How to apply SUPEE-5344 and SUPEE-1533 without SSH

A recently released announcement about a Magento vulnerability, which is about to be disclosed by CheckPoint, mentions the necessity of installing the Magento patches SUPEE-1533 and SUPEE-5344, available for download at the MagentoCommerce site:
https://www.magentocommerce.com/products/downloads/magento/
The only problem with these patches is that they require SSH access, which some hosts do not provide. If you have SSH access, you can install the patches as shown in How to apply SUPEE-5344 and SUPEE-1533 via SSH.

Update: Make sure also to apply the latest SUPEE-5994 released on May 15, 2015.

It is still possible to apply these patches without SSH, via FTP/sFTP or direct execution via PHP, as shown below in this article.
If you have any difficulties applying the patches, please let us know in the comments so we can find a solution together.
Before patching, make sure to disable the Magento Compiler, if you use it, at System > Configuration > Tools > Compilation, and clear the compiled cache.

Applying Magento patches via FTP/sFTP or FileManager / File Upload

To apply patches this way, we simply replace the changed files. This method cannot be used blindly if you or your developers have changed any core Magento files (which is a big no-no, by the way). Such changes should be re-applied to the patched files, or you will lose them.
Patch SUPEE-1533 (Magento 1.7.x.x-1.9.1.0) applies to the following files:

  • app/code/core/Mage/Adminhtml/Block/Dashboard/Graph.php
  • app/code/core/Mage/Adminhtml/controllers/DashboardController.php

Patched versions of these files for Magento 1.7.0.0-1.9.1.0 (including the 1.7.0.2, 1.8.1.0 and 1.9.1.0 versions) are packed into a single ZIP archive: SUPEE-1533.zip. Simply unpack it and replace the files on your store by uploading the app folder into your Magento root directory.
Patch SUPEE-5344 (Magento 1.8.x.x-1.9.1.0) applies to the following files:

  • app/code/core/Mage/Admin/Model/Observer.php
  • app/code/core/Mage/Core/Controller/Request/Http.php
  • app/code/core/Mage/Oauth/controllers/Adminhtml/Oauth/AuthorizeController.php
  • app/code/core/Mage/XmlConnect/Model/Observer.php
  • lib/Varien/Db/Adapter/Pdo/Mysql.php

Patched versions of these files for Magento 1.8.x.x-1.9.1.0 are packed into a single ZIP archive: SUPEE-5344.zip. Simply unpack it and replace the files on your store by uploading the app/ and lib/ folders into your Magento root.
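Because replacing files discards any local edits to core code, it helps to check each affected file before uploading. The script below is an added example, not part of the original article or of Magento: it runs on your own machine and assumes three local directories (a copy of the store's files downloaded over FTP, an unpacked unmodified Magento release of the same version, and the unpacked patch ZIP). The function names and state labels are hypothetical.

```python
import hashlib
import sys
from pathlib import Path

# File lists exactly as given in this article for each patch.
PATCH_FILES = {
    "SUPEE-1533": [
        "app/code/core/Mage/Adminhtml/Block/Dashboard/Graph.php",
        "app/code/core/Mage/Adminhtml/controllers/DashboardController.php",
    ],
    "SUPEE-5344": [
        "app/code/core/Mage/Admin/Model/Observer.php",
        "app/code/core/Mage/Core/Controller/Request/Http.php",
        "app/code/core/Mage/Oauth/controllers/Adminhtml/Oauth/AuthorizeController.php",
        "app/code/core/Mage/XmlConnect/Model/Observer.php",
        "lib/Varien/Db/Adapter/Pdo/Mysql.php",
    ],
}

def digest(path):
    """SHA-256 with CRLF normalised (FTP ASCII mode can rewrite line endings); None if absent."""
    p = Path(path)
    if not p.is_file():
        return None
    return hashlib.sha256(p.read_bytes().replace(b"\r\n", b"\n")).hexdigest()

def classify(live_root, pristine_root, patched_root, patch):
    """Return {relative path: state} for every file the given patch touches."""
    report = {}
    for rel in PATCH_FILES[patch]:
        live = digest(Path(live_root) / rel)
        pristine = digest(Path(pristine_root) / rel)
        patched = digest(Path(patched_root) / rel)
        if patched is None:
            report[rel] = "missing-in-archive"  # wrong ZIP for this Magento version?
        elif live is None:
            report[rel] = "missing-on-store"
        elif live == patched:
            report[rel] = "patched"             # already matches the patched file
        elif live == pristine:
            report[rel] = "replace"             # stock core file, safe to overwrite
        else:
            report[rel] = "modified"            # local edits: merge them by hand
    return report

if __name__ == "__main__":
    # Usage: python check_patch.py LIVE_COPY PRISTINE_RELEASE UNPACKED_ZIP SUPEE-5344
    for rel, state in classify(*sys.argv[1:5]).items():
        print(f"{state:20} {rel}")
```

Running it again on a fresh download after the upload should report every file as "patched"; any file reported as "modified" needs its changes re-applied to the patched version rather than a plain overwrite.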

Patches for other versions (1.7.0.2 and earlier)

Older versions are patched in the same way. I have combined the downloads for all versions into a single table. The last column contains a combined archive of both patches, so you can upload both at once.

| Magento version | SUPEE-5344 | SUPEE-1533 | COMBINED (both patches at once) |
| --- | --- | --- | --- |
| Magento 1.8.0.0-1.9.1.0 | SUPEE-5344.zip | SUPEE-1533.zip | SUPEE-1533-5344.zip |
| Magento 1.7.0.0-1.7.0.2 | SUPEE-5344-1.7.zip | SUPEE-1533.zip | SUPEE-1533-5344-1.7.zip |
| Magento 1.6.1.0-1.6.2.0 | SUPEE-5344-1.6.zip | SUPEE-1533-1.6.zip | SUPEE-1533-5344-1.6.1.zip |
| Magento 1.6.0.0 | not prepared (due to low volume) | | use official .sh patch file or upgrade to nearest 1.6.2.0 |
| Magento 1.5.1.0 | SUPEE-5344-1.5.1.zip | SUPEE-1533-1.5.1.zip | SUPEE-1533-5344-1.5.1.zip |
| Magento 1.4.0.0-1.5.0.1 | not prepared (due to high customization rate and overrides possibility) | | use official .sh patch file |
| Magento 1.3 | not prepared (due to high customization rate and overrides possibility) | | use patch from here |


Simply unpack the archive and replace the files on your store by uploading the app/ and lib/ folders into your Magento root directory.
If you use a PHP opcode cache (APC/XCache/eAccelerator), make sure to flush it after patching; otherwise the old code will continue to run from the cache.

Verification

Verify that your store has the green SAFE status at http://magento.com/security-patch
Additionally, if your store is still using the default /admin/ path, you may consider securing your Magento /admin/ by changing the admin path.
Done.