Magento 1: How to install the SUPEE-6788 Magento patch bundle

These instructions are for installing the SUPEE-6788 Magento patch bundle. More information on this patch bundle can be viewed at http://merch.docs.magento.com/ce/user_guide/magento/patch-releases-2015.html.

Overview of SUPEE-6788

This security patch bundle addresses over 10 issues identified in the Magento security program, including remote code execution and information leak vulnerabilities. This particular patch bundle is complex, as several of the changes Magento implemented to close these bugs are not backwards compatible. In short, some 3rd party extension vendors took shortcuts in coding that used to work but will no longer work. The number of affected extensions is large. For this reason, Magento have disabled the backwards-incompatible code in this patch by default so that those extensions keep working, while allowing you to benefit immediately from the rest of the patch.

Once you have had time to update the code in the impacted extensions or customisations, you can then disable backwards compatibility to enable the admin routing change so that the patch is fully enabled.

How to install SUPEE-6788

Step 1: Install Magento patch using SSH - see our KB article How to install Magento security patches

Step 2: Check for incompatible extensions. Any extension with <use>admin</use> in its config.xml is likely to be incompatible.

To test whether you have incompatible extensions, run this via SSH from within your Magento root directory:

grep -lr '<use>admin</use>' app/
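
The grep above only names the matching files. The following shell function is an added example, not part of the original article or of the tools listed below. It also reports the frontName (admin URL segment) that each old-style admin router registers, so you can see which routes change once compatibility mode is disabled. The function names, the Acme_Old sample module and the assumption that <frontName> follows <use> inside the same router node are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article or the Magento project).
# Lists each config.xml under a directory that declares an old-style admin
# router (<use>admin</use>) together with the frontName it registers.
find_old_admin_routes() {
    dir="${1:-app}"
    find "$dir" -type f -name config.xml \
        -exec grep -l '<use>admin</use>' {} + 2>/dev/null | sort |
    while IFS= read -r file; do
        awk -v f="$file" '
            # Track whether the most recent <use> element selected the admin router.
            /<use>/ { in_admin = ($0 ~ /<use>admin<\/use>/) }
            # Assumption: <frontName> follows <use> inside the same router node.
            in_admin && match($0, /<frontName>[^<]*<\/frontName>/) {
                printf "%s\t%s\n", f, substr($0, RSTART + 11, RLENGTH - 23)
                in_admin = 0; found = 1
            }
            END { if (!found) printf "%s\t(frontName not found)\n", f }
        ' "$file"
    done
}

# Constructed sample: a hypothetical Acme_Old module with one frontend router
# and one old-style admin router, written under the directory given as $1.
make_sample_module() {
    mkdir -p "$1/code/local/Acme/Old/etc"
    cat > "$1/code/local/Acme/Old/etc/config.xml" <<'EOF'
<config>
  <frontend><routers><acmeold>
    <use>standard</use>
    <args><module>Acme_Old</module><frontName>shop</frontName></args>
  </acmeold></routers></frontend>
  <admin><routers><acmeold_admin>
    <use>admin</use>
    <args><module>Acme_Old</module><frontName>acmeadmin</frontName></args>
  </acmeold_admin></routers></admin>
</config>
EOF
}
```

From the Magento root directory, call find_old_admin_routes app; each output line is a file path and a frontName separated by a tab.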

Here are a few useful tools and resources to assist in updating your code and to whitelist any necessary missing blocks:

1) Magento SUPEE-6788 Developer Toolbox - https://github.com/rhoerr/supee-6788-toolbox. This is an excellent tool which you can use to identify and fix any issues. Excellent documentation is provided with the script.
2) List of known incompatible extensions (community maintained Google Docs spreadsheet)
3) MageRun Addons (on GitHub) for the excellent n98-MageRun Magento command-line tool: use these to find old-style admin routing in extensions and non-whitelisted vars/blocks that are incompatible with SUPEE-6788
4) Magento Security Centre - SUPEE-6788 Technical Details


Step 3: To improve security, disable the compatibility mode which will enable the admin routing change:

System > Configuration > Admin > Security: Admin routing compatibility = Disabled

