Question

I've applied the patches to both our dev site and our live site.

We're running on Enterprise Edition 1.12.0.X

so I've downloaded:

  • PATCH_SUPEE-5345_EE_1.12.0.2_V1-2015-02-10-04-17-49.sh
  • PATCH_SUPEE-1533_EE_1.12.x_v1-2014-10-03-04-00-32.sh

I've also double-checked to make sure that the patches were applied by going to app/etc and opening the applied.patches.list file, which showed that the patches are applied.

What has me concerned is that when I ran the test through the "Magento Shoplift Bug Tester" site, it states that my dev site is good but my live site is vulnerable???

The patches I've installed are identical and I didn't do anything different when it came to installing the patches to the live site.

I wanted to see if anyone else has experienced or is experiencing this? Am I missing something??

Thanks!


Solution

In order for the patches to fully apply:

  1. If you have the compiler enabled, recompile. The old vulnerable code will be trapped in the include system until this is done.
  2. Completely flush the cache so it reloads the refreshed code. A manual delete of the subfolders in var/cache/ wouldn't be remiss.
  3. If you're running an opcode cache, you will need to flush that as well.

You can have a fully patched site, diff the files to find they've changed and match what's reported in app/etc/applied.patches.list and still be vulnerable until it gets converted to live running code.
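
A check for step 1 above, added here as an example and not part of the original answer: it lists compiled class files in includes/src/ that no longer match their patched source. It assumes the Magento 1 compiler layout (an uncommented `COMPILER_INCLUDE_PATH` define in includes/config.php, and compiled file names that are the class path with `/` replaced by `_`); the function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: find Magento 1 compiled classes that differ from their source.
# Assumed layout: includes/config.php, includes/src/, app/code/{local,community,core}, lib.

compiler_enabled() {   # $1 = Magento root
    # An uncommented define() of COMPILER_INCLUDE_PATH means the compiler is on.
    grep -Eq "^[[:space:]]*define\('COMPILER_INCLUDE_PATH'" "$1/includes/config.php" 2>/dev/null
}

stale_compiled() {     # $1 = Magento root; prints one stale compiled file per line
    sc_root=$1
    if compiler_enabled "$sc_root"; then
        for sc_f in "$sc_root"/includes/src/*.php; do
            [ -e "$sc_f" ] || continue
            # Mage_Core_Model_App.php -> Mage/Core/Model/App.php
            sc_rel=$(basename "$sc_f" | tr '_' '/')
            # Same precedence as the autoloader: local, community, core, lib.
            for sc_pool in app/code/local app/code/community app/code/core lib; do
                sc_src="$sc_root/$sc_pool/$sc_rel"
                if [ -f "$sc_src" ]; then
                    cmp -s "$sc_src" "$sc_f" || echo "$sc_f"
                    break
                fi
            done
        done
    fi
}

make_demo_tree() {     # constructed sample tree, not a real Magento install
    d=$(mktemp -d)
    mkdir -p "$d/includes/src" "$d/app/code/core/Mage/Core/Model" \
             "$d/app/code/core/Mage/Admin/Model"
    echo "define('COMPILER_INCLUDE_PATH', dirname(__FILE__).DIRECTORY_SEPARATOR.'src');" \
        > "$d/includes/config.php"
    # Patched source, but the compiled copy still holds the old code.
    echo '<?php /* patched */'   > "$d/app/code/core/Mage/Core/Model/App.php"
    echo '<?php /* unpatched */' > "$d/includes/src/Mage_Core_Model_App.php"
    # Source and compiled copy in sync.
    echo '<?php /* same */' > "$d/app/code/core/Mage/Admin/Model/User.php"
    cp "$d/app/code/core/Mage/Admin/Model/User.php" "$d/includes/src/Mage_Admin_Model_User.php"
    echo "$d"
}

# Usage: sh check_compiled.sh /path/to/magento
if [ -n "${1:-}" ]; then stale_compiled "$1"; fi
```

Any path it prints is old code still being served from the include directory. An empty result says nothing about the application cache or the opcode cache in steps 2 and 3.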

OTHER TIPS

Read the full answer here, which I posted today

The alert message will be still visible in the admin until you mark as read.

This is what someone from Magento told me

I apologize for the message showing in the admin panel. The message doesn't know how to tell if the patches have been installed, this is why you see the message in the admin panel. To test that you are all set, go to the following site and add your domain name: http://magento.com/security-patch

You can go to that link and see if your site is safe.

There's something different in applied.patches.list between your dev and live?

Licensed under: CC-BY-SA with attribution
Not affiliated with magento.stackexchange