Patching shoplift bug vulnerability
I was recently forwarded the following email from DigitalOcean support regarding the Shoplift bug vulnerability:
I am emailing in regard to this vulnerability notice my supervisor received and forwarded to me (see below):
We have been notified by an external security researcher that your Droplet xxx.com may be hosting a Magento installation that is vulnerable to the “Shoplift” bug. This bug allows a hacker to take full control of your shop, and we want to provide instructions on how to patch this bug.
You can verify if your site is affected using this site: http://do.co/magentobugtester
If your site is vulnerable, it is critical for you to download and install 2 previously-released security patches. Here are the names of the patches:
SUPEE-5344 - Addresses a potential remote code execution exploit (Added Feb 9, 2015)
SUPEE-1533 - Addresses two potential remote code execution exploits (Added Oct 3, 2014)
Magento Enterprise Edition customers can download the required patches by navigating to the Downloads Tab and then by expanding “Magento Enterprise Edition > Support Patches” in the Magento Support Portal https://www.magentocommerce.com/products/downloads/.
If you are using the Open Source Community Edition, you can download the required patches by navigating to https://www.magentocommerce.com/products/downloads/magento/. The patches can be applied by running the downloaded scripts in the root directory of your Magento installation.
New Droplets based on the DigitalOcean Magento One-Click image have the latest patches installed. You can confirm if your One-Click Droplet already has the patches by checking for the existence of the file
More information about the issue can be found here: http://blog.checkpoint.com/2015/04/20/analyzing-magento-vulnerability/
If you have any questions about how to patch your site please let us know and we’ll do our best to help guide you.
I ran through the suggested checks, and received a determination that our site has this vulnerability. I’ve downloaded the patches in question, but am concerned about how long this process might take, as I am a novice in website administration, especially on DigitalOcean. I don’t want to take our site down if possible. If that isn’t possible, I want to keep the downtime to an absolute minimum. Can someone please provide further guidance on this issue?
Thanks in advance,
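The notice says the two patches are applied by running the downloaded scripts in the root of the Magento installation, and the question is how to do that safely with as little downtime as possible. The shell script below is an added example written for this page; it is not DigitalOcean's or Magento's own tooling. It assumes a Magento 1.x tree in which the official SUPEE patch scripts record each applied patch as a line in app/etc/applied.patches.list, and that you pass in the Magento root and the path to the downloaded .sh file yourself. The names BACKUP_DIR, BACKUP_PATHS, patch_applied and apply_patch are chosen here, and the applied.patches.list line in the demo is constructed, not copied from a real server.

```shell
#!/bin/sh
# Added example for this thread, not DigitalOcean's or Magento's code.
# Assumptions (not stated on the page): Magento 1.x layout, official SUPEE
# patch scripts that append a line for each patch to app/etc/applied.patches.list,
# and a caller that supplies the Magento root and the downloaded script path.

# Where apply_patch stores its pre-patch backup; override per environment.
BACKUP_DIR="${BACKUP_DIR:-/var/backups/magento}"
# Trees to back up before patching. The SUPEE .sh files are shell wrappers
# around a unified diff, so read one to see which paths it touches and widen
# this list if it goes outside app/.
BACKUP_PATHS="${BACKUP_PATHS:-app}"

# patch_applied ROOT PATCH_ID
# Succeeds (exit 0) when PATCH_ID appears as a whole token in the applied list.
# grep -w keeps SUPEE-153 from matching SUPEE-1533 and SUPEE-5344 from SUPEE-53440.
patch_applied() {
    root="$1"; patch_id="$2"
    list="$root/app/etc/applied.patches.list"
    [ -f "$list" ] || return 1
    grep -wq "$patch_id" "$list"
}

# apply_patch ROOT PATCH_ID SCRIPT
# Runs SCRIPT with ROOT as the working directory only when PATCH_ID is not yet
# recorded, takes a file backup first, and checks the patch recorded itself.
apply_patch() {
    root="$1"; patch_id="$2"; script="$3"
    if patch_applied "$root" "$patch_id"; then
        echo "$patch_id: already applied, skipping"
        return 0
    fi
    [ -f "$script" ] || { echo "$patch_id: patch script $script not found" >&2; return 1; }
    mkdir -p "$BACKUP_DIR" || return 1
    # Plain tar (no gzip dependency); $BACKUP_PATHS is deliberately unquoted so
    # it can list several trees.
    tar -cf "$BACKUP_DIR/before-$patch_id-$(date +%Y%m%d%H%M%S).tar" -C "$root" $BACKUP_PATHS || return 1
    # The official scripts expect to be run from inside the Magento root.
    ( cd "$root" && sh "$script" ) || { echo "$patch_id: patch script failed" >&2; return 1; }
    if patch_applied "$root" "$patch_id"; then
        echo "$patch_id: applied and recorded"
    else
        echo "$patch_id: script ran but did not record itself; inspect $root/app/etc" >&2
        return 1
    fi
}

# Demo against a constructed, throwaway Magento-like tree (not a real server):
# one patch already listed, one missing.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/app/etc"
    # Constructed line in the style of applied.patches.list; the field layout is illustrative.
    echo '2014-10-10 10:00:00 UTC | SUPEE-1533 | CE | 1.9.0.1 | v1 | constructed-demo' \
        > "$tmp/app/etc/applied.patches.list"
    for id in SUPEE-1533 SUPEE-5344; do
        if patch_applied "$tmp" "$id"; then
            echo "$id: applied"
        else
            echo "$id: MISSING - apply it"
        fi
    done
    rm -rf "$tmp"
}

demo
```

Run patch_applied first for both IDs from the notice to confirm what the tester site found, then apply_patch with the downloaded script for each one still missing. Applying a SUPEE patch edits files in place and takes seconds, so the shop does not have to be stopped; if you prefer to close it for that window, Magento 1 serves its maintenance page while a file named maintenance.flag exists in the root, so create it before apply_patch and delete it afterwards.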