Critical Magento Security Updates (SUPEE-5344 / SUPEE-1533)

Magento sent Community Edition website owners into panic this week with a stern red notice appearing in the admin area of all CE installs.

The full notification reads as follows;

Critical Reminder: Download and install Magento security patches. Download now.

Download and implement 2 important security patches (SUPEE-5344 and SUPEE-1533) from the Magento Community Edition download page. If you have not done so already, download and install 2 previously-released patches that prevent an attacker from remotely executing code on Magento software. These issues affect all versions of Magento Community Edition. A press release from Check Point Software Technologies in the coming days will make one of these issues widely known, possibly alerting hackers who may try to exploit it. Ensure the patches are in place as a preventative measure before the issue is publicized.

A follow up notification was sent the next day, to further remind Magento site owners of the need to install the two patches.

Magento Community Edition Patches

SUPEE-5344 and SUPEE-1533 security patches both address potential remote code execution exploits.

SUPEE-1533 fixes a potential vulnerability that could allow an attacker:

• to execute arbitrary code on your Magento server.
• to create files with a .csv extension, create writable directories, and change the permission of existing files to world-writable (777).

More information on patch SUPEE-1533 can be found in this Magento document.

Installing Magento security patches

The Magento commerce website provides the following advice on how to install a security patch.

Please upload the patch into your Magento root directory and run the appropriate SSH command:

For patch files with the file extension .sh:

sh patch_file_name.sh

Example: sh PATCH_SUPEE-1868_CE_1.7.0.2_v1.sh

For patch files with the file extension .patch:

patch –p0 < patch_file_name.patch

Once that is done, refresh the cache in the Admin under “System > Cache Management” so that the changes will be reflected.

We highly recommend you test all patches in a test environment before taking them live.

Magento & SSH commands

Not all hosting CPanels will allow you direct access to SSH, so you may need to ask your hosting company to run these commands for you. To use SSH you’ll need to use software like PuTTY which will help you to create a key combination, to securely access your server.

Before installing the patches take a backup of the site files and database.

Further Magento patch articles

• Magento – SUPEE-5994 – can’t find file to patch at input line 347
• Magento – reverting a security patch
• Magento – Patch SUPEE-6482

Further Help

If you don’t feel confident running SSH commands on your Magento server, we’re happy to help. Give us a ring or send us contact form message and we’ll patch your site for you.