
Security patches applied but online checker reports vulnerable


Hello,

 

I have successfully patched some of my Magento installations, but I am having trouble with just 2 of them. One is 1.6.2.0 and the other is 1.7.0.2. I downloaded the respective patches:

 

For 1.6.2.0:

PATCH_SUPEE-5346_CE_1.6.1.0_v1-2015-02-10-08-12-00.sh

PATCH_SUPEE-1533_EE_1.11.x_v1-2015-02-10-08-20-01.sh

 

For 1.7.0.2:

PATCH_SUPEE-1533_EE_1.12.x_v1-2015-02-10-08-19-16.sh

PATCH_SUPEE-5345_CE_1.7.0.2_v1-2015-02-10-08-11-22.sh

 

I was given the successful message upon applying them using SSH. The problem is that when I use http://magento.com/security-patch to check the installations, the online tool reports:

 

"WARNING: This site appears to be vulnerable. Please patch it immediately!"

 

I even rolled back the files and databases 1-2 months ago just to check and reapplied the patches, no joy. Then I thought maybe something was wrong with the files that are getting patched, so at the 1.6.2.0 installation, I downloaded magento v1.6.2.0 and replaced the following files with their default ones:

 

app/code/core/Mage/Adminhtml/controllers/DashboardController.php

app/code/core/Mage/Adminhtml/Block/Dashboard/Graph.php

app/code/core/Mage/Core/Controller/Request/Http.php

lib/Varien/Db/Adapter/Pdo/Mysql.php

app/code/core/Mage/Admin/Model/Observer.php

 

I tried patching again, the message was successful, but the online checker tool reports the site is vulnerable.

 

I did the following after each patching try:

1) flushed cache both from Admin and by removing /var/cache/*

2) chowned the patched files back to their own user

 

I am totally lost here, don't know what else to try. Any suggestions would be great. And one more question, is http://magento.com/security-patch checking only against SUPEE-5344 and SUPEE-1533 or for every other patch too?

 

Thank you in advance.

4 REPLIES

Re: Security patches applied but online checker reports vulnerable

Hello @nomadi

 

Please follow this blog post,

http://magecomp.com/blog/how-to-install-magento-security-patches/

 

If you still face issues, feel free to contact us, we are helping with the patch installation to all the community members for FREE.

 

SECURITY DISCLAIMER: The above website contains Magento Security Patch files which are self-hosted by the user and as such unsafe. Magento Forum advises all users to only download patch files from the official Magento Downloads page.

Found something useful, please give "Kudos" or "Accept as Solution" for Token of Appreciation.
Free Magento Extensions : https://magecomp.com/free-magento-extensions.html

Re: Security patches applied but online checker reports vulnerable

Hello and thank you for your answer,

 

The only thing I haven't tried and is mentioned at the page you posted is disabling the Compiler. I will be sure to test it out and report back here whether that helped or not.

 

One clarification, though, the proper way of testing it now would be to:

 

1) Revert the 2 security patches using sh PATCH-name.sh -R

2) Disable the Compiler

3) Clear caches

4) Apply the 2 security patches

5) Clear caches

6) Enable the Compiler

 

Are the above steps correct both in meaning and in order?

 

Last question, I have seen back in the old days that playing with Compiler can easily mess up the installation. What happens if I eventually can't disable it?

 

Thank you a lot.

Re: Security patches applied but online checker reports vulnerable

Hello @nomadi

 

Your steps seem fine. It is very much recommended to take a backup of your website if you are installing patches directly on a live website.


Re: Security patches applied but online checker reports vulnerable

After you install the patch you'll need to recompile if using that feature.

 

The compiler's main job is to copy / concatenate all of your source files into a single directory so the Magento Autoloader doesn't have to parse your directory structure to see if you've overridden any of the Core file logic every time it executes a request.

 

That means you will have patched the SOURCE files, but your COMPILED files still contain the vulnerable unpatched versions.

 

Anytime you make any changes to your system (themes, extensions, patches, updates) these will update files in your main Magento path. The files in the includes/src/ directory (where the compiler leaves its files) will remain unchanged until you recompile or disable compilation altogether.

 

Let me know if this helps. I originally thought the Magento compiler was like the ones I was used to in C or C++ or at least converting the PHP code into executable OPCodes. Really, its job is to just ensure that the Autoloader is more efficient:

 

https://www.byte.nl/blog/should-i-use-the-magento-compiler/
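
The stale-copy condition described in the reply above can be checked directly by comparing each patched source file with its copy under includes/src/. This is an added example, not part of the thread or of Magento's own tooling; it assumes the compiler flattens a class path into includes/src/ by replacing directory separators with underscores, and that an enabled compiler leaves an uncommented COMPILER_INCLUDE_PATH define in includes/config.php.

```shell
#!/bin/sh
# Added example. Assumption: the compiler flattens a class file's path under
# app/code/<pool>/ or lib/ into includes/src/ by replacing "/" with "_".

# Map a source path (relative to the Magento root) to its compiled file name.
compiled_name() {
    printf '%s\n' "$1" \
        | sed -e 's#^app/code/[^/]*/##' -e 's#^lib/##' -e 's#/#_#g'
}

# Compilation is treated as enabled when includes/config.php holds an
# uncommented COMPILER_INCLUDE_PATH define (assumption about that file).
compiler_enabled() {
    [ -f "$1/includes/config.php" ] &&
        grep -Eq "^[[:space:]]*define\('COMPILER_INCLUDE_PATH'" "$1/includes/config.php"
}

# Print one status line per file; the exit status is the number of STALE copies.
check_compiled() {
    root=$1; shift
    stale=0
    for rel in "$@"; do
        src="$root/$rel"
        dst="$root/includes/src/$(compiled_name "$rel")"
        if [ ! -f "$dst" ]; then
            echo "ABSENT $rel"      # no compiled copy of this file exists
        elif cmp -s "$src" "$dst"; then
            echo "OK     $rel"      # compiled copy matches the patched source
        else
            echo "STALE  $rel"      # compiled copy differs: recompile or disable
            stale=$((stale + 1))
        fi
    done
    return "$stale"
}

# Usage with files named in the thread (run from the Magento root):
#   compiler_enabled . && check_compiled . \
#       app/code/core/Mage/Core/Controller/Request/Http.php \
#       lib/Varien/Db/Adapter/Pdo/Mysql.php
```

A STALE line means requests are still served from the old copy in includes/src/, which matches a patch script reporting success while an external check still sees the old behaviour.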