On February 9th, 2015, the Magento team released a patch that closes a security hole in the Magento core. Many blogs and websites have only recently become aware of this, and detailed information about the patch is hard to find. We already reported on it in “Magento warns of remote code execution exploit”, but we would now like to give another update.
The vulnerability allows access to the server
A serious security flaw was discovered in the Magento core that makes it possible for an attacker to gain access to the entire Magento instance or to save files on the server.
Magento versions 1.4 to 1.9 affected
The patch “SUPEE-5344 - Addresses a potential remote code execution exploit” is available for all Magento versions. It should be installed as soon as possible if it has not been already.
Import Magento patch
There are three ways to apply the patch. Two sets of instructions can be found in the rack::SPEED blog:
Importing the Magento patch via SSH:
Download the appropriate patch from Magentocommerce.com (at the bottom of the page)
Upload the patch to the public_html folder (the root directory of the shop)
sh PATCH-FILENAME.sh
rm -rf var/cache/*
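The SSH procedure above, wrapped as a small POSIX shell script with the checks an administrator wants before running a patch script on a live shop. This is an added example and not code from the original post or from Magento; it assumes a Magento 1 layout (the document root contains app/Mage.php and var/cache) and that the downloaded patch is a shell script, with the path and file name passed as arguments.

```shell
#!/bin/sh
# Added example, not from the original post or from Magento.
# Usage: sh apply_magento_patch.sh /path/to/public_html PATCH-FILENAME.sh

# Return 0 when DIR looks like a Magento 1 document root (app/Mage.php present).
is_magento_root() {
    [ -f "$1/app/Mage.php" ]
}

# Return 0 when FILE is a readable, non-empty shell script (starts with "#!").
is_patch_file() {
    [ -r "$1" ] && [ -s "$1" ] && head -n 1 "$1" | grep -q '^#!'
}

# Apply PATCH to the shop in ROOT and clear the cache afterwards.
# Returns non-zero, without touching the shop, if either check fails,
# and non-zero if the patch script itself reports an error.
apply_patch() {
    root=$1
    patch=$2
    if ! is_magento_root "$root"; then
        echo "not a Magento root (app/Mage.php missing): $root" >&2
        return 1
    fi
    if ! is_patch_file "$patch"; then
        echo "not a patch script: $patch" >&2
        return 1
    fi
    # Resolve the patch to an absolute path so it is still found after cd.
    patch=$(cd "$(dirname "$patch")" && pwd)/$(basename "$patch")
    # Run the patch from the shop root, exactly like "sh PATCH-FILENAME.sh" over SSH.
    if ! (cd "$root" && sh "$patch"); then
        echo "patch script failed, cache left untouched" >&2
        return 1
    fi
    # Clear the cache so the patched code is actually used (rm -rf var/cache/*).
    rm -rf "$root/var/cache"/*
    echo "patch applied and cache cleared in $root"
    return 0
}

# Stand-alone use: two arguments, shop root and patch file.
if [ $# -eq 2 ]; then
    apply_patch "$1" "$2"
fi
```

Because the patch is uploaded into public_html, it is reachable over the web once the shop is patched; the PHP procedure below ends by deleting its files, and the same housekeeping applies here.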
Applying the patch without SSH:
Download the appropriate patch from Magentocommerce.com (at the bottom of the page)
Open the patch in a text editor
Apply the patch manually: lines in the patch marked with a minus (-) are removed, lines marked with a plus (+) are added. The names of the files to be edited appear above the changed lines.
Clear all caches to activate the changes: System > Cache Management
Another option was published in the Commerce blog: execute the shell commands via PHP (this does not work on all server environments):
Applying the patch via PHP:
Download the appropriate patch from Magentocommerce.com (at the bottom of the page)
Create a PHP file named patch.php
Insert the following content:
<?php
// Run the patch script from the shop root and show its output and exit code.
$shellCommand = "sh patch.sh";
$shellCommand = escapeshellcmd($shellCommand);
exec($shellCommand, $output, $exitCode);
print_r($output);
echo "exit code: " . $exitCode;
?>
Copy the created patch.php together with the downloaded patch file (renamed to patch.sh) into the root directory of the shop
Open patch.php in the browser
An error or success message appears
Delete both files from the server again