Magento Security Patches and Common Issues while applying them

The Magento team releases patches when any vulnerability in the system is found in order to keep Magento secure and reliable. On Feb 2015, Magento has already released one critical security patch (SUPEE-5344), which was aimed to address a remote command execution. It’s been more than two months since the release and still more than 50% of all of the Magento installations worldwide have not been patched and are being open to attacks.

This means that hundreds of thousands of websites are vulnerable right now, worst yet they are Ecommerce websites that sell goods and capture personal identifiable information, including payment data in some cases. It is beyond any doubts that any security breach is a potential killer of your reputation of a trusted store and your customers’ loyalty and peace of mind.

It is hard to comprehend that there are so many unsafe Magento instances online and being a part of Magento community, we feel obliged to contribute in reducing the number of stores by sharing the information on the importance of the security patches with you and addressing the common issues that arise while applying such patches.

On 14th May 2015, Magento released a new patch – SUPEE-5994. The patch addresses to a range of issues, including scenarios where attackers can gain an access to customer information. All versions of Magento Community Edition software are impacted and Magento strongly recommends to immediately deploy this critical patch. The good news is that Magento 1.9.1.1 already includes all patches, but you will need to apply the security patch SUPEE-5994 as this security fixes have not been rolled out in a stable Magento release yet. Please note that this patch should be installed in addition to the recent Shoplift patch (SUPEE-5344 and SUPEE-1533).

What patches are included in SUPEE-5994?

SUPEE-5994 is a bundle of seven patches that resolves the following security-related issues. You can read Magento’s official notice on this below:

1. Admin Path Disclosure.

An attacker can force the Admin Login page to appear by directly calling a module, regardless of the URL.This exposes the Admin URL on the page, and makes it easier to initiate password attacks.

2. Customer Address Leak through Checkout.

Enables an attacker to obtain address information (name, address, phone) from the address books of other store customers. During the checkout process, the attacker can gain an access to an arbitrary address book by entering a sequential ID. No payment information is returned. The only requirement for the attacker is to create an account in store, put any product into the cart, and start the checkout process. This attack can be fully automated, and a functional proof of concept exists.

3. Customer Information Leak through Recurring Profile.

This issue enables attacker to obtain address (name, address, phone), previous order (items, amounts) and payment method (payment method, recurrence) information from the recurring payment profiles of other store customers. The attacker just creates an account with the store. While viewing own recurring profile, the attacker can request an arbitrary recurring profile using a sequential ID. The information is then returned to the attacker. This attack can be fully automated, and a manual proof of concept exists.

4. Local File Path Disclosure Using Media Cache.

Attacker can use fictitious image URLs to generate exceptions that expose internal server paths, regardless of settings.

5. Spreadsheet Formula Injection.

Attacker can provide input that executes a formula when exported and opened in a spreadsheet such as Microsoft Excel. The formula can modify data, export personal data to another site, or cause remote code execution. The spreadsheet usually displays a warning message, which the user must dismiss for the attack to succeed.

6. Cross-site Scripting Using Authorize.Net Direct Post Module.

Enables an attacker to execute JavaScript in the context of a customer session. If a customer clicks a malicious link, the attacker can steal cookies and hijack the session, which can expose personal information and compromise checkout.

7. Malicious Package Can Overwrite System Files.

Attacker can publish a malicious extension package. When the package is installed by a customer, it can overwrite files on the server. The attacker must first publish a package, and then entice a customer to install it. The package might contain a malicious load, as well.

How to install SUPEE-5994?

The important question now is how to patch your Magento website. Here is the simplest guide on applying this patch on your store. We strongly recommend you to start your work with the patch from a development environment. And don’t forget to make a backup before deploying the patch onto the production environment.

First of all, make sure to Disable Magento Compiler in System > Configuration > Tools > Magento Compiler and clear the compiled cache. If you’ve installed the patch without disabling the compiler, test everything and run the compiler again. It is necessary to run the compiler in order for patches to take effect.

Step 1: Verify your Magento version

When you are working on several Magento installations you may need to determine version of every Magento site without going to Magento Backend. We use this simple shell command to check Magento version (when under Magento root directory):

$ grep -A6 'static function getVersionInfo' app/Mage.php
    public static function getVersionInfo()
    {
        return array(
            'major'     => '1',
            'minor'     => '9',
            'revision'  => '1',
            'patch'     => '1',

As you can see in the example above, it is Magento 1.9.1.1.

Step 2: Download the corresponding patch

Head to the Magento downloads page and download the SUPEE-5994 security patch from the Magento Community Edition Patches section. The same patches bundle applies to Magento versions 1.6.0.0 – 1.9.1.1. If you’re running an earlier version you should really consider updating your Magento as soon as possible.

Step 3: Place the patch into Magento Root directory

Once you have downloaded the correct patch for your version of Magento, upload it to your Magento root directory (this is where you will see the Magento folders like app, media, skin etc):

$ ls -1
PATCH_SUPEE-5994_EE_1.14.1.0_v1-2015-05-14-05-05-02.sh
RELEASE_NOTES.txt
api.php
app
cron.php
cron.sh
downloader
errors
favicon.ico
get.php
includes
index.php
index.php.sample
install.php
js
lib
mage
media
php.ini.sample
phpmyadmin
pkginfo
shell
skin
var

It is important to place the patch file and execute it directly from the Magento root directory.

Step 4: Run the patch

Login into your server via SSH access, navigate to your Magento root directory and apply the patch as it is shown below (change the name of your patch file to match the version you have):

$ bash PATCH_SUPEE-5994_EE_1.14.1.0_v1-2015-05-14-05-05-02.sh
Checking if patch can be applied/reverted successfully...
Patch was applied/reverted successfully.

This means that the patch has been successfully installed.

Step 5: Verification

Refresh your cache from the Magento Backend. If you use PHP opcode caches (APC/XCache/eAccelerator) make sure to flush them after patching, otherwise code will continue to run from the cache. Test that your store is working. Don’t forget to remove the patch files from your Magento root once you have applied them.

Currently, there is no way to check via third party services if SUPEE-5994 has been installed. But you can check by yourself which patches were installed in your Magento Store and which core files were modified in these patches. All patches that were installed successfully are logged into app/etc/applied.patches.list file. You can just open it in your favorite text editor to find out all installed patches. Also, you can use a few command-line shortcuts to cherry-pick some details.

To get just the list of installed patch names:

$ grep -F '|' app/etc/applied.patches.list|cut -f 2 -d'|'
SUPEE-1533 
SUPEE-5344 
SUPEE-5994

To get the list of patch names along with installation date:

$ grep -F '|' app/etc/applied.patches.list|cut -f 2,1 -d'|'
2014-12-01 07:28:34 UTC | SUPEE-1533 
2015-04-21 22:18:17 UTC | SUPEE-5344 
2015-04-22 00:44:54 UTC | SUPEE-5994 

Common issues and troubleshooting that may occur during patching:

Tool(s) “patch” is(are) missed, please install it:

sh ./PATCH_SUPEE-5994_EE_1.14.1.0_v1-2015-05-14-05-05-02.sh
Error! Some required system tools, that are utilized in this sh script, are not installed:
Tool(s) "patch" is(are) missed, please install it(them).

Solution: As it is stated in the error message, patch utility needs to be installed on your system. Installation is usually done with superuser privileges, so make sure you have them. To install the patch on Debian/Ubuntu use:

# apt-get install patch

or

$ sudo apt-get install patch

To install patch on RedHat/CentOS/Fedora use:

# yum install patch

or

$ sudo yum install patch

ERROR: Can’t find file to patch at input line 334:

$ bash PATCH_SUPEE-5994_EE_1.14.1.0_v1-2015-05-14-05-05-02.sh 
Checking if patch can be applied/reverted successfully...
ERROR: Patch can't be applied/reverted successfully.
 
patching file app/code/core/Mage/Authorizenet/controllers/Directpost/PaymentController.php
patching file app/code/core/Mage/Core/Controller/Varien/Router/Admin.php
patching file app/code/core/Mage/Core/Controller/Varien/Router/Standard.php
patching file app/code/core/Mage/Customer/Model/Customer.php
patching file app/code/core/Mage/Dataflow/Model/Convert/Parser/Csv.php
patching file app/code/core/Mage/ImportExport/Model/Export/Adapter/Csv.php
patching file app/code/core/Mage/Install/Controller/Router/Install.php
patching file app/code/core/Mage/Install/etc/config.xml
patching file app/code/core/Mage/Sales/controllers/Recurring/ProfileController.php
patching file downloader/Maged/Model/Connect.php
patching file downloader/Maged/View.php
patching file downloader/template/connect/packages_prepare.phtml
patching file downloader/template/messages.phtml
can't find file to patch at input line 334
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git get.php get.php
|index a7fe802..71ab535 100644
|--- get.php
|+++ get.php
--------------------------
File to patch: 
Skip this patch? [y] 
Skipping patch.
1 out of 1 hunk ignored
patching file lib/PEAR/PEAR/PEAR.php
patching file lib/PEAR/PEAR/PEAR5.php
patching file lib/Varien/Io/File.php

Solution: In the output above the patch can not find file get.php. To solve this error it should be enough to place the get.php file from Magento distribution into Magento root directory.

Patch installation error (fails on lib/PEAR/):

$ bash PATCH_SUPEE-5994_EE_1.14.1.0_v1-2015-05-14-05-05-02.sh
Checking if patch can be applied/reverted successfully...
ERROR: Patch can't be applied/reverted successfully.

patching file app/code/core/Mage/Authorizenet/controllers/Directpost/PaymentController.php
patching file app/code/core/Mage/Core/Controller/Varien/Router/Admin.php
patching file app/code/core/Mage/Core/Controller/Varien/Router/Standard.php
patching file app/code/core/Mage/Customer/Model/Customer.php
patching file app/code/core/Mage/Dataflow/Model/Convert/Parser/Csv.php
patching file app/code/core/Mage/ImportExport/Model/Export/Adapter/Csv.php
patching file app/code/core/Mage/Install/Controller/Router/Install.php
patching file app/code/core/Mage/Install/etc/config.xml
patching file app/code/core/Mage/Sales/controllers/Recurring/ProfileController.php
patching file downloader/Maged/Model/Connect.php
patching file downloader/Maged/View.php
patching file downloader/template/connect/packages_prepare.phtml
patching file downloader/template/messages.phtml
patching file get.php
can't find file to patch at input line 347
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git lib/PEAR/PEAR/PEAR.php lib/PEAR/PEAR/PEAR.php
|index b4633bf..e6f8edc 100644
|--- lib/PEAR/PEAR/PEAR.php
|+++ lib/PEAR/PEAR/PEAR.php
--------------------------
File to patch:
Skip this patch? [y]
Skipping patch.
42 out of 42 hunks ignored
patching file lib/PEAR/PEAR/PEAR5.php
patching file lib/Varien/Io/File.php

Solution: According to the output it seems like lib/PEAR/PEAR/PEAR.php does not exist in your Magento installation.

To solve the issue we would suggest to:
• obtain lib/PEAR/PEAR/PEAR.php from Magento 1.9.1.1 distribution
• backup your lib/PEAR/PEAR/PEAR.php (if there is such file somehow despite the output)
• upload original lib/PEAR/PEAR/PEAR.php to your Magento website
• apply the patch

Windows line separators (CRLF) for the files in the project:

$ bash PATCH_SUPEE-5994_EE_1.14.1.0_v1-2015-05-14-05-05-02.sh
Checking if patch can be applied/reverted successfully...
ERROR: Patch can't be applied/reverted successfully.
patching file app/code/core/Mage/Authorizenet/controllers/Directpost/PaymentController.php
Hunk #1 FAILED at 68.
Hunk #2 FAILED at 113.
2 out of 2 hunks FAILED -- saving rejects to file app/code/core/Mage/Authorizenet/controllers/Directpost/PaymentController.php.rej
patching file app/code/core/Mage/Core/Controller/Varien/Router/Admin.php
Hunk #1 FAILED at 129.
1 out of 1 hunk FAILED -- saving rejects to file app/code/core/Mage/Core/Controller/Varien/Router/Admin.php.rej
patching file app/code/core/Mage/Core/Controller/Varien/Router/Standard.php
Hunk #1 FAILED at 201.
Hunk #2 FAILED at 272.
Hunk #3 FAILED at 297.
3 out of 3 hunks FAILED -- saving rejects to file app/code/core/Mage/Core/Controller/Varien/Router/Standard.php.rej
patching file app/code/core/Mage/Customer/Model/Customer.php
Hunk #1 FAILED at 273.
1 out of 1 hunk FAILED -- saving rejects to file app/code/core/Mage/Customer/Model/Customer.php.rej
patching file app/code/core/Mage/Dataflow/Model/Convert/Parser/Csv.php
Hunk #1 FAILED at 266.
1 out of 1 hunk FAILED -- saving rejects to file app/code/core/Mage/Dataflow/Model/Convert/Parser/Csv.php.rej
patching file app/code/core/Mage/ImportExport/Model/Export/Adapter/Csv.php
Hunk #1 FAILED at 109.
1 out of 1 hunk FAILED -- saving rejects to file app/code/core/Mage/ImportExport/Model/Export/Adapter/Csv.php.rej
patching file app/code/core/Mage/Install/Controller/Router/Install.php
patching file app/code/core/Mage/Install/etc/config.xml
Hunk #1 FAILED at 48.
1 out of 1 hunk FAILED -- saving rejects to file app/code/core/Mage/Install/etc/config.xml.rej
patching file app/code/core/Mage/Sales/controllers/Recurring/ProfileController.php
Hunk #1 FAILED at 190.
1 out of 1 hunk FAILED -- saving rejects to file app/code/core/Mage/Sales/controllers/Recurring/ProfileController.php.rej
patching file downloader/Maged/Model/Connect.php
Hunk #1 FAILED at 100.
1 out of 1 hunk FAILED -- saving rejects to file downloader/Maged/Model/Connect.php.rej
patching file downloader/Maged/View.php
Hunk #1 FAILED at 162.
1 out of 1 hunk FAILED -- saving rejects to file downloader/Maged/View.php.rej
patching file downloader/template/connect/packages_prepare.phtml
Hunk #1 FAILED at 33.
1 out of 1 hunk FAILED -- saving rejects to file downloader/template/connect/packages_prepare.phtml.rej
patching file downloader/template/messages.phtml
Hunk #1 FAILED at 30.
1 out of 1 hunk FAILED -- saving rejects to file downloader/template/messages.phtml.rej
patching file get.php
Hunk #1 FAILED at 37.
1 out of 1 hunk FAILED -- saving rejects to file get.php.rej
patching file lib/PEAR/PEAR/PEAR.php
Hunk #1 FAILED at 6.
Hunk #2 FAILED at 52.
Hunk #3 FAILED at 92.
Hunk #4 FAILED at 101.
Hunk #5 FAILED at 153.
Hunk #6 FAILED at 173.
Hunk #7 FAILED at 192.
Hunk #8 FAILED at 212.
Hunk #9 FAILED at 227.
Hunk #10 FAILED at 262.
Hunk #11 FAILED at 276.
Hunk #12 FAILED at 331.
Hunk #13 FAILED at 369.
Hunk #14 FAILED at 394.
Hunk #15 FAILED at 411.
Hunk #16 FAILED at 425.
Hunk #17 FAILED at 437.
Hunk #18 FAILED at 455.
Hunk #19 FAILED at 521.
Hunk #20 FAILED at 538.
Hunk #21 FAILED at 565.
Hunk #22 FAILED at 673.
Hunk #23 FAILED at 708.
Hunk #24 FAILED at 732.
Hunk #25 FAILED at 744.
Hunk #26 FAILED at 777.
Hunk #27 FAILED at 798.
Hunk #28 FAILED at 817.
Hunk #29 FAILED at 835.
Hunk #30 FAILED at 868.
Hunk #31 FAILED at 881.
Hunk #32 FAILED at 907.
Hunk #33 FAILED at 959.
Hunk #34 FAILED at 974.
Hunk #35 FAILED at 988.
Hunk #36 FAILED at 1002.
Hunk #37 FAILED at 1016.
Hunk #38 FAILED at 1038.
Hunk #39 FAILED at 1050.
Hunk #40 FAILED at 1065.
Hunk #41 FAILED at 1104.
Hunk #42 FAILED at 1115.
42 out of 42 hunks FAILED -- saving rejects to file lib/PEAR/PEAR/PEAR.php.rej
patching file lib/PEAR/PEAR/PEAR5.php
patching file lib/Varien/Io/File.php
Hunk #1 FAILED at 226.
1 out of 1 hunk FAILED -- saving rejects to file lib/Varien/Io/File.php.rej

Solution: The problem was in the different line separators for files in the project and default Magento. Changing line separators to LF (Unix and Mac OS) has fixed this issue.

ERROR: Patch can’t be applied/reverted successfully:

$ bash PATCH_SUPEE-5994_EE_1.14.1.0_v1-2015-05-14-05-05-02.sh
Checking if patch can be applied/reverted successfully...
ERROR: Patch can't be applied/reverted successfully.

Solution: You’re getting this error because your installation might be missing the folder downloader which is placed in the Magento root folder. Just get this folder back in your installation and the patch should work just as fine.

If you have any issues or errors while applying Magento security patches, or you have questions related to this topic, let us know in comments – we will try to help you! Make your Magento store more secure, and let keep hackers away from it.

Read more – Reset an administrator password or add a Magento admin user using MySQL