Magento Version 1.1.4 Security Update

Magento Version 1.1.4 is now available. This version includes two security updates for Magento 1.1.x and is available through SVN, Download Page and through the Magento Connect Manager.

If you are using Magento Version 1.1.x we highly recommend upgrading as soon as possible to Magento 1.1.4. If you are using the Magento Connect Manager to upgrade, you should only upgrade Mage_All_Latest package. This package will upgrade all the needed packages.

Note: We do not recommend upgrading Magento directly on a production environment.

The Magento version 1.1.5 release is scheduled for later this month. Version 1.1.5 will include many bug fixes for Magento 1.1.x. We will announce the final date of release as it becomes current. 

RSS comments feed for this entry

User Comments

  1. Aleksander Andrijenko

    1Aleksander Andrijenko |posted September 2 2008

    Thanks for Update!

  2. Flicker

    2Flicker |posted September 2 2008

    Thanks wink

  3. Kerry Hatcher

    3Kerry Hatcher from Macon, GA|posted September 2 2008

    Could you include a list of fixes (i.e. bug tracker numbers)? I really appreciate your quick releases but a link to a details page would be really helpful.


  4. Rinso

    4Rinso from Netherlands, The|posted September 2 2008

    Thanks Magento Team, Varien and Community for this update!

  5. Unic

    5Unic from Zürich, Switzerland|posted September 2 2008

    Which have been the security issues?

  6. RoyRubin

    6RoyRubin from Los Angeles, CA|posted September 2 2008

    For security reasons, we do not intend to publicly outline the issues that have been addressed in this critical release.

  7. Dustin

    7Dustin from Columbus, OH|posted September 2 2008

    I think it is great that you will not be disclosing what was fixed in critical releases. It is good security to all of us who use Magento.

  8. Yaeger4

    8Yaeger4 |posted September 2 2008

    I second that… keep it a secret…

  9. i960

    9i960 from Bakersfield, CA|posted September 2 2008

    It’s really not hard to figure out what was changed. It’s nice to see you guys take security seriously though.  Much appreciated.  cool smile

  10. notzippy

    10notzippy |posted September 2 2008

    I am assuming I do not have to update my customized templates for this to take affect ? Is that correct ?

  11. YoavKutner

    11YoavKutner |posted September 2 2008

    @notzippy - templates should not be affected if you are upgrading from 1.1.3 to 1.1.4.



  12. shopnz

    12shopnz |posted September 2 2008

    Thanks Yoav, upgrade went great and template was not changed

  13. WebAddict

    13WebAddict from Chandler, AZ|posted September 2 2008

    How do you recommend to upgrade if you do not recommend upgrading Magento directly on a production environment?

  14. BenderDSP

    14BenderDSP from Slatersville, Rhode Island|posted September 2 2008

    Awesome!  I love knowing security is such a priority with software like this! smile


  15. gamelodge

    15gamelodge from Brisbane, Qld, Australia|posted September 2 2008

    Note: We do not recommend upgrading Magento directly on a production environment.

    Does this mean I should not upgrade my production version? - ? - help?

  16. BenderDSP

    16BenderDSP from Slatersville, Rhode Island|posted September 3 2008

    Copy your current installation, update it manually, or run magento connect.  If the update is a success make sure that everything checks out ok and then migrate it to your production installation or just upgrade the production installation itself. smile

  17. riddle930

    17riddle930 |posted September 3 2008

    mmm… ok.. for someone who’s had some very bad experiences so far with magento connect, could someone please tell me how i would go about updating from 1.1.3 to 1.1.4 using the manager.. and more precisely, where to get the key from!?

  18. mjohnsonperl

    18mjohnsonperl from Carthage, MO|posted September 3 2008

    the key can be found by doing a search for “magento ugprade” on the Magento website, then going to the wiki article describing different methods of upgrading.

    The key is magento-core/Mage_All_Latest to upgrade from Magento connect.

  19. JLHC

    19JLHC from Tampa, FL|posted September 3 2008

    Glad that an upgrade to patch the security issues is available. Great job and kudos to the Magento Team! wink

  20. rack::SPEED

    20rack::SPEED |posted September 3 2008

    Successfully tested in production environment. Thank you!

  21. Vee

    21Vee from Western Australia|posted September 3 2008

    I have to ask, what is the value of having a system like Magento Connect if it’s not recommended to use in a production environment?

    Is there a changed files archive available instead?


    22CENOBITE |posted September 3 2008

    Upgrade went smoothly, no problems encountered so far.

  23. redpen

    23redpen |posted September 3 2008

    Update went smoothly for me too, thanks for the prompt response.

  24. Sensi

    24Sensi from Paris, France|posted September 3 2008

    Ty to our beloved devs! wink

  25. Web_Addict

    25Web_Addict from Paris, France|posted September 3 2008

    updated with success ... nice job !

  26. MichalL

    26MichalL from Kraków|posted September 3 2008

    I used magento-core/Mage_All_Latest and got following errors… :(

    magento-core/Mage_All_Latest requires package “magento-core/Mage_Core_Modules” (version >= 1.1.4, version <= 1.2, excluded versions: 1.2), installed version is 1.1.3
    magento-core/Mage_All_Latest requires package “magento-core/Mage_Core_Adminhtml” (version >= 1.1.4, version <= 1.2, excluded versions: 1.2), installed version is 1.1.3
    Install Errors
    No valid packages found

    But I can still update separate packages (Mage_Core_Modules, Mage_Core_Adminhtml).

  27. Steven Berg

    27Steven Berg |posted September 3 2008

    "For security reasons, we do not intend to publicly outline the issues that have been addressed in this critical release.”

    “I second that… keep it a secret… “

    It’s not a secret. Anybody can review the changelog, svn log, do a diff on the old and new versions to see what’s changed, etc. Not putting the information in the announcement is useless obfuscation.

  28. Gui

    28Gui |posted September 3 2008

    Update those packages first and then install the key.  Next time you will only have to update that key.

  29. pluc

    29pluc |posted September 3 2008

    While I do agree that Security by Obscurity is the best security, some of us have customized Magento’s core and need to know what changed. I personally won’t upgrade any of my sites to 1.1.4 until I hear what has changed. I won’t waste time making a diff of the core.

  30. obione

    30obione from France|posted September 3 2008

    update with success too.

  31. Kerry Hatcher

    31Kerry Hatcher from Macon, GA|posted September 3 2008

    Got this non-descript error. Now my menus don’t work. I do have a heavily customized frontend but no changes to the core.

  32. Lee Saferite

    32Lee Saferite from Lake City, FL|posted September 3 2008

    Well, the fact that Varien is mum on the security update worries me.  I did a diff and it looks like they have an exploit allowing record deletion from non-admin areas.  But, the diff isn’t the whole story of course.  They just slapped a band-aid on a problem without telling us WHAT the problem is.  I’m concerned that my modules may be vulnerable now, but have no idea where the attack is coming from.

    Check the new method they added in Mage_Core_Model_Abstract called _protectFromNonAdmin().  They went back and added a call to this in a significant number of their model objects.  For example, look at Mage_Sales_Model_Order::_beforeDelete()

    And security through obscurity is not really security.

  33. Eric Bartels

    33Eric Bartels from Near cologne|posted September 3 2008

    @Lee Saferite
    I made the same observations and I’m coming to the same conclusion ...

    I’m really disappointed by the way this issue is handled! Information is a must in this case!

  34. redpen

    34redpen |posted September 3 2008

    @Lee Saferite
    Surely if they’ve fixed the security issue they could tell us what it was, right?

  35. Lee Saferite

    35Lee Saferite from Lake City, FL|posted September 3 2008


    Yes and No.  Yes because the ‘fixed’ it but no because how many people are still out there with vulnerable systems.  My issue is with the finality of the ‘no’ they gave about what the problem was and not making suggestion for securing our code.

    I need more coffee, this has really gotten me pissed off this morning.

  36. redpen

    36redpen |posted September 3 2008

    @Lee Saferite

    Good point, fair enough.

  37. Dustin

    37Dustin from Columbus, OH|posted September 3 2008

    @redpen, @Eric Bartels, @Lee Saferite

    Just because they fixed the security issue on their end does not mean that everyone running magento is now protected. If they posted what it was in this original announcement do you know how many sites would be open for exploit? All sites featured on the blog, any site address that has been given in the forum and some creative searches on google can return quite a few stores as well.

  38. BenderDSP

    38BenderDSP from Slatersville, Rhode Island|posted September 3 2008

    It’d be nice to be in the know, but for the sake of the other stores that are still running versions with the exploit, well we’re just going to have to sit with it. smile

  39. Lee Saferite

    39Lee Saferite from Lake City, FL|posted September 3 2008


    Issuing a critical security fix and not even mentioning ANYTHING about what was fixed is dumb.  You can tell what was fixed without telling how to exploit it.  So, should I feel safe now that my magento install is 1.1.4?  What about my local code, is it vulnerable?  Maybe we should all just submit our code to varien so they can address the issue for us.  I mean, who cares what the problem is, as long as you don’t know what it is, it cannot hurt you, right?

    Now, this could easily be a problem only in the Mage core and not affecting the entire system (local code included), but we don’t really know, do we?


  40. WhoIsGregg

    40WhoIsGregg from Tampa, Florida|posted September 3 2008

    First, thank you for putting out such a great piece of software. I “discovered” Magento for the first time yesterday and am certain it is going to be very helpful for an upcoming project. When I signed into my admin screen and saw the security update I was looking forward to seeing how these issues are handled. The update process was brilliantly simple but I’d prefer to see basic details disclosed about the vulnerability.

    > For security reasons, we do not intend to publicly outline the issues that have been addressed in this critical release.

    I disagree with security through obscurity, especially for an open source project where, by definition, anyone can see all the source code. Open source projects benefit from peer review. Basic details of the security issue allow friendly contributors to help locate other similar issues that may still exist in the project.

    As previously mentioned, it’s trivial for anyone (friend, foe, frenemy, or froe) to go into the subversion repository and compare revisions to determine the issue. For example, a diff on recently updated files makes it look like there was a function added during delete operations.

    I don’t know if that has anything to do with this security update, but if I was an enemy I would assume that it does. Then I’d either look for other places which do not have the new protection in place or look for security holes in the “fix.” Since I can see a pattern in what files were changed in this way, I would have a good idea where to look for similar files that might not have had the patch applied.

    Now, I just spent about an hour doing this research. If I could have skipped the “figure out what the security issue was in the first place,” that hour could have been used helping to make sure the security patch was applied everywhere it needed to be applied, or double checking that the patch would actually solve the problem, or doing some other fruitful work.

    Considering that I was “born yesterday” when it comes to Magento, obscurity didn’t accomplish much in the way of preventing me from determining what has changed. Thankfully I’m mostly harmless. smile

  41. WhoIsGregg

    41WhoIsGregg from Tampa, Florida|posted September 3 2008

    As I already stated, I’m a Magento newbie. But I actually think this patch was applied incorrectly to /app/code/core/Mage/Catalog/Model/Product.php.

    I assume that in situations where _protectFromNonAdmin() would halt the delete action that it should also halt _substractQtyFromQuotes() since that function appears to alter the database.

    The patch would be to move line 376 before lines 374-375.

    Again, I’m new to all this so I might completely misunderstand what’s going on in the _substractQtyFromQuotes() function. HTH…

  42. Lee Saferite

    42Lee Saferite from Lake City, FL|posted September 3 2008


    Haha.  I just submitted a patch for that about 3 minutes ago.  It looks like the worst an attacker could do is annoy you by removing items from shopping carts though.  Although I’m not sure the implications of the cleanCache() call yet.

  43. Lee Saferite

    43Lee Saferite from Lake City, FL|posted September 3 2008

    Of course, removing items from your customer’s shopping cart would impair your ability to sell things.

  44. Kerry Hatcher

    44Kerry Hatcher from Macon, GA|posted September 3 2008

    @WhoIsGregg @Lee Saferite

    I truly love the open source process smile

  45. WhoIsGregg

    45WhoIsGregg from Tampa, Florida|posted September 3 2008

    @Lee Saferite: I don’t know what cleanCache() does… If all it does it clear the cached data for the particular product being worked on then it probably wouldn’t be exploitable. If it clears a lot of cached data then an attacker could use that loophole to slow down a Magento site. Basically they would keep forcing a cache rebuild by hitting the delete call from a non-admin page. (Of course, we don’t know how they would do that, but we can deduce from this security update it’s possible somehow.) Not destructive per se, but slow page loads reduce conversions in online stores.

    @Kerry Hatcher: Imagine how much more we could accomplish if we weren’t all duplicating the effort of sorting out what’s going on with this security update in the first place. wink

  46. Lee Saferite

    46Lee Saferite from Lake City, FL|posted September 3 2008


    From looking at it, it seems like cleanCache() is localized to that product, but I’m not sure how much data is stored in that cache entry. 

    And yeah, I know they could do a DoS if it was a broad spectrum flush. wink

    I’m sitting here going over the code trying to find the possible exploit so I can explain it to my bosses, but no luck yet.  Great way to waste a morning that could have otherwise been productive.

  47. Kerry Hatcher

    47Kerry Hatcher from Macon, GA|posted September 3 2008

    @WholsGregg: I really wish I knew more about what happens during and update (ie what files get changed) I don’t even care what the changes are so much, just that if I made a customization, and my site doesn’t work, I at least know where to start. Right now I’m looking at reinstalling from scratch just because I really don’t feel like spending all day just trying to figure out what got over written.

    Interestingly if you check out the blog page you will see 2 items listed under security updates. The other one goes into detail about the issue and how to fix it.

    O well, looks like we will be pushing back our deployment another couple of weeks while we get this sorted out (and buying our support services from Varien, which we are not doing until we are ready to deploy wink

    @RoyRubin: Would just a file changed list be acceptable?

  48. Lee Saferite

    48Lee Saferite from Lake City, FL|posted September 3 2008

    @Kerry Hatcher

    Try using a diff program that will diff whole directory trees against each other.  WinDiff work in windows if you have it.  The number of changed files is not that big.  Mostly core model files.  They also made some changes for virtual products and ‘virtual’ quotes (paypal?).  Other than that, I didn’t see much else.

  49. Kerry Hatcher

    49Kerry Hatcher from Macon, GA|posted September 3 2008

    I just started a forum topic about this (trying to keep the announcement free of the whole “what should be released argument")

    Feel free to discuss the topic of what should be released there.

    I think we should try to see what the community as a whole would like.


  50. WhoIsGregg

    50WhoIsGregg from Tampa, Florida|posted September 3 2008

    In my case, I had a “clean” checkout of the subversion source code from yesterday, so when I did a checkout today it told me what files were changed:

    U magento/app/Mage.php
    U magento/app/code/core/Mage/Review/Model/Review.php
    U magento/app/code/core/Mage/Customer/Model/Customer.php
    U magento/app/code/core/Mage/Catalog/Model/Product/Compare/Item.php
    U magento/app/code/core/Mage/Catalog/Model/Category.php
    U magento/app/code/core/Mage/Catalog/Model/Product.php
    U magento/app/code/core/Mage/Core/Model/Store.php
    U magento/app/code/core/Mage/Core/Model/Website.php
    U magento/app/code/core/Mage/Core/Model/Abstract.php
    U magento/app/code/core/Mage/Core/Model/Store/Group.php
    U magento/app/code/core/Mage/Sales/Model/Order.php
    U magento/app/code/core/Mage/Sales/Model/Order/Invoice.php
    U magento/app/code/core/Mage/Sales/Model/Order/Shipment.php
    U magento/app/code/core/Mage/Sales/Model/Order/Creditmemo.php
    U magento/app/code/core/Mage/Tag/Model/Tag.php
    U magento/STATUS.txt
    U magento

    The STATUS.txt document actually has two new lines that are helpful, so perhaps details will always be in that file:

    > Added admin area check function into _beforeDelete methods of some models
    > Fixed merging compare lists

    Everything else comes from using BBEdit and Subversion to run diffs against the most recent revision. It’s not hard (iow any hacker could do it) it’s just time consuming (iow why ask your volunteers to do work that’s already been done).

  51. Kerry Hatcher

    51Kerry Hatcher from Macon, GA|posted September 3 2008


    You ever need any help with something you let me know!!!!


  52. WhoIsGregg

    52WhoIsGregg from Tampa, Florida|posted September 3 2008

    @Kerry Hatcher

    Thank you! I’ve moved my ramblings over to the forum thread that you started. smile But I figure this blog is still a good place to discuss details regarding this specific update which brings me to:

    @Lee Saferite

    I’m not seeing the changes related to virtual products or virtual quotes… What files are involved with those?

  53. Kerry Hatcher

    53Kerry Hatcher from Macon, GA|posted September 3 2008


    Are you having problems with those? (sorry to butt in)

  54. Lee Saferite

    54Lee Saferite from Lake City, FL|posted September 3 2008


    Sorry, my mistake.  that’s what happens when you hold of upgrading.  I was comparing 1.1.2 <-> 1.1.4 so please forgive any confusion.


  55. WhoIsGregg

    55WhoIsGregg from Tampa, Florida|posted September 3 2008

    Nope no problems with virtual products. I’m still working my way through the basic configuration of the site. smile

    I just wanted to see if those changes were related to the security update.

  56. Fireburst

    56Fireburst from Seaford, UK|posted September 3 2008

    I ended up with an internal server error when I upgraded using Magento Connect Manager. It’s only a test site so not a problem but the site was a clean install previously and left untouched so a little worrying that the upgrade fell down.

  57. Kerry Hatcher

    57Kerry Hatcher from Macon, GA|posted September 3 2008

    Turns out the error I had (see my earlier posts) was related to a javascript problem that was fixed by this forum topic:

    The last update also had broken the site but the other guy working on our project had fixed it without me knowing it.


  58. eliteeternity

    58eliteeternity |posted September 3 2008

    Warning: file_exists() [function.file-exists]: open_basedir restriction in effect. File(/home) is not within the allowed path(s): (/home/myusername/:/tmp:/usr/local/lib/php/) in /home/myusername/domains/ on line 263

    I’m running two magento stores. One store has the default magento theme, and the other has the modern theme. I get this error when I try to apply this update to the modern theme site. The default theme accepts the update just fine.
    Anybody know what the deal is? Any help would be appreciated

  59. Anton Makarenko

    59Anton Makarenko from Los Angeles, CA|posted September 3 2008

    @Lee Saferite, @Eric Bartels
    1) We determined a security exploit and fixed it.
    2) _protectFromNonAdmin() - this is not the fix. This func will help keeping major models protected in case of similar bug in a community module, for example.
    “Caution is the parent of safety”.

    3) _substractQtyFromQuotes()
    It’s just about database integrity (severity - design improvement), and has no relation to release 1.1.4. Will be moved from Product Model to Sales Observer in future versions.
    I’ll try to explain
    Let’s think in scope of product/quantity/quote - what are these things? In human words, this mean quantity of a position in shopping cart. What happens, if a product deleted? It will be deleted from all carts automatically, by database core. But shopping cart is designed in such a way, that its quantitiy is aggregated. So, we simply reaggregate all shopping carts when a product is deleted.

  60. Webunity

    60Webunity |posted September 4 2008

    “The Magento version 1.1.5 release is scheduled for later this month. Version 1.1.5 will include many bug fixes for Magento 1.1.x. We will announce the final date of release as it becomes current.  “

    First of all; congrats on the 1 year birthday of Magento! Does 1.1.5 involve any updates to the templates that are currently being used?

    One tip: If you can build something like this into the upgrader, it would be very very cool!
    - Whenever an upgrade of the templates is happened, check to see if there are any active custom designs, and compare them to the original templates; give the user a list of the templates that have been changed compared to the version they previously had installed. This would save a lot of time!

  61. harikaram

    61harikaram |posted September 4 2008

    I agree, hiding bug fixes does seem a bit odd.  Isnt the whole premise behind open source software is that the openness *increased* security?

    Happy birthday!  Keep up the fantastic work! Beautiful code and amazingly flexible.  Do you guys want to build a CMS too??

    Hari Karam Singh

  62. CigarLover

    62CigarLover |posted September 4 2008

    Thank you for update!

  63. WhoIsGregg

    63WhoIsGregg from Tampa, Florida|posted September 4 2008

    @Anton Makarenko

    Thank you for explaining the _substractQtyFromQuotes() function. That’s basically what I understood it to be, so I don’t feel too dumb. smile

    > 1) We determined a security exploit and fixed it.
    > 2) _protectFromNonAdmin() - this is not the fix.

    Forgive me if I am misunderstanding anything about this release. I admit I assumed that a critical security update would only contain the fix for that particular security issue. In the future I will check every file, not just a random sampling. smile Now that I’ve checked every updated file, I see there was one file that had a different change applied.

    Is the removal of ->useProductItem(true) on line 83 of /app/code/core/Mage/Catalog/Model/Product/Compare/Item.php the actual fix?

    Unfortunately, I’m not yet familiar with the architecture of Magento so I’m probably going to make myself look rather ignorant… From looking at line 82 setObject() is called to set the $visitorItemCollection object class to “catalog/product_compare_item” then on the next line that object class is overwritten to “catalog/product” by the (now removed) ->useProductItem(true) call?

    There are a couple other instances of Mage::getResourceModel(’catalog/product_compare_item_collection’) being called with ->useProductItem(true). Are those affected by this exploit as well? Or is this solely related to how $visitorItemCollection is used in the bindCustomerLogin() function?

    Thanks in advance for any insight you can provide. smile

  64. Lee Saferite

    64Lee Saferite from Lake City, FL|posted September 4 2008

    Ok, now that we figured out what the actual bug was, my company is satisfied that our code is not vulnerable.  However, better communication about bug fixes in the future will prevent us from wasting hours tracking down WHAT the bug was so we can validate that our code is not vulnerable.

    And I still believe you could have explained the bug without explaining the exploit.  Out of respect for your decision I will not give an example and simple hope you explain the next security bug.

  65. lisali

    65lisali from London, UK|posted September 4 2008


    Thanks for the update. But it will not update through Magento Connect. It just gets stuck after having downloaded the package and does nothing…

  66. talofo

    66talofo |posted September 5 2008


    Thanks for the update. But, after I made refresh I get this:

    500 Server Error
    The web server encountered an error or misconfiguration and was unable to complete your request. If this error persists, please contact the webmaster, and inform them of the time the error occurred, and anything you might have done that may have caused the error.

    I’ve use Magento Connect to make this update on a fresh new 1.1.3 instaltion.

    I’ve change, on the options available by the installation script of the 1.1.3, the default names for the store. So I have change the /magento/ to /loja/ and the admin to /loja_admin/ could this be THE problem?

    I really have no idea how to solve this now. I even can’t get to admin section.

    I’ve made a backup on the admin section, but how can I use it.

  67. Fireburst

    67Fireburst from Seaford, UK|posted September 5 2008


    The same happened to me when I updated using Magento Connect. The site I updated was only a test site so I did a clean reinstall to fix.

    regarding restoring the backup this thread may help

  68. talofo

    68talofo |posted September 5 2008

    Thanks a lot Fireburst.

    My problem was a permission problem. Somehow the permission set of the index files was changed… I don’t know how, yet. I have change the permissions to LOWER ones, and I will test the script again.

    Lets see how it goes now…

  69. oxygen

    69oxygen |posted September 5 2008


    I had the same problem. I used Magento Connect Manager to upgrade. The status screen went blank after I clicked Install. I waited for 10 min, nothing happened and I decided to return to my Admin page. Luckily, my Admin is still there and my shop is still alive.

    I really don’t know what happened.

    Btw, I was trying to upgrade from 1.1.1 to 1.1.4.

  70. bmanwithab

    70bmanwithab from Dallas, Texas|posted September 5 2008

    can they not just send out a package and we all just upload via ftp to the server like EVERYONE else.  My Magento Connect Manager has not worked since day one.  I put in the key and it says a bunch of stuff at the bottom and then it times out and I am left with the same thing I has 20 minutes prior to even attempting to upgrade.  I still have not upgraded from 1.1.2 because the its so hard to upgrade.  MAYBE that should be in the 1.1.5 release.  EZUPGRADE good name for a new module or whatever.  I think I will go back to Joomla and VM, at least I can upgrade that one.

  71. Kerry Hatcher

    71Kerry Hatcher from Macon, GA|posted September 5 2008

    I’ve never had a problem with the Connect Manager (other than I don’t know what files are getting changed)

    we have upgraded from 1.1.1 to 1.1.2 to 1.1.3 and 1.1.4 with not problems (associated with the actual upgrade process)

    I would suggest posting your idea to the “feature requests” forum if you would like to see a new feature.

    Also have you posted your problems to the forums? If you have then post the link and I’ll take look at them for you.


  72. Kerry Hatcher

    72Kerry Hatcher from Macon, GA|posted September 5 2008

    "with not problems” = No problems smile

    I do wish these comments where editable

  73. YoavKutner

    73YoavKutner |posted September 5 2008

    @bmanwithab - if your core is intact you should be able to download the full release from the download page ( )and upload it to your server.

    Please note that we do not recommend upgrading your production site directly before verifying that the upgrade does not break any of your customizations.



  74. bmanwithab

    74bmanwithab from Dallas, Texas|posted September 5 2008

    Though I do appreciate the offer, it won’t do any good.  I will have to just start over.  I have looked on the forums and even outside the forums, and still no answers.  I am not the only one so I know its not just me.  I am not a complete noob to all of this.  They just make everything too hard to do for something that is now 1 yr old.  Why rewrite something that everyone else has already done, and they have done it better, learning from their mistakes.  Why start from the bottom, use whats there and improve on it.  I like the way Magento is layed out, but just can not deal with the constant headache that occurs every time they release an update.

    I just tried to update again and now my entire site is down and so I will be on the forums for 2 days hoping to fix it.
    Maybe in another year this will be good enough to run in the real world where people are not php coders and program analysts.

  75. notzippy

    75notzippy |posted September 5 2008

    One thing I found out early is that you cannot simply clone a directory and expect Magento Connect Downloader to work - because it will not. It will only work if the folder structure is exactly the same as the original install. And (of course) the original install was done with the downloader.

    The second thing is that you will always need to run chmod on your files and folders after the upgrade because the file permissions will be reset to 777 and on some webhosts this will cause issues.

  76. bmanwithab

    76bmanwithab from Dallas, Texas|posted September 5 2008

    If I download the release and upload it and over write everything, won’t it reset all of my customizing I did to the templates and whatever else I did.  Its been a while since I customized the thing, and I am not going to be able to remember how to make all that the same again.

  77. Lee Saferite

    77Lee Saferite from Lake City, FL|posted September 5 2008


    I know it’s probably not the best answer, but learn how to use a diff program and generate diff files via the subversion repository.  It will save you countless headaches when upgrading and usually not even overwrite your modifications.

  78. bmanwithab

    78bmanwithab from Dallas, Texas|posted September 5 2008

    what does that even mean....  Learn more stuff to make this one work.  That statement alone is enough to make someone switch to anything else. 

    I do thank you for the attempted help.  This is not the help forum though and I have wasted too much time on this already.  I STILL have not been able to get this upgraded from 1.1.2 but somehow managed to have my .htaccess file changed, I fixed that one.  Funny thing, nothing else seemed to have changed....
    Whatever, maybe 1.1.6 will be the turning point in the life that is Magento.

  79. YoavKutner

    79YoavKutner |posted September 5 2008

    @bmanwithab - if you customized code directly in the core or applied changes to the default themes directly these changes will be overwritten.

    In the case of overwriting core code - I guess this will take some time on your end to move these customization and write them as local extensions.

    In regards to theme you are in luck just copy your current theme as create it as a local theme then upgrade.

    I hope this helps


  80. viovao

    80viovao from Denmark|posted September 5 2008

    Update went well here smile

  81. piotrekkaminski

    81piotrekkaminski |posted September 6 2008

    @talofo: The 500 Server Error usually means issues with your .htaccess file. If you made any changes to it in previous installation (sometimes required in certain hosting environments), make sure the changes are still there.

  82. lisali

    82lisali from London, UK|posted September 6 2008

    I have tried about 20 times and still can not upgrade through Magento Connect. What to do??

  83. iconsol

    83iconsol from Berlin, Germany|posted September 6 2008

    i tried to update with the Magento Connection Manager but if i select the beta state and go back to check for upgrades nothing is happen!

    What’s wrong with that?

    Can somebody help me to upgrade Magento 1.1.3 to 1.1.4?

  84. notzippy

    84notzippy |posted September 6 2008

    @YoavKutner: Yes I do change the core - but the reason for this is to fix problems I encounter in the core. I put bug reports into bugtrac but never see any response to them nor can I find them afterward. Like I said in this post (which never got a single reply) it is impossible to find your submitted bug reports or even to know if they have been acknowledged. I also posted 2 fixes (in that forum message) to the import mechanism that affect the core. I do appreciate the work but I feel like a third class citizen..

  85. coronac

    85coronac from Florida|posted September 7 2008

    thanks for the update!

  86. MIJeff

    86MIJeff |posted September 7 2008


    I have absolutely no experience with website design, or e-commerce whatsoever, but I am trying to help my nephew set up his e-commerce store.  We have managed to get the website up and running, but now we need to upgrade from Magento 1.1.3, to Magento 1.1.4.  According to what I have read so far we need to put our web store in maintenance mode, and turn off, (disable) plug-ins in our current version of Magento prior to installing the update its version of Magento.

    Can you give me any information about how I go about doing this?  I’m totally confused and our web host is of absolutely no help whatsoever.  In fact, they seem to be more interested in setting us up to one of the website design companies they recommend rather than answering our questions with straightforward answers.  In fact, they have repeatedly given us misinformation and caused us to start all over from scratch several times now, and were really getting sick and tired of them.  Unfortunately though we have signed up for our web host for a full year, (due to the savings they offered us) so we are stuck with them as it is, but we really need to get our web store going as soon as possible.  Partially due to our own ignorance and to a great extent of beating misled by blue host… we’ve already wasted 38 days of our yearly subscription of our web host, and we still haven’t gotten our web store up and running.  I would definitely appreciate any help you could give me with regard to getting me off and running!!!  We have found the Magento installation and setup guidei to be very confusing when trying to set up our web store using the guide step-by-step, because it seems that the guide is a few versions earlier than the Magento 1.1.3 version we’re trying to set up.  Thank you in advance for any help, guidance, or assistance you can give me…


    PS.  My e-mail address is: and once again thank you for considering to help me!

  87. computersolutions

    87computersolutions from Shanghai, China|posted September 8 2008

    Personally I’d feel better if some of the bugs were fixed before security issues.

    Out of the box 1.1.1 through to 1.1.4 are broken, and don’t work correctly.

    Mostly due to operator overloading errors -

    Eg things like
    Issue #6051

    While I see that these are allegedly going to be fixed in 1.1.5, its been 3 releases, and those bugs are still there.
    Its a pain to have to patch the source every single time for a new installation....

  88. cyfer

    88cyfer |posted September 8 2008

    Great to see some progress in the Magento development.

    When this is said i think it is unbelievable that the uploading of product pictures has still not been solved. There are many, MANY MANY people who experience this issue. This is no news. I think it is safe to say that this is a critical error and should be dealt with on high priority level. A web shop with no images? Doesn’t sound right does it?

    I am still running the 1.1.1 version as this is the latest version to date that has a working image upload function.

    Please Magento team. You should really have a look at this issue!

    Otherwise thanks for a great system, and I’m sorry for the burst out - but i find it very frustrating that nothing is being done about the above mentioned…

  89. computersolutions

    89computersolutions from Shanghai, China|posted September 8 2008

    @cyfer -

    Have you reported the bugs?
    If so, what are the bug #’s?

    My issue is with bugs that are reported, fixed, but still in there 3 releases later..., sigh.
    Out of the box magento does not work correctly.  Thats not a good thing for prospective developers.

  90. cyfer

    90cyfer |posted September 8 2008

    @computersolutions -

    I did report the bug for 1.1.2 because this was the first time i experienced the issue.. But searching the forums and bug reports you’ll easily find lot’s of people who encountered this problem.

    My bug report however is this one:
    Issue # 6353

  91. MIJeff

    91MIJeff |posted September 8 2008

    I need to put our web store in maintenance mode, and turn off, (disable) plug-ins in our current version of Magento prior to installing the updated version of Magento, (version 1.1 .4).  Does anyone in this forum know how I go about doing that?  Thank you in advance for any help you can give me, because I’m really getting tired of wasting time.  Thanks, Jeff

  92. bmanwithab

    92bmanwithab from Dallas, Texas|posted September 8 2008


    I feel the same way about “wasting time”.  I have converted my entire database back to good ol’ easy to use VM and am in the process of rebuilding.  Until Magento can run and update like ALL the other commerce site out there, I am going to have to call it quits.  I have wasted days just trying to upgrade and STILL can not get it to work.  Oh well.

  93. Danimaltron

    93Danimaltron |posted September 9 2008

    I’m using 1.1.3 and when I try to upgrade from MagentoConnect using this key:

    I get the following error message:magento-core/Mage_All_Latest

    Ignoring installed package magento-core/Mage_All_Latest
    Nothing to install

    Can someone help?

  94. oxygen

    94oxygen |posted September 9 2008

    I am also on 1.1.1 and it has been running fine.

  95. open_b00k

    95open_b00k |posted September 9 2008

    I have just upgraded our store from 1.1.1 to 1.1.4 with absolutely no glitch. Kudos to both the Magento developers and my webhoster team for making this a no-pain upgrade. All my customization (admittedly few) and products were in tact. Site looks great.

    Considering that this is a FREE ecommerce package, i am prepared to put up with new software growing pains, and AM most grateful for all the developers who volunteered their time.

    Out site has not been released for full production, hopefully, after 1.1.5 release, i will be able to do so.

    Thanks again all, and keep up the good work!!

  96. Lee Saferite

    96Lee Saferite from Lake City, FL|posted September 9 2008

    Ok, because all of this ‘I’m running 1.1.1’ and I fine stuff is worrying me, I will say this to people again.  UPGRADE.  Seriously, if you have a production site and you do not upgrade, I can come along and DELETE ALL YOUR PRODUCTS!  Now, I don’t know about you, but I think it’s hard to sell stuff when people delete your product catalog.  So, for your own good, upgrade.  Or if you are just that stubborn, PM me and I can tell you the one line that makes the difference so you can manually fix it.

  97. Mishagos

    97Mishagos |posted September 10 2008

    I’m right brand new, just installed magento via SSH, but apparently the SSH wiki wasn’t upgraded to 1.1.4.

    I have NO idea how to upgrade. I’ve tried the magento-core/Mage_All_Latest on Magento Connect, but I got this:

    parsePackageName(): invalid package name “Mage_All_Latest “ in “ “
    invalid package name/package file “ “
    Cannot initialize ‘ ‘, invalid or missing package file
    Install Errors
    Package “ “ is not valid
    PEAR ERROR: install failed

    Didn’t see anything about that here.

    Tried just Mage_All_Latest, and recieved “Invalid package name.”

    I can’t seem to find anything obvious about HOW to install upgrades on the site. What am I not seeing, folks? Where should I go to find this info?


  98. Mishagos

    98Mishagos |posted September 10 2008

    Oh. Mine is 1.1.2

  99. Rmartin77

    99Rmartin77 |posted September 10 2008

  100. talofo

    100talofo |posted September 10 2008


    Thanks. It was a permission problem because I cannot have in my host the folders or files with 666 or 777 attributes. If I put them with 775 it works perfectly and I have no permission issues till now.

    But I suppose that it was the update Magento Script that have changed the .htaccess and other spectifc folder permissions to 777 and/or 666. If that’s the case, then, eatch time I run an Update to Magento Connect my site will became inavailable and I have to rewrite the permissions to 775 so it can work fine with my Host.

    Here his my host support talking:
    Please note that our servers are running SuExec, which is the most secure environment for a shared hosting server. The scripts are run with the user of their owner (your Control Panel user) and not with the user of the web server. Thus, if a script has to be able to write to a file/directory - world-writable permissions are no longer needed. Actually, such permissions are considered as insecure and files with world-writable permissions (666, 777) will not be executed (will result in 500 Server Errors).

    Please set the permissions of your PHP scripts to 664 and let us know if you still experience problems.

    Can Magento Team do something to this, when we use Magento Connect ?


  101. Aaron_Shaffier

    101Aaron_Shaffier |posted September 10 2008

    I ran the upgrade through Magento connect and it crashed my whole site.  Now I get a 500 error.  Any advice?

  102. cyfer

    102cyfer |posted September 10 2008

    @ Lee Saferite -
    It’s great that you are all pro update… Reality however is that it will not be possible to go into production with a system where you can’t upload pictures of your products…
    Currently i am not in production but are planning to do so soon - with or without an updated magento system.

    I do however know that it is something with the host i’m using that is blocking this as when running on a local environment there is no problem. Changing host is not a solution for me and it shouldn’t be necessary - and anyways i blame the crappy flash upload function for the problem.

  103. Lee Saferite

    103Lee Saferite from Lake City, FL|posted September 11 2008


    I understand reality/perfection, I’m just trying to drive home how important it is to get this security update.  Literally, I can delete your entire product catalog as an unprivleged user in a matter of seconds/minutes.  Varien is not explaining the problem for fear of someone exploiting the issue.  I can understand the reluctance to inform the community of the gravity of the situation, but it has causedlots of people to not upgrade because they do not see the need.

    So, to everyone who has NOT upgraded, do so.  If you need a simple fix for the problem, PM me an I can tell you the file and line-number where the problem is so you can at least fix the bug in your current version.  You owe it to yourself and/or your clients.

    a.k.a. Chicken Little

  104. cyfer

    104cyfer |posted September 11 2008

    @Lee Saferite

    I completely agree with you when it comes to security updates.. But security updates are useless if the product you are security updating isn’t working… But anyways, no need for discussion as we basicly have the same opinion.

    Folks go ahead and update.. Security is important and you should ALWAYS have the latest version installed when fooling around with opensource systems smile

  105. lisali

    105lisali from London, UK|posted September 11 2008

    Well - I wish I could update - but Magento Connect manager WILL NOT LET ME!

  106. Fireburst

    106Fireburst from Seaford, UK|posted September 12 2008

    In all honesty I don’t feel Magento is mature enough yet for a production environment with far too many problems with patching (even vanilla installs).

    I think this needs to have the full focus of the team until it can be sorted out properly so sites can patch critical flaws as soon as the patch comes out.

  107. marc_j

    107marc_j |posted September 12 2008

    Another user spreading FUD and nonsense (@Fireburst)

    Read this for comments on ‘Is Magento Ready’ -

    Short version - YES.

  108. notzippy

    108notzippy |posted September 12 2008

    I too feel censorship is not open source!

    I’m sorry I cannot credit the author since my alerts only show me the comment, but here it is again since it was already removed once..

    Yoav, well, since you won’t accept my response to the censorship in PM
    form, I’ll just post here.

    You have a bug that is extremly serious and you out out a security update
    that a large portion of the community seems to have a problem installing.
    Heck, most of the site you list in ‘Magento Spotting’ are STILL
    vulnerable. Even some sites that THOUGHT they were good are vulnerable. I
    posted a ‘quick fix’ for those unlucky/foolish ones that cannot/will not
    upgrade. I did not detail the exploit or anything. I gave no more info that
    you could get from a simple diff of the 1.1.3 and 1.1.4 release. I was
    trying to help the less technically able members of this community.

    And what do I get? Censored. Thanks.

    For the record, I like Magento. I think Varien is doing a great thing
    releasing it. But the handling of this security flaw is sickening. You
    haven’t made the community understand the gravity of the problem and some
    think they can just wait for a later version. Shame on you.

    And, in the future, maybe you could accept a PM reply to a PM message
    explaining why you censored me, it would prevent this discussion happening
    on your Blog.

  109. Fireburst

    109Fireburst from Seaford, UK|posted September 12 2008


    I am commenting on my own experiences thus far. My opinion stands as you are entitled to yours. The thread linked to showed that 30% think it is not ready which is a sizeable chunk.

    Mangento is a very exciting project that will will mature and become very popular. I just don’t feel it is quite there yet.

  110. Mishagos

    110Mishagos |posted September 12 2008

    Folks, it would be really helpful to those of us trying to figure this software out and use it if you all would address people’s problems here (i.e., HOW DO I UPDATE) rather than having little back and forth petty arguments about whether Magento is ready or not or open source or not. Thanks.

  111. Mishagos

    111Mishagos |posted September 12 2008

    I mean, if you want to argue about something, make it really productive, like whether your dad can beat up his dad or something, k? Good lord.

  112. Lol

    112Lol from Plymouth, UK|posted September 14 2008

    I ran the upgrade to 1.1.4 on my development server via the MC manager - it took just fine.

    Then I upgraded the production server and it updated like a charm too.

    Thanks Magento team! You rock.

  113. -Chop-

    113-Chop- |posted September 19 2008

    Ok, NOW i’m worried, reading all the above, i’ve just spent the best part of my weekend (last week - was raining and had nothing else to do...except mow the the wet - but that’s a whole nuther story) so my mate and i installed Magento to use for my new business...should i be worried - i’m running 1.1.4, have no real idea what i’m doing so keep trolling through the user manual line by line by line......{yawn}

  114. Fireburst

    114Fireburst from Seaford, UK|posted September 19 2008

    @ -chop-

    Don’t be unduly worried, my comments reflect my view of using Magento as my tool of choice when a client wants an online store to be built and the amount of time I would need to spend managing the store.

    For a store for yourselves then I think Magento is more than viable as long as you follow the usual precautions before rolling out updates (backup, backup and backup).

    You should also update to the latest version 1.1.6

  115. -Chop-

    115-Chop- |posted September 19 2008

    it’s not actually going to be my store, i’m looking to run a 3PL and want my clients to login and see their products and only theirs - i don’t actually have products just services but i’m still a little sceptical as to whether Magento is the way to move forward, suffice to say i need somehting that allows my clients to order their own items online, but will this do the job...dunno…

  116. paypal bingo

    116paypal bingo |posted February 10 2009

    My 3 hp briggs doesnt have spark , it has good points and magento, and i can feel charge?
    no spark on a good plug but i can feel a spark in my fingers where the spark plug meets magento wire. How do i set the plug up to make it spark good, should there be a ground?

  117. caricell

    117caricell |posted September 25 2009

    Trying to reach anyone in this blog who is familiar with Magento and is willing to assist a newbie with a new site that was set up for me by someone who no longer can support it. I have a number of issues with it, most performance related, and I dont know where to turn. For one, the Adminpanel is almost completely unusabl;e at the moment.

    The site is actually my Dad’s. He’s 87 years old and doesnt have a lot of money to pay for help. I just would like to get someone who can work on this at their own pace, and be reasonable in charging.

    If anyone here would like to find out more, and would be willing to look at the site, please contact me at:


  118. ofilmizle

    118ofilmizle |posted October 17 2009

RSS: This Entry| All Blog Posts (RSS)