A recently released announcement regarding the Magento vulnerability disclosed by Check Point urges installation of the Magento patches SUPEE-1533 and SUPEE-5344. The patches are available for download from the MagentoCommerce site:
https://www.magentocommerce.com/products/downloads/magento/

To test whether your store is vulnerable, use our Scan your store button in the sidebar.

The only problem with these patches is the SSH requirement, which some hosts do not provide. If you have SSH access, you can install the patches as shown in How to apply SUPEE-5344 and SUPEE-1533 via SSH.

It is still possible to apply these patches without SSH, via FTP/sFTP or by direct execution through PHP, as shown below in this article.

If you wish to save time and have us install these patches for you, simply click here to order installation.

Applying Magento patches via FTP/sFTP or FileManager

To apply patches via FTP we simply replace the changed files. This method cannot be used blindly if you or your developers have modified any core Magento files (which is a big no-no, by the way): such changes must be re-applied to the patched files, or you will lose them.

Patch SUPEE-1533 (Magento 1.7.x.x-1.9.1.0) applies to the following files:

  • app/code/core/Mage/Adminhtml/Block/Dashboard/Graph.php
  • app/code/core/Mage/Adminhtml/controllers/DashboardController.php

Patched versions of these files for Magento 1.7.0.0-1.9.1.0 (including the 1.7.0.2, 1.8.1.0 and 1.9.1.0 versions) are packed into a single ZIP archive: SUPEE-1533.zip. Simply unpack it and replace the files on your store by uploading the app folder into your Magento root directory.

Patch SUPEE-5344 (Magento 1.8.x.x-1.9.1.0) applies to the following files:

  • app/code/core/Mage/Admin/Model/Observer.php
  • app/code/core/Mage/Core/Controller/Request/Http.php
  • app/code/core/Mage/Oauth/controllers/Adminhtml/Oauth/AuthorizeController.php
  • app/code/core/Mage/XmlConnect/Model/Observer.php
  • lib/Varien/Db/Adapter/Pdo/Mysql.php

Patched versions of these files for Magento 1.8.x.x-1.9.1.0 are packed into a single ZIP archive: SUPEE-5344. Simply unpack it and replace the files on your store by uploading the app/ and lib/ folders into your Magento root.

Patches for other versions (1.7.0.2 and earlier)

Older versions are patched in the same way; I have combined the downloads for all versions into a single table. The last column contains a combined version of both patches, so that both can be uploaded at once.

| Magento version | SUPEE-5344 | SUPEE-1533 | COMBINED (both patches at once) |
|---|---|---|---|
| Magento 1.8.0.0-1.9.1.0 | SUPEE-5344 | SUPEE-1533 | SUPEE-1533-5344 |
| Magento 1.7.0.0-1.7.0.2 | SUPEE-5344-1.7 | SUPEE-1533 | SUPEE-1533-5344-1.7 |
| Magento 1.6.1.0-1.6.2.0 | SUPEE-5344-1.6 | SUPEE-5344-1.6 | SUPEE-1533-5344-1.6.1 |
| Magento 1.6.0.0 | not prepared (due to low volume); use the official .sh patch file or upgrade to the nearest 1.6.2.0 | | |
| Magento 1.5.1.0 | SUPEE-5344-1.5.1 | SUPEE-1533-1.5.1 | SUPEE-1533-5344-1.5.1 |
| Magento 1.4.0.0-1.5.0.1 | not prepared (due to high customization rate and overrides possibility); use the official .sh patch file | | |
| Magento 1.3 | not prepared (due to high customization rate and overrides possibility); use the patch from here. | | |

Simply unpack the archive and replace the files on your store by uploading the app/ and lib/ folders into your Magento root directory.

If you use a PHP opcode cache (APC/XCache/eAccelerator), make sure to flush it after patching; otherwise the old code will continue to run from the cache.

Verification

Verify that your store has green SAFE status at http://magento.com/security-patch.

Additionally, if your store is still using the default /admin/ path, you may consider securing your Magento admin by changing the admin path.

Done.

Applying Magento patches via PHP

Upload one of the PHP shells to a subfolder of your Magento root. Sample PHP shells are PHP Shell and phpFileManager. Just upload one of the shells to your Magento site, open it in a browser and run the Magento patches in the shell it provides, just as you would via SSH. Delete the shell from the server as soon as patching is finished, since anyone who finds it can run commands on your store.

Applying patches manually (by merging patches with your changes in core files)

Use this method only if you or your developers have changed core Magento files that need to be patched. Apply the changes from the diffs below line by line, editing all affected files. Lines prefixed with a "+" (plus sign) should be added, lines prefixed with a "-" (minus sign) should be removed, and "@@" markers indicate the position (line number and column).
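As an added illustration of the merge rules just described (this is not code from the original article or from Magento), the following Python script applies one file's unified diff while checking every context and removed line against the file, so a customised core file is reported instead of silently corrupted. The PHP function and the hunk in it are constructed samples, not the real SUPEE diffs.

```python
import re
HUNK_RE = re.compile(r"^@@ -(\d+)(?:,\d+)? \+\d+(?:,\d+)? @@")  # "@@ -old_start,count +new_start,count @@"
def apply_diff(original, diff_text):
    """Apply a unified diff to one file's text; each context (' ') and removed ('-') line
    must match the file, otherwise ValueError is raised (the customised-core-file case)."""
    src, out, pos, in_hunk = original.splitlines(), [], 0, False  # pos: next unconsumed src line
    for line in diff_text.splitlines():
        m = HUNK_RE.match(line)
        if m:                                   # hunk header: copy untouched lines up to it
            start = int(m.group(1)) - 1
            out.extend(src[pos:start])
            pos, in_hunk = start, True
            continue
        if not in_hunk or (line and line[0] not in " +-"):
            continue                            # ---/+++ file headers, "\ No newline" notes
        tag, text = (line[0], line[1:]) if line else (" ", "")  # "" = blank context line
        if tag == "+":
            out.append(text)
            continue
        found = src[pos] if pos < len(src) else "<EOF>"
        if found != text:
            raise ValueError(f"line {pos + 1} is {found!r}, patch expects {text!r}")
        if tag == " ":
            out.append(text)
        pos += 1                                # '-' lines are consumed, not emitted
    out.extend(src[pos:])
    return "\n".join(out) + "\n"

def patch_applies(original, diff_text):  # False means: merge the hunks by hand
    try:
        apply_diff(original, diff_text)
        return True
    except ValueError:
        return False

# Constructed sample: a made-up PHP function, not a real Magento file or SUPEE hunk.
STOCK = """function check($request)
{
    return true;
}
"""
CUSTOMISED = STOCK.replace("    return true;", "    Mage::log('check');\n    return true;")
DIFF = """@@ -1,4 +1,5 @@
 function check($request)
 {
-    return true;
+    $key = $request->getParam('key');
+    return $key !== null;
 }
"""
```

`patch_applies(STOCK, DIFF)` is True, while the customised copy fails on the removed line and must be merged by hand.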

Complete DIFF for SUPEE-1533 (Magento 1.7.0.0-1.9.1.0):

Complete DIFF for SUPEE-5344 (Magento 1.8.0.0-1.9.1.0):