WebCitz Blog


Magento Security Updates

Magento is releasing new updates to increase product security and functionality. The releases contain over 15 security enhancements and Magento 2.x updates that also address image resizing and MasterCard BIN number expansion. We strongly recommend that merchants upgrade to these versions as soon as possible.

Multiple Critical Security Enhancements
These releases include multiple critical security enhancements. The updates also help close access control bypass, CSRF, and authenticated Admin user remote code execution vulnerabilities.

MasterCard recently added a new series of Bank Identification Numbers (BIN). While certain Magento versions already support the new BINs, merchants using the following versions must upgrade or apply a patch by June 30, 2017 or face potential fines from MasterCard and lost sales.

The affected versions are:

  • Magento EE 2.1.2 or earlier
  • Magento EE 2.0.x releases
  • Magento EE 1.14.2.x releases or earlier
  • Magento CE 1.9.2.x releases or earlier

Image Resizing Changes
Certain image resizing changes introduced in Magento 2.1.6 caused unanticipated problems. Magento has reverted these changes in this release and will provide improvements to image resizing in a future product update. Additional information you may need when upgrading from Magento 2.1.6 or 2.1.5 is in the Magento 2.1.7 EE release notes. Otherwise, we can help upgrade your Magento website.

The latest versions of Magento CE and EE are as follows:

  • Magento CE 2.1.7
  • Magento EE 2.1.7
  • Magento CE 2.0.14
  • Magento EE 2.0.14
  • Magento CE 1.9.3.3
  • Magento EE 1.14.3.3

Magento’s Browse Image and Upload Files Button Missing

If you are a Google Chrome user and noticed the Browse Files and Upload Files buttons are missing when attempting to upload images to your products then we may have a solution for you! In recent changes to Google Chrome, Flash-based content has to be manually authorized in the Content settings of Google Chrome. Newer Magento versions do not have this issue as the Flash uploader was replaced with an updated system, but if you are still on an older Magento version this might be helpful to you.

  • In Google Chrome, visit this URL: chrome://settings/content
  • That should take you to the settings area and show you a popup window of “Content” settings.
  • Scroll down to the “Flash” section and click “Manage exceptions…”
  • Scroll down to the bottom where there is an empty input box and type in “https://[*.]www.domainname.com:443” without the quotes.

Note: The above URL assumes you utilize HTTPS and the www subdomain. Please adjust accordingly. If you don’t use HTTPS then change the 443 port to 80, in addition to removing the “S” on HTTPS.


Upgrade to Magento 1.9.3.2 via SSH

This Magento upgrade tutorial guides you through upgrading your Magento installation from 1.4+ to 1.9.3.2, which was released on Feb 7, 2017. For the purpose of this tutorial, we will assume you have SSH access on your hosting account. You should always create a backup of your entire website and database before proceeding with an upgrade, and never perform these steps on a live store. Please be sure to obtain updated files from the authors of any Magento extensions you have installed on your website.

NOTE: This update includes SUPEE-5344, SUPEE-5994, SUPEE-6237, SUPEE-6285, SUPEE-6482, SUPEE-6788, SUPEE-7616, SUPEE-7405, SUPEE-7405 v1.1, SUPEE-8788, SUPEE-9652.

  1. Change to your Magento installation directory:
    (swap “username” below for your account’s username, or change the entire path to match the absolute path of your installation)

    cd /home/username/public_html
  2. Download Magento 1.9.3.2 from https://www.magentocommerce.com/download (click Release Archive tab)
    You can select tar.gz or zip for an archive format.
  3. Upload the archive to the base folder of your Magento installation
  4. Extract the archive:
    tar -zxvf magento-1.9.3.2.tar.gz
    or
    unzip magento-1.9.3.2.zip
  5. Change to the directory created during extraction:
    cd magento
  6. Turn off file replacement prompts:
    unalias cp
  7. Copy the Magento 1.9.3.2 files over your existing files:
    cp -rf * ../
  8. Change back to your Magento installation directory:
    cd ..
  9. Remove the extracted folder:
    rm -rf magento
  10. Optional: CHMOD all files to 644:
    find . -type f -name '*.*' -exec chmod 644 {} \;
    Optional: CHMOD all folders to 755:
    find . -type d -exec chmod 755 {} \;
    Optional: CHOWN all files/folders:
    chown -R username:username *

Magento 2.1.3 Released

Magento Community Editions 2.1.3 and 2.0.11 are now available on Magento’s website. This update features new payment functionality, accelerated performance, and enhanced product quality.

  • Streamlined checkouts with saved PayPal accounts
  • Lower chargebacks with the ability to customize credit card statement descriptions
  • Faster Admin performance when managing configurable products with many variations
  • Optimized compilation and static asset creation for better performance
  • And much more

Upgrade to Magento 1.9.3.1 via SSH

This Magento upgrade tutorial guides you through upgrading your Magento installation from 1.4+ to 1.9.3.1, which was released on Nov 14, 2016. For the purpose of this tutorial, we will assume you have SSH access on your hosting account. You should always create a backup of your entire website and database before proceeding with an upgrade, and never perform these steps on a live store. Please be sure to obtain updated files from the authors of any Magento extensions you have installed on your website.

NOTE: This update includes SUPEE-5344, SUPEE-5994, SUPEE-6237, SUPEE-6285, SUPEE-6482, SUPEE-6788, SUPEE-7616, SUPEE-7405, SUPEE-7405 v1.1, SUPEE-8788. The main difference between 1.9.3 and 1.9.3.1 is that a few bug fixes were put in place with the recent addition of the SUPEE-8788 patch applied to version 1.9.3.

  1. Change to your Magento installation directory:
    (swap “username” below for your account’s username, or change the entire path to match the absolute path of your installation)

    cd /home/username/public_html
  2. Download Magento 1.9.3.1 from https://www.magentocommerce.com/download
    You can select tar.gz or zip for an archive format.
  3. Upload the archive to the base folder of your Magento installation
  4. Extract the archive:
    tar -zxvf magento-1.9.3.1.tar.gz
    or
    unzip magento-1.9.3.1.zip
  5. Change to the directory created during extraction:
    cd magento
  6. Turn off file replacement prompts:
    unalias cp
  7. Copy the Magento 1.9.3.1 files over your existing files:
    cp -rf * ../
  8. Change back to your Magento installation directory:
    cd ..
  9. Remove the extracted folder:
    rm -rf magento
  10. Optional: CHMOD all files to 644:
    find . -type f -name '*.*' -exec chmod 644 {} \;
    Optional: CHMOD all folders to 755:
    find . -type d -exec chmod 755 {} \;
    Optional: CHOWN all files/folders:
    chown -R username:username *

Upgrade to Magento 1.9.3 via SSH

This Magento upgrade tutorial guides you through upgrading your Magento installation from 1.4+ to 1.9.3, which was released on Oct 11, 2016. For the purpose of this tutorial, we will assume you have SSH access on your hosting account. You should always create a backup of your entire website and database before proceeding with an upgrade, and never perform these steps on a live store. Please be sure to obtain updated files from the authors of any Magento extensions you have installed on your website.

NOTE: This update includes SUPEE-5344, SUPEE-5994, SUPEE-6237, SUPEE-6285, SUPEE-6482, SUPEE-6788, SUPEE-7616, SUPEE-7405, SUPEE-7405 v1.1, SUPEE-8788.

  1. Change to your Magento installation directory:
    (swap “username” below for your account’s username, or change the entire path to match the absolute path of your installation)

    cd /home/username/public_html
  2. Download Magento 1.9.3 from https://www.magentocommerce.com/download
    You can select tar.gz or zip for an archive format.
  3. Upload the archive to the base folder of your Magento installation
  4. Extract the archive:
    tar -zxvf magento-1.9.3.tar.gz
    or
    unzip magento-1.9.3.zip
  5. Change to the directory created during extraction:
    cd magento
  6. Turn off file replacement prompts:
    unalias cp
  7. Copy the Magento 1.9.3 files over your existing files:
    cp -rf * ../
  8. Change back to your Magento installation directory:
    cd ..
  9. Remove the extracted folder:
    rm -rf magento
  10. Optional: CHMOD all files to 644:
    find . -type f -name '*.*' -exec chmod 644 {} \;
    Optional: CHMOD all folders to 755:
    find . -type d -exec chmod 755 {} \;
    Optional: CHOWN all files/folders:
    chown -R username:username *

Magento Block Permissions

We have had several customers who recently upgraded their websites to the latest Magento CE version report broken or missing areas within their websites. These issues, when sparked by a recent upgrade, are typically related to a new security feature called block permissions. If you have logging enabled you should be able to see something like the following in the system.log file.

Security problem: something/something has not been whitelisted

The simple fix is to allow that block in System > Permissions > Block Permissions from the Magento admin area. You can see in the image below that catalog/product_list_random on a customer’s installation was added to the whitelist.

[Image: Magento Block Permissions]
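To see every block type that was rejected rather than spotting them one at a time, the log message above can be extracted and counted. This is an added example, not part of the original post; the sample log lines are constructed and `examplevendor/widget_banner` is a hypothetical block name.

```shell
#!/usr/bin/env bash
# Added example: list block types that Magento refused to render.
# SAMPLE_LOG is constructed sample data in a typical var/log/system.log
# layout; examplevendor/widget_banner is a hypothetical block name.
SAMPLE_LOG='2016-10-12T14:03:22+00:00 DEBUG (7): Security problem: catalog/product_list_random has not been whitelisted.
2016-10-12T14:03:25+00:00 ERR (3): Warning: include(): Failed opening file
2016-10-12T14:04:01+00:00 DEBUG (7): Security problem: catalog/product_list_random has not been whitelisted.
2016-10-12T14:05:47+00:00 DEBUG (7): Security problem: examplevendor/widget_banner has not been whitelisted.'

# blocked_blocks [FILE]: read a system.log (or stdin) and print
# "<count> <block type>" for every rejected block, most frequent first.
blocked_blocks() {
    sed -n 's/.*Security problem: \([^ ]*\) has not been whitelisted.*/\1/p' "$@" |
        sort | uniq -c | sort -k1,1nr -k2 | awk '{ print $1, $2 }'
}

# On a store: blocked_blocks var/log/system.log
printf '%s\n' "$SAMPLE_LOG" | blocked_blocks
```

Add only the names that your own CMS pages, static blocks or email templates actually reference; an entry you cannot trace to your content is worth investigating before it goes on the whitelist.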


Upgrade to Magento 1.9.2.4 via SSH

This Magento upgrade tutorial guides you through upgrading your Magento installation from 1.4+ to 1.9.2.4, which was released on Feb 23, 2016. For the purpose of this tutorial, we will assume you have SSH access on your hosting account. You should always create a backup of your entire website and database before proceeding with an upgrade, and never perform these steps on a live store. Please be sure to obtain updated files from the authors of any Magento extensions you have installed on your website.

NOTE: This update includes SUPEE-5344, SUPEE-5994, SUPEE-6237, SUPEE-6285, SUPEE-6482, SUPEE-6788, SUPEE-7616, SUPEE-7405 and SUPEE-7405 v1.1.

  1. Change to your Magento installation directory:
    (swap “username” below for your account’s username, or change the entire path to match the absolute path of your installation)

    cd /home/username/public_html
  2. Download Magento 1.9.2.4 from https://www.magentocommerce.com/download
    You can select tar.gz or zip for an archive format.
  3. Upload the archive to the base folder of your Magento installation
  4. Extract the archive:
    tar -zxvf magento-1.9.2.4.tar.gz
    or
    unzip magento-1.9.2.4.zip
  5. Change to the directory created during extraction:
    cd magento
  6. Turn off file replacement prompts:
    unalias cp
  7. Copy the Magento 1.9.2.4 files over your existing files:
    cp -rf * ../
  8. Change back to your Magento installation directory:
    cd ..
  9. Remove the extracted folder:
    rm -rf magento
  10. Optional: CHMOD all files to 644:
    find . -type f -name '*.*' -exec chmod 644 {} \;
    Optional: CHMOD all folders to 755:
    find . -type d -exec chmod 755 {} \;
    Optional: CHOWN all files/folders:
    chown -R username:username *

Upgrade to Magento 1.9.2.3 via SSH

This Magento upgrade tutorial guides you through upgrading your Magento installation from 1.4+ to 1.9.2.3, which was released on Jan 20, 2016. For the purpose of this tutorial, we will assume you have SSH access on your hosting account. You should always create a backup of your entire website and database before proceeding with an upgrade, and never perform these steps on a live store. Please be sure to obtain updated files from the authors of any Magento extensions you have installed on your website.

NOTE: This update includes SUPEE-5344, SUPEE-5994, SUPEE-6237, SUPEE-6285, SUPEE-6482, SUPEE-6788, SUPEE-7616, SUPEE-7405.

  1. Change to your Magento installation directory:
    (swap “username” below for your account’s username, or change the entire path to match the absolute path of your installation)

    cd /home/username/public_html
  2. Download Magento 1.9.2.3 from https://www.magentocommerce.com/download
    You can select tar.gz or zip for an archive format.
  3. Upload the archive to the base folder of your Magento installation
  4. Extract the archive:
    tar -zxvf magento-1.9.2.3.tar.gz
    or
    unzip magento-1.9.2.3.zip
  5. Change to the directory created during extraction:
    cd magento
  6. Turn off file replacement prompts:
    unalias cp
  7. Copy the Magento 1.9.2.3 files over your existing files:
    cp -rf * ../
  8. Change back to your Magento installation directory:
    cd ..
  9. Remove the extracted folder:
    rm -rf magento
  10. Optional: CHMOD all files to 644:
    find . -type f -name '*.*' -exec chmod 644 {} \;
    Optional: CHMOD all folders to 755:
    find . -type d -exec chmod 755 {} \;
    Optional: CHOWN all files/folders:
    chown -R username:username *

Upgrade to Magento 1.9.2.2 via SSH

This Magento upgrade tutorial guides you through upgrading your Magento installation from 1.4+ to 1.9.2.2, which was released on Oct 27, 2015. For the purpose of this tutorial, we will assume you have SSH access on your hosting account. You should always create a backup of your entire website and database before proceeding with an upgrade, and never perform these steps on a live store. Please be sure to obtain updated files from the authors of any Magento extensions you have installed on your website.

NOTE: This update includes SUPEE-5344, SUPEE-5994, SUPEE-6237, SUPEE-6285, SUPEE-6482, SUPEE-6788.

  1. Change to your Magento installation directory:
    (swap “username” below for your account’s username, or change the entire path to match the absolute path of your installation)

    cd /home/username/public_html
  2. Download Magento 1.9.2.2 from https://www.magentocommerce.com/download
    You can select tar.gz or zip for an archive format.
  3. Upload the archive to the base folder of your Magento installation
  4. Extract the archive:
    tar -zxvf magento-1.9.2.2.tar.gz
    or
    unzip magento-1.9.2.2.zip
  5. Change to the directory created during extraction:
    cd magento
  6. Turn off file replacement prompts:
    unalias cp
  7. Copy the Magento 1.9.2.2 files over your existing files:
    cp -rf * ../
  8. Change back to your Magento installation directory:
    cd ..
  9. Remove the extracted folder:
    rm -rf magento
  10. Optional: CHMOD all files to 644:
    find . -type f -name '*.*' -exec chmod 644 {} \;
    Optional: CHMOD all folders to 755:
    find . -type d -exec chmod 755 {} \;
    Optional: CHOWN all files/folders:
    chown -R username:username *
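
A follow-up check for the optional permission commands in step 10 of the upgrade tutorials above, added here and not part of the original posts: it lists anything still not at 644/755 and anything world-writable. It assumes GNU find; the demo tree and the `dbdump` file name are constructed.

```shell
#!/usr/bin/env bash
# Added example: report anything under a Magento root whose mode differs from
# the 644 (files) / 755 (folders) targets used in step 10.
# Assumes GNU find (-printf), as found on typical Linux hosting.

# audit_modes DIR: print "<mode> <type> <path>" for each mismatch.
audit_modes() {
    local root=${1:-.}
    find "$root" \( -type f ! -perm 644 -o -type d ! -perm 755 \) \
        -printf '%m %y %p\n' | sort -k3
}

# world_writable DIR: files or folders any local user could modify.
world_writable() {
    local root=${1:-.}
    find "$root" \( -type f -o -type d \) -perm -0002 -print | sort
}

# Constructed demo tree standing in for a store root.
demo_tree() {
    local d
    d=$(mktemp -d) || return 1
    mkdir -p "$d/app/etc" "$d/media"
    touch "$d/index.php" "$d/app/etc/local.xml" "$d/dbdump"
    chmod 755 "$d" "$d/app" "$d/app/etc"
    chmod 644 "$d/index.php"
    chmod 666 "$d/app/etc/local.xml"   # leftover loose mode
    chmod 777 "$d/media"               # leftover loose mode
    chmod 666 "$d/dbdump"              # hypothetical file, no dot in its name
    printf '%s\n' "$d"
}

tree=$(demo_tree)
# The file and folder commands from step 10, run against the demo tree.
find "$tree" -type f -name '*.*' -exec chmod 644 {} \;
find "$tree" -type d -exec chmod 755 {} \;
audit_modes "$tree"       # only "dbdump" is left: -name '*.*' skipped it
world_writable "$tree"
rm -rf "$tree"
```

Because the file command only matches names containing a dot, extensionless files keep whatever mode they had; run `audit_modes .` from the store root after step 10 to catch them.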