The testing links in this post will only test site vulnerability against the shoplift bug.
Many business owners have logged into their admin panels recently and have been confronted by this notification:
This notification alone has sent many business owners and operators into quite a panic, and rightly so it would seem. Back in January, a security company called Check Point found a highly critical security flaw in all Magento sites. The “Magento Shoplift Bug” allows an attacker to take complete control of a Magento store and its server. So just to reiterate, this is pretty critical.
Luckily, there is a site you can visit to check whether or not your site is vulnerable to the “shoplift” threat. Just visit https://shoplift.byte.nl/ and enter your domain name. If you are vulnerable, the image returned will look like this…
Well, as the message within your admin panel states, you need to go to the Magento downloads page and download the security patches that relate to your version of Magento (you can find your version by logging in and looking at the bottom of the admin panel).
For your convenience, this is the link to the page (Magento will require you to log in to download the patches): https://www.magentocommerce.com/products/downloads/magento/
So far so good: you have grabbed the Magento security patch (or patches) you require and now you have to install them, and this is where it all seems to get a little bit complicated, as Magento instructs you to use SSH to install these files.
Whilst this information is correct, and in an ideal world we would all have SSH access and PuTTY installed on our computers to connect to our servers and run these patches in this manner, the reality is we don’t all have that luxury and most people only have FTP access to their server.
So let’s now jump straight into how you can install those security patches to fix the Magento Shoplift Bug threat using FTP access only.
I’m going to assume by now that you have downloaded the necessary patch files as stated above and that you have some knowledge of FTP. Let’s get cracking…
- SO, first things first… BACK UP EVERYTHING: DIRECTORIES, DATABASE, EVERYTHING. As you can tell, I really can’t stress this enough.
- Now, open your FTP program and connect to your server, navigate to your root directory (where your Magento installation is located), and upload the patch files.
- Next, we are going to create a new file. Let’s call it applypatch.php
- Within that file, we are going to place the following code:
You will notice in the above code the section in which you need to place the entire patch file name, including the .sh extension on the end. It is imperative that this is correct, otherwise no patch can be applied.
- Once you have saved your applypatch.php file, upload it to your root directory.
- Open a new tab and navigate to your website, adding the applypatch.php file on the end, for example http://www.mydomainname.co.uk/applypatch.php
Once the script executes, you should see this response (or similar):
Once you have completed this for the first patch, you can then amend the applypatch.php file and change the filename to any other patch filename you have uploaded, save the file and re-upload it to your server using FTP (overwriting the original copy), and run the file again. Personally, I did this for each individual patch just in case one particular file caused any issues.
Once you have completed this for each patch, jump back to https://shoplift.byte.nl and run the test again. If everything has gone to plan, you should now see a screen that says you’re looking safe 🙂
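As an added illustration of the procedure above (this is example code written for this page, not the applypatch.php script from the original post), the following is one way to write a throwaway PHP file that runs an uploaded Magento patch the same way the SSH instructions do (`sh <patchfile>`). It assumes the patch .sh file and this script both sit in the Magento root, that PHP's shell_exec() is not disabled on the host, and that the web server user has write access to the Magento files; `PATCH_FILENAME_HERE.sh` is a placeholder you replace with the exact name of the patch file you uploaded.

```php
<?php
// applypatch.php - added example, not the script from the original post.
// Assumptions: this file and the patch .sh file are in the Magento root,
// shell_exec() is enabled, and the web server user can write to Magento's files.

// Set this to the exact patch filename you uploaded, including the .sh extension.
// (Placeholder: replace with the real filename from the Magento downloads page.)
$patchFile = 'PATCH_FILENAME_HERE.sh';

header('Content-Type: text/plain');

// Only accept a plain filename that lives in this directory (no slashes, no
// parent-directory parts), so the script cannot be pointed at anything other
// than a patch file you uploaded next to it.
if (!preg_match('/^[A-Za-z0-9._-]+\.sh$/', $patchFile) || strpos($patchFile, '..') !== false) {
    exit("Refusing to run: patch filename must be a plain .sh file in this directory.\n");
}

$patchPath = __DIR__ . DIRECTORY_SEPARATOR . $patchFile;
if (!is_file($patchPath)) {
    exit("Patch file not found: " . $patchFile . "\n"
       . "Check that the filename above matches the uploaded file exactly.\n");
}

// Run from the Magento root, as the patch expects, and capture stdout and stderr
// so the patch's own result message (applied / already applied / error) shows
// in the browser.
chdir(__DIR__);
$output = shell_exec('sh ' . escapeshellarg($patchFile) . ' 2>&1');

if ($output === null || $output === false) {
    echo "No output returned. shell_exec() may be disabled on this host; "
       . "ask your hosting provider to apply the patch if so.\n";
} else {
    echo $output;
}

// A web-reachable file that executes shell commands is exactly what an attacker
// looks for, so remove this script as soon as it has done its job. You re-upload
// a fresh copy for each further patch anyway.
@unlink(__FILE__);
```

Because the script deletes itself after running, upload it again (with the next patch filename) for each patch, which matches the re-upload step in the post. If the hosting account disables shell_exec(), the script reports that rather than silently doing nothing, and the patch has to be applied another way.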
That’s it, hope it helps you to install your Magento security patch using FTP.
Would you like us to do this for you?
You can book Digital Crate to handle this for you if you wish. Simply fill in the details below and we will contact you to gain the details we require to install the security patches.
Our charge for this service would be from £50 per site.