          • Make sure the compiler has been disabled (if it is enabled when patches are installed, errors may show)
          • Install the patches using SSH (if you don’t have access, ask your hosting provider to give it)
          • Run the command: sh file_name.sh
            Example: sh PATCH_SUPEE-1868_CE_1.7.0.2_v1.sh
          • Clear the cache
          • Refresh your cache from the Magento admin. Don’t forget to refresh your OPcode or APC cache as well! (If you don’t clear the cache, it can create issues for you)