If you have SSH access, it would be more simple to apply the patch via SSH.
If you have no SSH access to apply the patch, you can simply upgrade your installation to Magento 1.9.3.3 version which includes all the latest security patches (SUPEE-5344, SUPEE-5994, SUPEE-6285, SUPEE-6482, SUPEE-6788, SUPEE-7405, SUPEE-8788, SUPEE-9652, SUPEE-9767).If Magento upgrade is not possible in the moment due to some reason you still can apply the patch via FTP/sFTP upload as shown in this article.

If you wish to save time and have us to install these patches for you, simply click here to order installation.

 

Preparations

  • Disable Magento Compiler and clear compiler cache
  • Disable Symlinks setting
    In Magento backend navigate to System > Configuration > Advanced > Developer > Template Settings > Enable Symlinks and set it to No, if it is not set already:

 

Applying Magento patches via FTP/sFTP or FileManager / File Upload

To apply patches in this way we simply replace changed files. This way can not be used blindly if you or your developers have changed any core Magento files (which is a big no-no, by the way). Such changes should be re-applied to patched files, or you loose these changes.

The following files are changed by SUPEE-9767

To install the patch via FTP/File Upload

  • select patch bundle archive corresponding to your Magento version from the table below and unpack it
  • upload all files and folders to Magento root directory of your store, replacing all files
Magento version SUPEE-9767
1.9.3.2 SUPEE-9767-1.9.3.2
1.9.3.1 SUPEE-9767-1.9.3.1
1.9.3.0 SUPEE-9767-1.9.3.0
1.9.2.4 SUPEE-9767-1.9.2.4
1.9.2.1 SUPEE-9767-1.9.2.1
1.9.2.2 SUPEE-9767-1.9.2.2
1.9.1.0 SUPEE-9767-1.9.0.1
1.9.0.1 SUPEE-9767-1.9.0.1
1.8.1.0 SUPEE-9767-1.8.1.0
1.7.0.2 SUPEE-9767-1.7.0.2
1.6.2.0 SUPEE-9767-1.6.2.0
1.5.1.0 SUPEE-9767-1.5.1.0

Downloads for other versions added to table on demand when we patch certain version via file upload for the first time.

 

Enable Form Key Validation On Checkout (optional)

To take all advantages of SUPEE-9767 released on May 31, 2017 address several security issues, including Remote code execution through symlinks, Remote Code Execution in DataFlow, Remote Code Execution in the Admin panel, SQL injection in Visual Merchandiser and several XSS and CSRF issues.” class=”glossaryLink “>SUPEE-9767 patch it is recommended to enable form key verification for checkout at System > Configuration > Advanced > Admin > Security > Enable Form Key Validation On Checkout.

Note: Check with your theme developer if your theme is compatible before enabling that option as it can break checkout process.
Make sure that corresponding checkout template phtml files in your custom theme have form key fields included and custom opcheckout.js is updated.

These fields were added in this patch into default themes, so if you use default theme (base / rwd) or your theme does not override checkout pages, then you can enable Form Key Validation On Checkout right away.

Otherwise, check with your theme developer if your theme is compatible before enabling that option as it can break checkout process.

The following template files in your custom theme should be checked:

template/checkout/cart/shipping.phtml
template/checkout/multishipping/billing.phtml
template/checkout/multishipping/shipping.phtml
template/checkout/multishipping/addresses.phtml
template/checkout/onepage/billing.phtml
template/checkout/onepage/payment.phtml
template/checkout/onepage/shipping.phtml
template/checkout/onepage/shipping_method.phtml
template/persistent/checkout/onepage/billing.phtml

These files should include formkey line and you can add it just like in default template files:

--- app/design/frontend/base/default/template/checkout/onepage/payment.phtml
+++ app/design/frontend/base/default/template/checkout/onepage/payment.phtml
@@ -35,6 +35,7 @@
 <form action="" id="co-payment-form">
     <fieldset>
         <?php echo $this->getChildHtml('methods') ?>
+        <?php echo $this->getBlockHtml('formkey') ?>
     </fieldset>
 </form>
 <div class="tool-tip" id="payment-tool-tip" style="display:none;">

Other set of files to update are custom javascript files that override js/varien/payment.js and skin/frontend/base/default/js/opcheckout.js. These javascript files should be updated with the following:

@@ -711,7 +711,7 @@ Payment.prototype = {
         }
         var method = null;
         for (var i=0; i<elements.length; i++) {
-            if (elements[i].name=='payment[method]') {
+            if (elements[i].name=='payment[method]' || elements[i].name == 'form_key') {
                 if (elements[i].checked) {
                     method = elements[i].value;
                 }

 

Verification and flush of Magento PHP opcode cache

Flush Magento caches: Navigate in Magento backend to System > Cache Management and flush Magento cache and CSS/JS caches.

If you use PHP opcode caches (OPCache/APC/XCache/eAccelerator) make sure to flush it after patching (or restart webserver), otherwise code will continue to run from caches.

Test that your store is working. Test Checkout process.