Magento CE ver. 18.104.22.168
Recently we were asked by Worldpay to install the latest Magento security patch SUPEE-9767 for a client. The patch was released on May 31, 2017 and then updated with version 2 on July 12, 2017. If you have installed the original patch you will need to revert it prior to installing version 2. The patch provides protection against several types of security-related issues. Specifically, it protects against remote code execution, information leaks, and cross-site scripting.
Download SUPEE-9767 Patch
To download the SUPEE-9767 v2 security patch you’ll need to head on over to the Magento Tech Resources download page. From there you can access all the security patches released by Magento under the “Release Archive” tab. Scroll on down until you find the heading “Magento Community Edition Patches – 1.x”. Look for the SUPEE-9767 v2 security patch and then select your format for download. Your format for download is the version of Magento Community Edition that is installed on your server. Here are further instructions explaining how to download and install a patch. You will need to upload the patch into your Magento root directory in order to apply it.
Before Installing SUPEE-9767
By all means, make sure you read about the SUPEE-9767 security patch released by Magento before installing it. Under the “Note” Section of this page, it says to disable the Symlinks setting. To do so, go to System => Configuration => Advanced => Developer => Enable Symlinks. You will need to “disable” Symlinks. Because, if enabled, Symlinks will override configuration file settings.
But in our instance, for this client, the feature was found in a different location for Magento version 22.214.171.124. We found it in System => Configuration => Advanced => Developer => Template Settings => Allow Symlinks. Select “No” to disable this feature. There is a warning found below the field that reads “Warning! Enabling this feature is not recommended on production environments because it represents a potential security risk.”
Please note, disabling the Symlinks option can also break some deployment workflows. Furthermore, according to Magento, there are known issues when using MODMAN with symlinks. More information can be found here.
To install a Magento security patch you will need to use a third party tool called PuTTY. PuTTY is open source that is a client program for the SSH, Telnet and Rlogin network protocols. Find out more about PuTTY here. Again, you will need to upload the patch into your Magento root directory in order to apply the patch.
Log into PuTTY by connecting to your hosting account or server with your root user name and password. Then change the directory to where Magento is installed by using the cd command “cd /home/(USER)/public_html”. To apply SUPEE-9767 security patch, execute Magento’s code “sh PATCH_SUPEE-9767_CE_126.96.36.199_v2-2017-07-11-11-01-10.sh”. In our case, we got “ERROR: Patch can’t be applied/reverted successfully”. Lucky us! Thankfully, the website and Magento admin panel still seem to be intact and functioning.
Error Installing SUPEE-9767
can't find file to patch at input line 1166 Perhaps you used the wrong -p or --strip option? The text leading up to this was: -------------------------- diff --git downloader/MagendConnect.php downloader/Maged/Connect.php index 95bc1e4,,ee55176 100644 --- downloader/Maged/Connect.php +++ downloader/Maged/Connect.php --------------------------- File to patch: Skip this paty? [y] Skipping patch. 3 out of 3 hunks ignored can't find file to patch at line 1198 Perhaps you used the wrong -p or --strip option? The text leading up to this was: --------------------------- diff --git downloader/Maged/Controller.php downloader/Maged/Controller.php index 88839f5..7dd056c 100755 --- downloader/Maged/Controller.php +++ downloader/Maged/Controller.php --------------------------- File to patch: Skip this patch? [y] Skipping patch. 2 out of 2 hunks ignored can't find file to patch at input line 1261 Perhaps you used the wrong -p or --strip option? The text leading up to this was: --------------------------- diff --git downloader/Maged/Model/Session.php downloader/Maged/Model/Session.php index ce9b584..80f9d41 100644 --- downloader/Maged/Model/Session.php +++ downloader/Maged/Model/Session.php --------------------------- File to patch: Skip this patch? [y] Skipping patch. 2 out of 2 hunks ignored
Here’s How We Fixed It
Seems like the Magento security patch is trying to access the downloader folder which we removed from the Magento files as recommended by Magento for security purposes. Therefore, we will need to upload the backup downloader folder stored off-site and try the patch again. Hopefully with success this time. Woohoo! As a result, of uploading the backup downloader folder we were able to apply the patch with a “Patch was applied/reverted successfully” message.
Once that is done, refresh the cache in the Magento admin panel under “System > Cache Management” so that the changes will be reflected. The website and the Magento admin panel appear to be in working condition. A success! We also tested the shopping cart checkout process and verified that orders were still coming in through the backend of Magento.
Important Formkey Validation Message
After refreshing cache, we received the following message at the top of the Magento admin panel: “Important: Formkey validation on checkout disabled. This may expose security risks. We strongly recommend to Enable Form Key Validation On Checkout in Admin / Security Section, for protect your own checkout process.”
To activate this feature please read our blog post on how to enable Magento formkey validation on checkout, (fix included).