cancel
Showing results for 
Search instead for 
Did you mean: 

Applying critical security patch - Safe now?

Applying critical security patch - Safe now?

Hey everyone!
Before I continue I will point out I can be quite derp when it comes to this stuff, so it is a slow learning curve but im getting there!

Long story short, I just downloaded the SUPEE-5344 and SUPEE-1533, put them into my root directory, used putty to run both the patches and I got the sucsessful message (Patch was applied successfully).

 

Anyway, me being the paranoid freak that I am -- how can I be sure that I done this 100% correctly and that there is no longer that security threat allowing an attacker to remotely execute code on Magento software?

 

Cheers!
Cam

24 REPLIES 24

Re: Applying critical security patch - Safe now?

You have two more steps after applying the patch

 

  1. recompile if you have the compiler turned on
  2. clear your cache so it reloads the code

and in that order...

 

Sites have been hacked because the site owner forgot those two important steps, kind of like rebooting a Windows system to make sure the updates installed.

 

As to verifying that it installed, I have a look at app/etc/applied.patches.list to see what files were mangled (ahem, patched), compare them against the same files from a fresh dearchived copy of the code for my current Magento version to make sure that the patches were applied to the files. This is done using a Linux command line program called diff or in a programmer's text editor like TextPad which has a built in file diff utility.

 

Since the patch files are cyborg readable, you can discern what was supposed to happen => - is removed, + is added

 

Magento consists solely of manual checks for most of this stuff, it's an ecommerce platform built by programmers, for programmers.

Re: Applying critical security patch - Safe now?

Cam,

have you tried this test:

 

https://shoplift.byte.nl/

Re: Applying critical security patch - Safe now?

Hi,

 

You may check out Github Diff for versions 1.7.x-1.9.x to know what was changed and have patched version fo core files.

Re: Applying critical security patch - Safe now?

Cheers guys.

 

@chiefair

I did flush my magento cache via admin panel, however I didn't recompile (not sure how to/wether compiler is turned on)
I'll look into that today -- Is it okay (if my compiler is turned on) to just recompile and clear the cache again? Or should I remove/readd the patches?

 

Oh god why did I choose magento haha im very far from a programmer xD

 

@IKdR
The link didn't work dude.

@sashas7777
Cheers! I'll look into it.

I really appreciate the help everyone Smiley Happy

Re: Applying critical security patch - Safe now?

You may try this link as well:

 

http://magento.com/security-patch

 

I don`t know, why you could not open my other link, worked fine for me....

 

IKDR

Re: Applying critical security patch - Safe now?

I'm having difficulty trying to get the byte.nl site and the magento security check thing to give my site a passing grade.  I've applied the patch, cleared out my caches many many times, restarted apache, regenerated the compiled files, tried disabling compilation but both sites still tell me I'm at risk.  My Request/Http.php has the $_internallyForwarded flag in it which I understand is the fix for it, but what do I need to do for it to pass the tests?

Re: Applying critical security patch - Safe now?

Hi,

 

If you have compilation enabled you need to disable cache and compilcation before patch. After patch you have to recompile it.

And please keep backp copy of files. SOmetimes compilation may show errors.

 

Thanks

Re: Applying critical security patch - Safe now?

Does that mean I have to reverse the patch, disable cache and compilation, re-apply the patch, and then recompile?

Re: Applying critical security patch - Safe now?

For sure you need to disable cache and try to recompile compilation.

Then check if site shows passed result. If store will be broken because of compilation you can disable it manually at the file: includes/config.php - comment out the two define function calls

##define('COMPILER_INCLUDE_PATH', dirname(__FILE__).DIRECTORY_SEPARATOR.'src');
#define('COMPILER_COLLECT_PATH', dirname(__FILE__).DIRECTORY_SEPARATOR.'stat');