There have been a series of Security issues recently. The major systems that power the web Magento and WordPress have had critical vulnerabilities (wordpress) (magento). I won’t go into the details of both, but the important part is that you need to patch your systems.
In particular Magento had 3 patches that need to be added to your system. One covers the shoplift vulnerability and the others are necessary to keep a secure site. You can obtain the patches here under the Patches section.
SUPEE-5994 – PEAR ERROR
I ran into an issue with the SUPEE-5994 Patch when installing on both a 1.9 and 1.7 system. I wanted to share for those who may have the same challenges. Here is the error I received.
ERROR: Patch can't be applied/reverted successfully.
can't find file to patch at input line 347
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
|diff --git lib/PEAR/PEAR/PEAR.php lib/PEAR/PEAR/PEAR.php
|index b4633bf..e6f8edc 100644
Research Magento 5994 PEAR Error
After a bit of research I found that the issue was related to the PEAR folder not being present on all of the sites having issues. I have not looked at why some of the Magento installs don’t have this folder /lib/PEAR, I will have to investigate a bit more. Image of files missing from <rootfolder>/lib
To solve this error I was able to download the source for Magento , extract the files needed, upload to the server, and run the patch. Here are the steps.
Download source from Magento.com, and select your version. If you don’t know what version of magento you are running, it can be found at the bottom of the Admin page.
Extract the source code or just the /lib/PEAR folder structure, and move this folder and these files to your site. I prefer to use FTP to make sure the proper folder owner and permissions are maintained. If you are using SSH remember to chown the files properly as that site’s owner.
Run the SUPEE-5994 patch
I tend to upload the patches to the sever and then mark them with the 755 permission to allow for all users to have access to the patch. To run the patch execute this command
If the patch runs successfully you will see this output. “Patch was applied/reverted successfully”
Last step I do is to validate that the patches are applied. You can do this by checking a file on your site called /app/etc/applied.patches.list
This is the output of that file. Showing the patches installed (1533, 5344, 3941, and 5994)
After this you should be all set.
Because of the severity of the vulnerability in Magento there is a great external test you can also use. The Magento.com site has created a link to a test by the team (Byte)
The ShipLift bug is a very critical issue for Magento sites. You can see from the graph at Byte.nl that there are still over 69k sites still not patched at this time of writing.
Take a few minutes, backup your site and run the patches. I realize that Magento patches are not as easy as the WordPress upgrade / update process, but in reality they are not that hard. Just patch and test so you are not one of the 69k sites that are prone to attack and vulnerability.