How to Successfully Apply the Magento Patch SUPEE-6788

On October 27, 2015, Magento released the patch SUPEE-6788, which resolves several security issues, including remote code execution and information leak vulnerabilities. The vulnerabilities were identified through Magento's security program. Due to the severity of these vulnerabilities, all Magento store owners are urged to patch their sites as soon as possible. Magento also released new versions of Magento Community Edition and Magento Enterprise Edition that include patch SUPEE-6788.

How do I know if my store is vulnerable?

All versions prior to Magento CE 1.9.2.2 and EE 1.14.2.2 are vulnerable. You can scan your Magento site for security issues on magereport.com.

How to apply the patch

  • Download the SUPEE-6788 patch for the particular version of Magento you are using and upload it to your store root directory (e.g. public_html).
  • Log in to your account using SSH (contact us for access) and navigate to the Magento installation directory:
    cd <path_to_magento>
  • Apply the patch by running the script (replace the file name with the exact name of the patch for your Magento version):
    sh patch-file-name.sh
  • You should see the following message if the patch was applied successfully:
    Patch was applied/reverted successfully.

What if the patch could not be applied?

Some users have reported that they get an error message similar to the following when trying to apply the patch.

checking file .htaccess
Hunk #1 FAILED at 207.
1 out of 1 hunk FAILED

This error occurs if the main .htaccess file has been modified from the stock Magento .htaccess. The patch script simply aborts with no further explanation - not a very graceful way to handle such a common situation.

The solution is to revert the .htaccess (and .htaccess.sample) to the stock versions from the installation package for your Magento version. You should then be able to apply the patch. Make sure to back up your customized .htaccess file first so you can restore it after the patch has been applied.

The particular changes that SUPEE-6788 makes to the .htaccess are included below. It is recommended that you add this block to your customized .htaccess once the patch has been applied.

<Files cron.php>

    ############################################
    ## uncomment next lines to enable cron access with base HTTP authorization
    ## http://httpd.apache.org/docs/2.2/howto/auth.html
    ##
    ## Warning: .htpasswd file should be placed somewhere not accessible from the web.
    ## This is so that folks cannot download the password file.
    ## For example, if your documents are served out of /usr/local/apache/htdocs
    ## you might want to put the password file(s) in /usr/local/apache/.

    #AuthName "Cron auth"
    #AuthUserFile ../.htpasswd
    #AuthType basic
    #Require valid-user

    ############################################

    Order allow,deny
    Deny from all
</Files>
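The following script ties the steps above together: it backs up .htaccess and .htaccess.sample before patching, runs the patch script and looks for the success line, lists the files whose hunks failed when it does not appear (the .htaccess case described earlier), and finally checks that the cron.php deny block shown above is present. This is an added example written for this article; it is not part of the original post and not one of Magento's own patch scripts. It assumes it is run from the Magento root, that the patch script name is a placeholder you replace, and that the patch output has the format quoted in the article.

```shell
#!/bin/sh
# Added example (not from the original article or from Magento): a wrapper
# around the SUPEE-6788 procedure described above. Assumes it runs from the
# Magento root; the patch script name is a placeholder supplied as $1.

# Copy .htaccess and .htaccess.sample aside with a timestamp so a customized
# version can be restored and merged after patching. Prints the suffix used.
backup_htaccess() {
    dir="$1"
    stamp=$(date +%Y%m%d%H%M%S)
    for f in .htaccess .htaccess.sample; do
        if [ -f "$dir/$f" ]; then
            cp -p "$dir/$f" "$dir/$f.pre-supee-6788.$stamp"
        fi
    done
    echo "$stamp"
}

# Run one patch script, keeping its output in $2. Returns 0 only when the
# script prints the success line quoted in the article.
apply_patch() {
    script="$1"; log="$2"
    sh "$script" > "$log" 2>&1 || true
    grep -q 'Patch was applied/reverted successfully' "$log"
}

# Given saved patch output, print each file that had a failed hunk. With the
# output quoted in the article this prints ".htaccess".
report_failed_hunks() {
    awk '
        /^checking file / { file = $3 }
        /^Hunk #[0-9]+ FAILED/ && file != "" { print file; file = "" }
    ' "$1"
}

# Return 0 if the .htaccess at $1 contains a <Files cron.php> block with
# "Deny from all", which is the restriction SUPEE-6788 adds and the thing to
# confirm after merging the block back into a customized .htaccess.
htaccess_denies_cron() {
    awk '
        /^[ \t]*<Files[ \t]+cron\.php>/ { inblock = 1; next }
        /^[ \t]*<\/Files>/              { inblock = 0; next }
        inblock && /^[ \t]*Deny[ \t]+from[ \t]+all/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Usage: sh apply-supee-6788.sh PATCH_SUPEE-6788_<version>.sh  (from the Magento root)
if [ -n "$1" ]; then
    stamp=$(backup_htaccess .)
    echo "Backed up .htaccess files with suffix .pre-supee-6788.$stamp"
    if apply_patch "$1" patch-output.log; then
        echo "Patch applied."
    else
        echo "Patch did not apply cleanly; files with failed hunks:"
        report_failed_hunks patch-output.log
        exit 1
    fi
    if htaccess_denies_cron .htaccess; then
        echo "OK: .htaccess denies web access to cron.php"
    else
        echo "WARNING: .htaccess does not deny access to cron.php; merge the block above"
    fi
fi
```

If the script reports failed hunks for .htaccess, follow the procedure above: restore the stock .htaccess and .htaccess.sample, re-run the patch, then copy your customizations back from the timestamped backups together with the cron.php block, and run the check once more.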