Skip links

Magento Patch: Apply SUPEE-5344 and SUPEE-1533 without SSH access

How to apply SUPEE-5344 and SUPEE-1533 without SSH

Recently released announce regarding Magento vulnerability which is about to be disclosed by CheckPoint mentions necessity of installing Magento patchesSUPEE-1533 and SUPEE-5344 available for download at MagentoCommerce site:
https://www.magentocommerce.com/products/downloads/magento/
The only problem with these patches is SSH requirement, which some hosts do not provide. If you have SSH access, you can install patches as shown in How to apply SUPEE-5344 and SUPEE-1533 via SSH.
It is still possible to apply these patches even without SSH via FTP/sFTP or direct execution via PHP as shown below in this article.
If you have any difficulties with applying the patches please let us know in comments, so we can find the solution together.
Before patching make sure to disable Magento Compiler if you use it at System > Configuration > Tools > Compilation.

Applying Magento patches via FTP/sFTP or FileManager / File Upload

To apply patches in this way we simply replace changed files. This way can not be used blindly if you or your developers have changed any core Magento files (which is a big no-no, by the way). Such changes should be re-applied to patched files, or you loose these changes.
Patch SUPEE-1533 (Magento 1.7.x.x-1.9.1.0) applied to the following files:

  • app/code/core/Mage/Adminhtml/Block/Dashboard/Graph.php
  • app/code/core/Mage/Adminhtml/controllers/DashboardController.php

Patched version of files for Magento 1.7.0.0-1.9.1.0 (including 1.7.0.2, 1.8.1.0 and 1.9.1.0 versions) packed into single ZIP archive: SUPEE-1533.zip. Simply unpack it and replace files on your store by uploading app folder into your Magento root directory.
Patch SUPEE-5344 (Magento 1.8.x.x-1.9.1.0) applied to the following files:

  • app/code/core/Mage/Admin/Model/Observer.php
  • app/code/core/Mage/Core/Controller/Request/Http.php
  • app/code/core/Mage/Oauth/controllers/Adminhtml/Oauth/AuthorizeController.php
  • app/code/core/Mage/XmlConnect/Model/Observer.php
  • lib/Varien/Db/Adapter/Pdo/Mysql.php

Patched version of these files for Magento 1.8.x.x-1.9.1.0 packed into single ZIP archive: SUPEE-5344.zip. Simply unpack it and replace files on your store by uploading app/ and lib/ folders into your Magento root.
 

Patches for other versions (1.7.0.2 and earlier)

Older versions are patched in the same way, I have combined downloads for all versions into a single table. The last column contains combined version of both patches to upload both patches at once.

Simply unpack the archive and replace files on your store by uploading app/ and lib/ folders into your Magento root directory.If you use PHP opcode caches (APC/XCache/eAccelerator) make sure to flush it after patching, otherwise code will continue to run from caches.
Verify that your store have green SAFE status at https://magento.com/security-patch
Additionally, if your store still using default /admin/ path, you may consider securing your Magento /admin/ by admin path change.
Done.

Applying Magento patches via PHP

Upload one of PHP shells to your Magento root subfolder. Sample PHP shells are PHP Shell and phpFileManager. Just upload one of shells to your Magento site, open the shell in browser and run Magento patches in the shell provided just like via SSH.
 

Applying patches manually (by merging patches with your changes in core files)

Use this way only if you or your developers have changed core Magento files that need to be patched. Apply the changes from the diffs below line by line editing all files. Lines prefixed with a “+” (plus sign) should be added, lines prefixed with “-” (minus sign) should be removed, “@@” characters indicate position (line number and column).
Complete DIFF for SUPEE-1533 (Magento 1.7.0.0-1.9.1.0):

 
Complete DIFF for SUPEE-5344 (Magento 1.8.0.0-1.9.1.0):

If you have any difficulties with applying the patches please let us know in comments, so we can find the solution together.