Undefined index: form_key in ... downloader/Maged/Model/Session.php on line 252
Form key validation in Magento Connect has been added in SUPEE-6285. The form key input has been added to the following templates in /downloader
:
- downloader/template/connect/packages.phtml
- downloader/template/connect/packages_prepare.phtml
- downloader/template/login.phtml
- downloader/template/settings.phtml
Since you obviously get requests to the downloader without form key, I see the following possible reasons:
- you did not patch one of the above files. This is unlikely because if the patch script cannot patch one file, the whole patch fails
- you have added a custom form pointing to the downloader somewhere
- somebody tries to attack your shop (for example with brute force login) but the form key prevents it
If it is (1) or (2) should be easy to find out because you should know about unpatched files or additional templates.
If not, check your server's access log at the times where this error comes to see what kind of request it is and from which IP it comes. Also look for other malicious requests around it.
And since it is possible that you already got hacked before the patch was applied, examine your installation carefully for:
- unknown admin accounts
- added extensions
- added PHP files (especially hidden in non-source folders like
/media
and/var
)
See also:
- Magento hacked even after applied patch
- How can I tell if a corrupt image file is being used for credit card skimming?