New patch SUPEE-6788: how to apply the patch?

In general, you can apply the patch as all previous ones. Have a look at the official documentation and check this SE post. But yes, there are some additional points you should check when applying this patch. Byte/Hypernode has a nice post about it.

  1. Check if your theme has a custom template/customer/form/register.phtml or custom template/persistent/customer/form/register.phtml. If this is the case, make sure that it includes a form_key.
  2. Check if your theme has a custom layout/customer.xml. If this is the case, make sure to apply the necessary changes from the patch (customer_account_resetpassword has been changed to customer_account_changeforgotten).
  3. Do you use non-standard variables in CMS pages, static blocks or email templates? Then make sure that you whitelist them. See this SE question to learn how to whitelist variables/blocks.
  4. Do you run the cron.php via HTTP? Make sure that you use cron.sh instead. If this is not possible, at least make sure that you call cron.php via CLI PHP. If for some reason you cannot configure a real cronjob and need to run it via HTTP, see this SE question.
  5. Make sure that all your extensions use the "new" admin routing. You can use this n98-magerun plugin to check. You can also use this CLI script. You can also have a look at this related SE question.
    1. When all your extensions use the proper admin routing, make sure to disable "Enable Admin routing compatibility mode" under System - Configuration - Admin - Security.
  6. If you use M2ePro, update it to the latest version since old versions do not work with the new patch.

When updating, make sure that you delete the file dev/tests/functional/.htaccess. It is not present any more in Magento 1.9.2.2. Keeping it means you are still vulnerable.

In any case, check your page with MageReport after updating to see if everything went well.

There is also a technical blog post by Piotr, which describes the critical changes.
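As an added example (not code from the answer above, nor from the Magento project or the check files linked below), a small POSIX shell script that automates points 1 and 2 of the checklist plus the stale dev/tests/functional/.htaccess check. It assumes a stock Magento 1.x directory layout under the path given as its argument; the function names and the base/default exclusion are my own choices.

```shell
#!/bin/sh
# Added example: post-SUPEE-6788 theme and filesystem checks.
# Assumes a Magento 1.x root as $1 (app/design/frontend/..., dev/...).
# Each check prints what it found and returns 1 when something needs fixing.

# Point 1: every custom register.phtml (customer and persistent variants,
# base/default excluded since the patch updates that copy) must post a form_key.
check_register_form_key() {
    root="$1"; rc=0
    for f in $(find "$root/app/design/frontend" \
            -path '*/template/customer/form/register.phtml' -o \
            -path '*/template/persistent/customer/form/register.phtml' 2>/dev/null); do
        case "$f" in */base/default/*) continue ;; esac
        if ! grep -q 'form_key' "$f"; then
            echo "MISSING form_key: $f"; rc=1
        fi
    done
    return $rc
}

# Point 2: a custom customer.xml must no longer reference the old
# customer_account_resetpassword handle (renamed to customer_account_changeforgotten).
check_customer_layout() {
    root="$1"; rc=0
    for f in $(find "$root/app/design/frontend" -path '*/layout/customer.xml' 2>/dev/null); do
        case "$f" in */base/default/*) continue ;; esac
        if grep -q 'customer_account_resetpassword' "$f"; then
            echo "OLD handle customer_account_resetpassword: $f"; rc=1
        fi
    done
    return $rc
}

# The .htaccess removed in 1.9.2.2 must not survive the update.
check_stale_htaccess() {
    if [ -e "$1/dev/tests/functional/.htaccess" ]; then
        echo "STALE: dev/tests/functional/.htaccess still present"; return 1
    fi
    return 0
}

# Runs all checks; returns 0 only when every check passes.
run_supee6788_checks() {
    failed=0
    check_register_form_key "$1" || failed=1
    check_customer_layout "$1"   || failed=1
    check_stale_htaccess "$1"    || failed=1
    return $failed
}

# Usage: sh supee6788-check.sh /path/to/magento
if [ -n "${1:-}" ]; then run_supee6788_checks "$1"; fi
```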


There is a check file which helps you to identify issues: https://github.com/gaiterjones/magento-appsec-file-check

I made a CLI script out of it. https://github.com/Schrank/magento-appsec-file-check


For Nginx, make sure you block access to cron.php and the dev folder. We use this block:

location ~ ^/(app|includes|media/downloadable|pkginfo|report/config.xml|var|magmi|cron.php|dev)/? { deny all; }