Before I continue I will point out I can be quite derp when it comes to this stuff, so it is a slow learning curve but I'm getting there!
Long story short, I just downloaded the SUPEE-5344 and SUPEE-1533, put them into my root directory, used putty to run both the patches and I got the successful message (Patch was applied successfully).
Anyway, me being the paranoid freak that I am -- how can I be sure that I did this 100% correctly and that there is no longer that security threat allowing an attacker to remotely execute code on Magento software?
You have two more steps after applying the patch
and in that order...
Sites have been hacked because the site owner forgot those two important steps, kind of like rebooting a Windows system to make sure the updates installed.
As to verifying that it installed, I have a look at app/etc/applied.patches.list to see what files were mangled (ahem, patched), compare them against the same files from a fresh dearchived copy of the code for my current Magento version to make sure that the patches were applied to the files. This is done using a Linux command line program called diff or in a programmer's text editor like TextPad which has a built in file diff utility.
Since the patch files are cyborg readable, you can discern what was supposed to happen => - is removed, + is added
Magento consists solely of manual checks for most of this stuff, it's an ecommerce platform built by programmers, for programmers.
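The diff check described above, written out as a small POSIX shell script. This is an added example, not code from the original answer or from Magento: it reads the file paths named on the "+++" lines of a SUPEE patch file, compares each one in the live webroot against the same path in a freshly dearchived copy of the same Magento version, and reports the files that are still identical to (or missing from) the pristine tree. The patch path, the two root directories and the fixture files are constructed for the demonstration.

```shell
# Added example, not code from the thread or from Magento: list the files a
# SUPEE patch names and compare each against a pristine copy of the same Magento
# version, so files the patch did not change stand out. Paths are constructed.
# Files named on the "+++ path" lines of a unified diff (git-style "b/" stripped).
patched_files() {
    grep '^+++ ' "$1" | awk '{print $2}' | sed 's#^b/##'
}

# check_patch_applied PATCHFILE FRESH_ROOT LIVE_ROOT; exit status is the number
# of listed files missing or still identical to the fresh copy (0 = all changed).
check_patch_applied() {
    patch=$1; fresh=$2; live=$3; unchanged=0
    for f in $(patched_files "$patch"); do
        if [ ! -f "$live/$f" ]; then
            echo "MISSING   $f"; unchanged=$((unchanged + 1))
        elif cmp -s "$fresh/$f" "$live/$f"; then
            echo "UNPATCHED $f"; unchanged=$((unchanged + 1))
        else
            echo "CHANGED   $f"   # differs from pristine: inspect with diff -u
        fi
    done
    return $unchanged
}

# Constructed fixture: fresh tree, live tree where only Http.php was patched,
# and a two-file patch. Prints the temp root it created.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/fresh/app/code" "$root/live/app/code"
    printf 'class Http {}\n' > "$root/fresh/app/code/Http.php"
    printf 'class Http { protected $_internallyForwarded = false; }\n' > "$root/live/app/code/Http.php"
    printf 'old\n' > "$root/fresh/app/code/Other.php"
    cp "$root/fresh/app/code/Other.php" "$root/live/app/code/Other.php"
    cat > "$root/sample.patch" <<'EOF'
--- app/code/Http.php
+++ app/code/Http.php
@@ -1 +1 @@
-class Http {}
+class Http { protected $_internallyForwarded = false; }
--- app/code/Other.php
+++ app/code/Other.php
@@ -1 +1 @@
-old
+new
EOF
    echo "$root"
}

root=$(make_sample)
check_patch_applied "$root/sample.patch" "$root/fresh" "$root/live" || echo "$? file(s) not patched"
```

A CHANGED line only means the live file differs from the pristine one; run diff -u on that pair to confirm the difference is the patch's own +/- lines and not some other edit.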
You may check out Github Diff for versions 1.7.x-1.9.x to know what was changed and have patched versions of core files.
I did flush my Magento cache via admin panel, however I didn't recompile (not sure how to/whether compiler is turned on)
I'll look into that today -- Is it okay (if my compiler is turned on) to just recompile and clear the cache again? Or should I remove/readd the patches?
Oh god why did I choose Magento haha I'm very far from a programmer xD
You may try this link as well:
I don't know, why you could not open my other link, worked fine for me....
I'm having difficulty trying to get the byte.nl site and the magento security check thing to give my site a passing grade. I've applied the patch, cleared out my caches many many times, restarted apache, regenerated the compiled files, tried disabling compilation but both sites still tell me I'm at risk. My Request/Http.php has the $_internallyForwarded flag in it which I understand is the fix for it, but what do I need to do for it to pass the tests?
If you have compilation enabled you need to disable cache and compilation before patch. After patch you have to recompile it.
And please keep backup copy of files. Sometimes compilation may show errors.
Does that mean I have to reverse the patch, disable cache and compilation, re-apply the patch, and then recompile?
For sure you need to disable cache and try to recompile compilation.
Then check if site shows passed result. If store will be broken because of compilation you can disable it manually at the file: includes/config.php - comment out the two define function calls
#define('COMPILER_INCLUDE_PATH', dirname(__FILE__).DIRECTORY_SEPARATOR.'src');
#define('COMPILER_COLLECT_PATH', dirname(__FILE__).DIRECTORY_SEPARATOR.'stat');