Magento has released a new security patch SUPEE-9767 v2. This patch is of high priority and Magento 1.x merchants have to apply it immediately.
Magento Security Patch
This patch provides protection against several types of security-related issues, including remote code execution, information leaks, and cross-site scripting.
Before installing the patch, check if the old patches have been installed correctly. Some patches depend on other patches to be installed already. You can use magereport.com to check the patches installed in your site.
- Disable Magento Compiler and clear compiler cache
- Disable Symlinks setting. In the Magento backend, navigate to System > Configuration > Advanced > Developer > Template Settings > Enable Symlinks and set it to No, if it is not set already.
- You can upgrade to the latest version (184.108.40.206), or revert SUPEE-9767 v1 and then you can apply the SUPEE-9767 v2 of the patch. Either option will resolve the issue.
- Be sure to test the patch in a development environment first, as it can affect extensions and customizations.
How to Revert a SUPEE-9767 v1 Security Patch?
Enter the following command to write to Magento files (typically, the web server user or root):
sh patch-file-name.sh –R
Installing the Patch:
If you have SSH access, it would be simpler to install the patch.
Before installing the patch make sure to disable Magento Compiler at System > Configuration > Tools > Magento Compiler and clear compiled cache (if a compiler is used).
To apply and revert the Magento security patch, please refer the link below.
After Installing the Patch:
After the patch has been installed successfully, check whether all sessions, check out, shipping, payment and landing pages are loading correctly without any issues.
Magento security patch SUPEE 9767 v2 affects the page sessions, check-out, file upload, admin pages and downloadable products.
What are the Main fixes in SUPEE 9767 v2?
- Changed how Magento validates form keys during the generic five-step checkout process. Previously, customer registration failed during standard checkout processing if form key authentication was enabled.
- Magento now displays the Allow_symlinks message in the Admin message area as expected.
- Magento now preserves the background transparency of uploaded images as expected. Previously, transparency was lost after the image was uploaded, resulting in an unusable image. You can now use Checkout with Multiple Addresses when checkout form validation is enabled.
- You can now install an extension as part of installing a package.
- The Allow symlinks option is now disabled during installation or upgrade processes. Previously, when you changed the Allow symlinks setting to true in the database before upgrading and then installing the patch, this option remained enabled, but you could no longer access it from the Admin panel.
The patch adds <?php echo $this->getBlockHtml(“formkey”) ?> to the following template files:
Anybody overwrite in your local file. Please add formkey.
Hope this was helpful. Please post your queries if you face any issues in installation.