Patching shoplift bug vulnerability

May 1, 2015 807 views
Security DigitalOcean Ubuntu


I recently was forwarded the following email regarding vulnerabilities to the Shoplift bug from DigitalOcean support:

I am emailing in regards to this vulnerability notice my supervisor received and forwarded to me (see below):

Hey there,

We have been notified by an external security researcher that your Droplet may be hosting a Magento installation that is vulnerable to the "Shoplift" bug. This bug allows a hacker to take full control of your shop, and we want to provide instructions on how to patch this bug.

You can verify if your site is affected using this site:

If your site is vulnerable, it is critical for you to download and install 2 previously-released security patches. Here are the names of the patches:

SUPEE-5344 - Addresses a potential remote code execution exploit (Added Feb 9, 2015)
SUPEE-1533 - Addresses two potential remote code execution exploits (Added Oct 3, 2014)

Magento Enterprise Edition customers can download the required patches by navigating to the Downloads Tab and then by expanding "Magento Enterprise Edition > Support Patches" in the Magento Support Portal.

If you are using the Open Source Community Edition, you can download the required patches by navigating to The patches can be applied by running the downloaded scripts in the root directory of your Magento installation.

New Droplets based on the DigitalOcean Magento One-Click image have the latest patches installed. You can confirm if your One-Click Droplet already has the patches by checking for the existence of the file /var/www/html/magento/app/etc/applied.patches.list

More information about the issue can be found here:

If you have any questions about how to patch your site please let us know and we'll do our best to help guide you.

DigitalOcean Support

I ran through the suggested checks, and received a determination that our site has this vulnerability. I’ve downloaded the patches in question, but am concerned about how long this process might take, as I am a novice in website administration, especially on DigitalOcean. I don’t want to take our site down if possible. If that isn’t possible, I want to keep the downtime to an absolute minimum. Can someone please provide further guidance on this issue?

Thanks in advance,
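Added example, not part of the original question or the DigitalOcean email: a small POSIX shell check for the applied.patches.list file the email mentions, reporting which of the two named patches are recorded. It assumes the list is plain text with one applied patch per line that contains the patch id as a whole token, defaults to the One-Click path from the email, and uses a constructed sample file so it runs offline.

```shell
#!/bin/sh
# Report whether the two SUPEE patches named in the notice are recorded in
# Magento's applied.patches.list. Assumed format: one patch per line, with the
# patch id (e.g. "SUPEE-5344") present as a whole token on that line.

MAGENTO_ROOT="${MAGENTO_ROOT:-/var/www/html/magento}"   # One-Click default from the email
REQUIRED_PATCHES="SUPEE-5344 SUPEE-1533"

# Usage: check_supee_patches [path-to-applied.patches.list]
# Prints APPLIED/MISSING per patch; returns 0 only when every required patch is present.
check_supee_patches() {
    list="${1:-$MAGENTO_ROOT/app/etc/applied.patches.list}"
    missing=0
    if [ ! -f "$list" ]; then
        echo "no applied.patches.list at $list: treating site as unpatched"
        return 1
    fi
    for p in $REQUIRED_PATCHES; do
        # -w keeps SUPEE-1533 from matching a longer id such as SUPEE-15331
        if grep -qw -- "$p" "$list"; then
            echo "APPLIED  $p"
        else
            echo "MISSING  $p"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample list for an offline run: only SUPEE-5344 is recorded,
# so the check reports SUPEE-1533 as missing and exits non-zero.
SAMPLE_LIST="$(mktemp)"
cat > "$SAMPLE_LIST" <<'EOF'
2015-02-10 10:15:02 UTC | SUPEE-5344 | CE_1.9.1.0 | v1 | constructed sample line
EOF

check_supee_patches "$SAMPLE_LIST" || echo "site still needs patching"
rm -f "$SAMPLE_LIST"
```

On the Droplet, run `check_supee_patches` with no argument to inspect the real file at the One-Click path.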

2 Answers

Installing the patch should cause little if any downtime as it simply needs to update the affected files.

Thanks for your response, ryanpq. That's reassuring to know. Nothing in the documentation indicated anything about restarting the Droplet afterward. However, should I do it anyway?
