Magento Security Patch SUPEE-8788: Installation and Challenges

Dipak Patil
October 26, 2016

Magento has released a new security patch, SUPEE-8788. Since this patch is of great importance in Magento development, it is not surprising to see merchants implementing it immediately by hiring a SUPEE-8788 installation service.

The patch addresses the following:

  • Zend Framework and payment vulnerabilities
  • Invalidating sessions once a user logs out
  • Security enhancements made at a later stage

Be sure to test the patch in a development environment beforehand, so that you can prevent customizations and extensions from being affected.

How to install the Magento Security Patch SUPEE-8788?

Before you plan an installation, check whether the older patches have been installed correctly, because many patches depend on other patches. The best way to check whether the right patches are installed on your site is to use something like MageReport.

The actual installation of patch

Having SSH access makes patch installation a lot simpler. Before you start the installation process, you need to disable the Magento compiler. You can do this by going to System > Configuration > Tools > Magento Compiler > Clear compiled cache.

How to apply or simply revert the patch?

You can apply this patch if the following conditions are met:

  • The SUPEE-8788 patch is not yet applied because your Magento version is EE 1.14.1.0 or CE 1.9.1.0, or earlier.
  • You have already applied SUPEE-8788 patch version 1.
  • You want to switch from the SUPEE-1533 patch to the SUPEE-8788 patch.
  • You are upgrading from an earlier Community or Enterprise version of Magento.

Post installation after effects

Once the patch has been installed successfully, check that landing pages load correctly, that payment transactions go through smoothly, and that shipping and the CMS panel work. Additionally, this patch affects other areas as well, such as downloadable products, admin pages, file upload, CMS, page sessions, and more.

The various challenges involved

Running PHP version 5.6 or older will prevent you from logging in to the Magento Admin; the root cause is the function hash_equals(). Additionally, the patch will fail to apply to app/code/core/Mage/Adminhtml/controllers/DashboardController.php if another patch such as SUPEE-1533 has already been applied. Other problems that users have faced are quoted below:

“There are no frontend templates involved” – is not correct for older Magento versions. For example the 1.7.0.2 patch changes 9 frontend/base/default template files. – Kristof at Fooman

For anyone having problems with the .swf updates of the patch, I simply removed lines 5951-9818 from the patch and manually removed the .swf files from /skin/adminhtml/default/default/media – since that’s all the patch was doing anyway. – Liam McArthur

I tried both patching and upgrading my Magento to 1.9.3, but magereport still shows that the patch supee8788 is not applied, and credit card hijack detected – Srinivas
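
The two blockers named under "The various challenges involved" (a PHP without hash_equals() and a previously applied SUPEE-1533) can be checked over SSH before patching. The script below is an added example, not part of the original post or of Magento's patch script; the patch log file and its pipe-separated format are assumptions, so pass whatever file your installation uses to record applied patches.

```shell
#!/bin/sh
# Pre-flight checks before applying SUPEE-8788 (added example, not Magento's own script).
# Usage: preflight.sh PATCH_LOG [PHP_BINARY]
# PATCH_LOG lists applied patches, one per line. Assumed format (constructed sample):
#   2016-10-12 09:00:00 UTC | SUPEE-1533 | EE_1.13.0.2 | v1

# Succeeds when patch id $2 is an exact pipe-separated field in log $1,
# so SUPEE-1533 does not match a longer id such as SUPEE-15330.
patch_recorded() {
    [ -r "$1" ] || return 2
    awk -F'|' -v id="$2" '
        { for (i = 1; i <= NF; i++) {
              f = $i; gsub(/^[ \t]+|[ \t]+$/, "", f)
              if (f == id) found = 1 } }
        END { exit !found }' "$1"
}

# Succeeds when the given PHP binary provides hash_equals().
php_has_hash_equals() {
    "$1" -r 'exit(function_exists("hash_equals") ? 0 : 1);'
}

# Runs both checks: 0 = no blocker, 1 = blocker found, 2 = log unreadable.
preflight() {
    pf_log=$1; pf_php=${2:-php}; pf_status=0
    [ -r "$pf_log" ] || { echo "ERROR: cannot read $pf_log" >&2; return 2; }
    if ! php_has_hash_equals "$pf_php"; then
        echo "WARN: hash_equals() unavailable via '$pf_php'; admin login may break after patching"
        pf_status=1
    fi
    if patch_recorded "$pf_log" SUPEE-1533; then
        echo "WARN: SUPEE-1533 is recorded; expect a failure on" \
             "app/code/core/Mage/Adminhtml/controllers/DashboardController.php"
        pf_status=1
    fi
    if patch_recorded "$pf_log" SUPEE-8788; then
        echo "INFO: SUPEE-8788 is already recorded; confirm which version before re-applying"
    fi
    if [ "$pf_status" -eq 0 ]; then echo "OK: no known blockers found"; fi
    return "$pf_status"
}

if [ "$#" -ge 1 ]; then preflight "$@"; else echo "usage: $0 PATCH_LOG [PHP_BINARY]" >&2; fi
```
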

For more such challenges, please contact our Magento developers.