Magento released a new security patch SUPEE-6788 on Oct 27, 2015 which address 10+ security issues, including remote code execution and information leak vulnerabilities. A new Magento community edition 1.9.2.2 also released which comes with all these vulnerabilities fixes included. This patch is not related to Guruincsite malware infection in thousands of magento website worldwide. Its strongly recommended to install this patch in a development environment first as it can effect several popular extensions and customization.

 

How to apply SUPEE-6788 security patch to your magento

Update magento – Upgrading your magento to Magento 1.9.2.2 will include all security patches (SUPEE-5344, SUPEE-5994, SUPEE-6285, SUPEE-6482, SUPEE-6788) released by magento so far.

Apply Security Patch to your version – By some reason if magento upgrade is not possible you can apply this security patch via FTP/sFTP upload as shown in this article.

Before applying this patch to magento, make sure you apply all previous security patches for your version of magento.

Getting ready to install SUPEE-6788 –

Cautions – SUPEE-6788 can possibly break some third party extensions those uses custom variables and custom admin routes. Checkout if you are using any such extension by verifying it on the community maintained list of incompatible extension.

  • Update all third-party extensions, disable and uninstall any unused extensions.
  • Disable Magento Compiler and clear compiler cache
  • Install all previous patches (namely, SUPEE-1533, SUPEE-5344, SUPEE-5994, SUPEE-6285, SUPEE-6482)

Applying Magento patch via FTP/sFTP or FileManager / File Upload –

Next step is to upload these files in respective folder on the server using FTP or sFTP. If you have changed any core magento file (not recommended at all though) from the above list, you need to reply your changes to this new patch file and upload it on the server.

Steps To install the patch via FTP/File Upload –

  • Select patch bundle archive corresponding to your Magento version from the table below and unpack it
  • upload all files and folders to Magento root directory of your store, replacing all files
  • delete dev/tests/functional/.htaccess from your store (if exists)

Patch for all magento version –

Magento version SUPEE-6788
Magento 1.9.2.1 SUPEE-6788-1.9.2.1
Magento 1.9.2.0 SUPEE-6788-1.9.2.0
Magento 1.9.1.1 SUPEE-6788-1.9.1.1
Magento 1.9.1.0 SUPEE-6788-1.9.1.0
Magento 1.9.0.1 SUPEE-6788-1.9.0.1
Magento 1.8.1.0 SUPEE-6788-1.8.1.0
Magento 1.7.0.2 SUPEE-6788-1.7.0.2

List of Files updated in SUPEE-6788 patch –

.htaccess
.htaccess.sample
app/code/core/Mage/Admin/Model/Block.php
app/code/core/Mage/Admin/Model/Resource/Block.php
app/code/core/Mage/Admin/Model/Resource/Block/Collection.php
app/code/core/Mage/Admin/Model/Resource/Variable.php
app/code/core/Mage/Admin/Model/Resource/Variable/Collection.php
app/code/core/Mage/Admin/Model/Variable.php
app/code/core/Mage/Admin/etc/config.xml
app/code/core/Mage/Admin/sql/admin_setup/upgrade-1.6.1.1-1.6.1.2.php
app/code/core/Mage/Adminhtml/Block/Permissions/Block.php
app/code/core/Mage/Adminhtml/Block/Permissions/Block/Edit.php
app/code/core/Mage/Adminhtml/Block/Permissions/Block/Edit/Form.php
app/code/core/Mage/Adminhtml/Block/Permissions/Block/Grid.php
app/code/core/Mage/Adminhtml/Block/Permissions/Variable.php
app/code/core/Mage/Adminhtml/Block/Permissions/Variable/Edit.php
app/code/core/Mage/Adminhtml/Block/Permissions/Variable/Edit/Form.php
app/code/core/Mage/Adminhtml/Block/Permissions/Variable/Grid.php
app/code/core/Mage/Adminhtml/controllers/Permissions/BlockController.php
app/code/core/Mage/Adminhtml/controllers/Permissions/VariableController.php
app/code/core/Mage/Adminhtml/etc/adminhtml.xml
app/code/core/Mage/Catalog/Model/Product/Option/Type/File.php
app/code/core/Mage/Core/Controller/Front/Action.php
app/code/core/Mage/Core/Controller/Varien/Router/Admin.php
app/code/core/Mage/Core/Helper/UnserializeArray.php
app/code/core/Mage/Core/Model/Email/Template/Filter.php
app/code/core/Mage/Core/Model/Resource/Setup.php
app/code/core/Mage/Core/etc/config.xml
app/code/core/Mage/Core/etc/system.xml
app/code/core/Mage/Customer/Block/Account/Changeforgotten.php
app/code/core/Mage/Customer/Block/Account/Resetpassword.php
app/code/core/Mage/Customer/controllers/AccountController.php
app/code/core/Mage/Downloadable/Model/Product/Type.php
app/code/core/Mage/Eav/Model/Resource/Attribute/Collection.php
app/code/core/Mage/Sales/Model/Resource/Order/Item/Collection.php
app/code/core/Mage/Sales/controllers/DownloadController.php
app/code/core/Mage/SalesRule/Model/Resource/Coupon/Collection.php
app/design/adminhtml/default/default/layout/admin.xml
app/design/frontend/base/default/layout/customer.xml
app/design/frontend/base/default/template/customer/form/register.phtml
app/design/frontend/base/default/template/customer/form/resetforgottenpassword.phtml
app/design/frontend/base/default/template/persistent/customer/form/register.phtml
app/design/frontend/default/iphone/layout/customer.xml
app/design/frontend/default/modern/layout/customer.xml
app/design/frontend/rwd/default/layout/customer.xml
app/design/frontend/rwd/default/template/customer/form/resetforgottenpassword.phtml
app/design/frontend/rwd/default/template/persistent/customer/form/register.phtml
cron.php
dev/tests/functional/.htaccess
errors/processor.php
lib/Unserialize/Parser.php
lib/Unserialize/Reader/Arr.php
lib/Unserialize/Reader/ArrKey.php
lib/Unserialize/Reader/ArrValue.php
lib/Unserialize/Reader/Bool.php
lib/Unserialize/Reader/Dbl.php
lib/Unserialize/Reader/Int.php
lib/Unserialize/Reader/Str.php
lib/Varien/Data/Collection/Db.php
lib/Zend/Xml/Security.php

Once you apply clear your magento store cache to make sure these files are not longer in the cached version.

Post-installation Check –

With this security patch magento added a new option in System/Configuration. Its in System > Configuration > Admin > Security as a new option Secure Admin routing for extensions. This option is not applied by default after patch installation. In order to achieve maximum security benefit from this patch Admin routing compatibility mode should be Disabled.