How to apply Magento patch SUPEE-1533 and SUPEE-5344 without SSH

We all know by now that around 30% Ecommerce portals globally are now using Magento framework. This increased number shows the potential this framework carries. But the same strongest platform recently announced a major security patch a serious vulnerability “SUPEE-5344 and SUPEE-1533” code named as Shoplift. We have been posting about the bug since the day it was discovered in our posts “Shoplift bug :: Is your Magento shop vulnerable to it(SUPEE-5344)?” , “Have you patched your Magento for shoplift?” & “Magento Shoplift Security Update, haven’t done yet?” .

Why so Serious?

The heading reminds of a Batman movie :). Well, this particular vulnerability was detected by Netanel Rubin who said that it allowed hackers to access the store admin rights which can help them be the store admin. Every aspect of store admin user role can be accessed thought this hole. The data that hacker take from the store can be used any way they want which was the end for a store.

How do I Fix it?

We have posted one solution which was based on SSH based Patch update in our post the day it first surfaced. The method needed technical expertise and server root level access. This method required developers assistance and precise implementation else could result to bigger trouble.

Today, we are sharing with you all an easy way to do it. The FTP way which almost all the developers will love to use. The reason for sharing this method is to help  the community overall to update their store quickly and be safe from the possible security threat.

How to apply Magento patch SUPEE-1533 and SUPEE-5344 with FTP?

We applied the patch successfully on some 40+ store successfully. Out of curiosity, we checked and found that the patches SUPEE 1533 and SUPEE 5344 when applied, mainly affected following 7 files of magento core system collectively.

Changes affecting after patch SUPEE 1533:

• app/code/core/Mage/Adminhtml/Block/Dashboard/Graph.php
• app/code/core/Mage/Adminhtml/controllers/DashboardController.php

Changes affecting after patch SUPEE 5344:

• app/code/core/Mage/Admin/Model/Observer.php
• app/code/core/Mage/Core/Controller/Request/Http.php
• app/code/core/Mage/Oauth/controllers/Adminhtml/Oauth/AuthorizeController.php
• app/code/core/Mage/XmlConnect/Model/Observer.php
• lib/Varien/Db/Adapter/Pdo/Mysql.php

We then tried to create a solution so that someone without a SSH access(which is very common these days due to website being mostly on shared servers) can also update the Magento store for the patch.

The steps to follow are as follow :

– Backup your Magento Store
– Download the zip files for the patch SUPEE-1533 and SUPEE-5344
– Unzip both the downloaded files and upload it to your magento root directory
– And, you are done. Congrats the Urgent critical security patch is applied.

Did it really happen?

We understand that after all the terror floating around, you will want to be extra sure that the above mentioned steps worked for your store or not. Well you can check if your Magento store is patched or not by going to this link and putting your Magento store URL on https://shoplift.byte.nl/ or http://magento.com/security-patch

The second way to check is by going to these locations mentioned above and see if the files are changed or not.

If still it says, the store is not safe, contact us and we will ensure to help you fix it. We have a list of happy customers already.

Purchase our Service to get your Magento Store secured now.