2

I've applied the patches to both our dev site and our live site.

We're running on Enterprise Edition 1.12.0.X

so I've downloaded:

  • PATCH_SUPEE-5345_EE_1.12.0.2_V1-2015-02-10-04-17-49.sh
  • PATCH_SUPEE-1533_EE_1.12.x_v1-2014-10-03-04-00-32.sh.

I've also double checked to make sure that the patches were applied by going to app/etc and opened the applied.patches.list file in which it showed the patches are applied.

What has me concerned is that when I ran the test through the "Magento Shoplift Bug Tester" site, it states that my dev site is good but my live site is vulnerable???

The patches I've installed are identical and I didn't do anything different when it came to installing the patches to the live site.

I wanted to see if anyone else has or is experiencing this? Am I missing something??

Thanks!

zhartaunik
  • 3,848
  • 4
  • 23
  • 52
Ang
  • 95
  • 2
  • 10

3 Answers3

2

Read full answer here which i posted today

The alert message will be still visible in the admin until you mark as read.

Community
  • 1
Adeel Ishfaq
  • 650
  • 1
  • 6
  • 17
  • Thanks for your input but it's not quite what I was looking for. The messages in the admin are not what I'm concerned about, it's the results I've gotten from the test I ran to determine if my site is vulnerable or not, even though I did install the patches though. I do appreciate the input though! – Ang Apr 27 '15 at 14:24
1

In order for the patches to fully apply

  1. If you have the compiler enabled, recompile. The old vulnerable code will be trapped in the include system until this is done.
  2. Completely flush the cache so it reloads the refreshed code. A manual delete of the subfolders in var/cache/ wouldn't be remiss.
  3. If you're running an opcode cache, you will need to flush that as well.

You can have a fully patched site, diff the files to find they've changed and match what's reported in app/etc/applied.patches.list and still be vulnerable until it gets converted to live running code.

Fiasco Labs
  • 7,593
  • 4
  • 28
  • 48
  • Glad to be of help. Developing on Magento teaches you that there are so many caching nooks and crannies for code to get stuck in, that it's often a dungeon crawl just to get a change to show. From browser cache to the lowest level of Magento "caching" which is the compiler (for people to argue this one isn't, think what caches do, store stuff), it's why developers run as uncached as possible so they can see immediate changes for all that hard effort. Runs slower, display of changes shows quicker. – Fiasco Labs Apr 28 '15 at 15:11
  • Yes I've found that to be very tricky at times which I may have been presented to another issue that has occurred that I just posted. After I processed what you've mentioned, now customers can not place orders because of the continue button wouldn't work on the payment page. Here's the link of the post: http://magento.stackexchange.com/questions/65080/continue-button-on-payment-information-page-is-not-working I feel like I'm going crazy sometimes with Magento, thanks again for the help! – Ang Apr 28 '15 at 17:28
0

This is what someone from Magento told me

I apologize for the message showing in the admin panel. The message doesn't know how to tell if the patches have been installed, this is why you see the message in the admin panel. To test that you are all set, go to the following site and add your domain name: http://magento.com/security-patch

You can go to that link and see if your site is safe.

There's something different in applied.patches.list between your dev and live?

Natalie
  • 404
  • 2
  • 14