Patching SUPEE-9767 v2

SUPEE-9767 v2 is an important security update for Magento to address remote code execution and SQL injection vulnerabilities.

Where to download

Its best downloading the patch from the download section - or via MDA - the Magento download tool (this is what this guide will use).



If your store uses symlinks (ie. through the use of modman you should not install this patch until you have removed all symlinks. The v2 patch will forceably disable symlinks on installation which could cause immediate damage to your store.

Check whether symlinks are used in your installation, if they are, then halt the installation of the patch until you have resolved the use of symlinks.

cd /microcloud/data/domains/example/domains/
find -L . -xtype l -printf "Symlink found"

SUPEE-9767 v1

If you installed the original SUPEE-9767 v1 patch, then this needs to be removed before proceeding.

bash -R

Applying the patch

The application of this patch is relatively straightforward. I'd recommend doing this in staging/development before attempting on live (if you don't have a dev. site follow this guide to create one).

  1. Download the patch files to your computer and upload to the document root of your store
  2. Install the SUPEE-9767 v2 patch,

     cd /microcloud/data/domains/example/domains/
  3. Then clean the store cache,

     mr_examplecom cache:clean

Known issues

Form Keys

Form keys must be manually added to the store template (if using anything other than the default Magento design). An automated approach may be able to be followed to add the missing form keys,

cd /microcloud/data/domains/example/domains/
find -L app/design/frontend -regex '.*\(shipping\|billing\|shipping_method\|payment\).phtml' -exec grep -L formkey {} \; \
  | xargs sed -i 's/<\/form>/<?php echo $this->getBlockHtml("formkey") ?><\/form>/g'

find -L skin/frontend -name 'opcheckout.js' -exec grep -L form_key {} \; \
  | xargs sed -i 's/if (elements\[i\].name=='\''payment\[method\]'\'') {/if (elements[i].name=='\''payment[method]'\'' || elements[i].name == '\''form_key'\'') {/g'

Thanks and credits to Fabian Schmengler for the above command.