JUN 01 2017

How to install SUPEE-9767 without SSH

July 12, 2017: Community Edition and SUPEE-9767 version 2 patch address customer registration and other issues encountered by some merchants when using the original release or patch.
May 31, 2017: Community Edition and SUPEE-9767 Security Enhancements – 5/31/2017.
If you have SSH access, it would be more simple to apply the patch via SSH. If you have no SSH access to apply the patch, you can simply upgrade your installation to Magento version which includes all the latest security patches (SUPEE-5344, SUPEE-5994, SUPEE-6285, SUPEE-6482, SUPEE-6788, SUPEE-7405, SUPEE-8788, SUPEE-9652, SUPEE-9767v2). If Magento upgrade is not possible in the moment due to some reason you still can apply the patch via FTP/sFTP upload as shown in this article. If you wish to save time and have us to install these patches for you, simply click here to order installation.  


  • Disable Magento Compiler and clear compiler cache
  • Disable Symlinks setting
    In Magento backend navigate to System > Configuration > Advanced > Developer > Template Settings > Enable Symlinks and set it to No, if it is not set already: template-symlinks-setting-in-magento

Applying Magento patches via FTP/sFTP or FileManager / File Upload

To apply patches in this way we simply replace changed files. This way can not be used blindly if you or your developers have changed any core Magento files (which is a big no-no, by the way). Such changes should be re-applied to patched files, or you loose these changes.
Note: Make sure, that all previous patches including SUPEE-5344, SUPEE-5994, SUPEE-6285, SUPEE-6788, SUPEE-7405 and SUPEE-8788 are applied as this patch should be applied on top of all previous patches.
Note: If you previously applied SUPEE-9767v1 (first version of this patch released on May 31, 2017) to apply new SUPEE-9767v2 version you can simply upload SUPEE-9767v2 files on top of it, it will replace all files from version 1
The following files are changed by SUPEE-9767 (version 2 for released on July 12, 2017):
  To install the patch via FTP/File Upload
  • select patch bundle archive corresponding to your Magento version from the table below and unpack it
  • upload all files and folders to Magento root directory of your store, replacing all files
Magento versionSUPEE-9767v2
Downloads for other versions added to table on demand when we patch certain version via file upload for the first time.  

Enable Form Key Validation On Checkout (optional)

To take all advantages of SUPEE-9767 patch it is recommended to enable form key verification for checkout at System > Configuration > Advanced > Admin > Security > Enable Form Key Validation On Checkout.
Note: Check with your theme developer if your theme is compatible before enabling that option as it can break checkout process. Make sure that corresponding checkout template phtml files in your custom theme have form key fields included and custom opcheckout.js is updated.
These fields were added in this patch into default themes, so if you use default theme (base / rwd) or your theme does not override checkout pages, then you can enable Form Key Validation On Checkout right away. Otherwise, check with your theme developer if your theme is compatible before enabling that option as it can break checkout process. The following template files in your custom theme should be checked:
These files should include formkey line and you can add it just like in default template files:
--- app/design/frontend/base/default/template/checkout/onepage/payment.phtml
+++ app/design/frontend/base/default/template/checkout/onepage/payment.phtml
@@ -35,6 +35,7 @@
 <form action="" id="co-payment-form">
         <?php echo $this->getChildHtml('methods') ?>
+        <?php echo $this->getBlockHtml('formkey') ?>
 <div class="tool-tip" id="payment-tool-tip" style="display:none;">
Other set of files to update are custom javascript files that override js/varien/payment.js and skin/frontend/base/default/js/opcheckout.js. These javascript files should be updated with the following:
@@ -711,7 +711,7 @@ Payment.prototype = {
         var method = null;
         for (var i=0; i<elements.length; i++) {
-            if (elements[i].name=='payment[method]') {
+            if (elements[i].name=='payment[method]' || elements[i].name == 'form_key') {
                 if (elements[i].checked) {
                     method = elements[i].value;

Verification and flush of Magento PHP opcode cache

Flush Magento caches: Navigate in Magento backend to System > Cache Management and flush Magento cache and CSS/JS caches. If you use PHP opcode caches (OPCache/APC/XCache/eAccelerator) make sure to flush it after patching (or restart webserver), otherwise code will continue to run from caches. Test that your store is working. Test Checkout process. If you have any difficulties with applying the patches please let us know in comments, so we can find the solution together.  

Posted in: Magento Maintenance

How to install SUPEE-9767 without SSH
50 votes, 4.39 avg. rating (87% score)
  • Anurag Khandelwal

    which one should I follow for magento version I guess it should be the one made for!

    • http://www.freshwebservices.com/ Eddie May

      From doing a filemerge & visual check between the patches for &, it looks like the only differences between the two are in locale csv files where there are references to admin security hardening introduced after Otherwise all the other files are identical apart from date differences in the copyright declaration.

      • Anurag Khandelwal

        Great thanks Eddie

  • Magee

    Hello – can you please upload the fix for magento 1.6.2 ?
    and a question – do I need all other patches BEFORE using this one? Or is this an “independent” patch ?

    thank you very much for your service!

    • magentary

      File for was just added to the table. And yes, there are lot of files changed, so there are common files with SUPEE-5344, SUPEE-5994, SUPEE-6285, SUPEE-6788, SUPEE-7405 and SUPEE-8788 – all these patches should be applied before SUPEE-9767.

  • Daniel

    Hello – i’ve Magento -> can i use one of your Patches yet?

    • magentary

      File for was just added to the table

  • Scode

    Thank you as always for the non-SSH patch installation help. This one seemed to go ok, however there is now this notice in the backend:
    “Formkey validation on checkout disabled. This may expose security risks. We strongly recommend to Enable Form Key Validation On Checkout in Admin / Security Section, for protect your own checkout process.”

    I get the feeling if I enable that in settings it might break our checkout process (did some googling), but if I don’t there may be a bigger security risk than what we just patched? Is it usual to set this after installing SUPEE-9767? Thanks again.

    • magentary

      It is safe to enable this option with default theme (rwd or base theme) or with any new theme that have form keys in checkout forms. If custom theme have no form_key inputs in checkout forms, it will be impossible to submit form / proceed with checkout as Magento will ignore any input from checkout without form keys.
      Patching custom theme is straightforward task, it is required to add form keys input (one line) in the following theme files (for 1.9.x):

      If some files do not exist in the theme, it will use default ones, that are already patched by default.

      The option is created to protect from CSRF:
      Checkout functionality is vulnerable to cross-site request forgery attacks. These types of attacks are typically executed by phishing emails or pages that allow attackers to modify or harvest payment details.

      The line to add into template files is usually like the following:

      <?php echo $this->getBlockHtml(‘formkey’) ?>

      • Scode

        How about the theme files locations for Thanks again Magentary.

        Also – if I enable Form Key Validation to test if checkout process works, and it then doesn’t work, will disabling that setting then allow it to work again til I input the fix? Thanks.

        • magentary

          Yes, sure, it is possible to disable Form Key Validation for checkout again and it will work just like it was always disabled.

          For the list of files is without addresses.phtml template:

          You can see the list of template files patched in app/etc/applied.patches.list file when patch is applied.

      • Vicky

        Thank you for the above information. So if I understand correctly, if it doesn’t have that last line of code in one of the files listed above, then we need to add it ourselves?

  • YV

    My custom theme use the path: “app/design/frontend/default/mytheme” and not “app/design/frontend/base/default”. The Form Key not work for this, only if I copy my custom theme to the folder “base”. How can I fix it in my “default” folder (path)?
    Magento version

  • Omar

    Please upload for also.

  • Omar

    Please upload for also

  • Sobana Devi

    i have updated SUPEE-9767 patch in CE through FTP. Everything works fine, except the confirmation mail for new account and new order. I m getting mail for “forget password” but not for new confirmation mail. But new account and orders are successfully updated in backend. Could you help me how could i trace and fix?

    Thank you

    • Vicky

      I can confirm that when I updated my theme files with getBlockHtml(‘formkey’) ?> I know don’t get email confirmations. I’m also on CE and my theme has recently been updated but didn’t have the formkey in the forms.

    • Sobana Devi

      Confirmation mails are working now. just changed the app/code/core/Mage/Core/Model/Email/Template.php template.php (line number:424)
      from : if ($this->hasQueue() && $this->getQueue() instanceof Mage_Core_Model_Email_Queue) {

      to: if (!($this->hasQueue()) && $this->getQueue() instanceof Mage_Core_Model_Email_Queue) {

  • Stokes

    Is there a reason why a patch for version hasn’t been uploaded yet? I’ve noticed on other sites that they seem to skip right over it as well. Any info about this would be greatly appreciated. Thanks!

  • Nafiz

    please upload

    • Anurag Khandelwal

      You can also follow the comments Eddie said on my same question for

  • sandy

    Can you guys plz add for magento version

  • Stokes

    So riddle me this…. I have uploaded all the new files in MY theme files and of course as well as the default just for the heck of it. When I log in to the backed of my store like I should I see up on the top the message “Important: Formkey validation on checkout disabled. This may expose security risks. We strongly recommend to Enable Form Key Validation On Checkout in Admin / Security Section, for protect your own checkout process.” Now when I go to the area to “Enable” this I don’t even see it there? What in the heck am I missing? I have ran my store through MageReport and it shows the Patch 9767 is installed so I would imagine I did all of it right. Any insight on this would be greatly appreciated. Thanks!

    P.S. I am running Magento if that matters at all.

    • Stokes

      Replying to my own question. I got it to work finally. Problems with uploading files that I didn’t see upload. Once I went back through and checked everyone of them I cleared the cache and then it showed.

  • Anna Sarotsky

    please upload for

    • Omar

      Did u install or still looking. if you found some where plz update here

      • Anna Sarotsky

        I’m still wating :(

  • Nancy

    Are the files for 1.8.1 the same as the ones for If not, can be added? Please?

  • Anurag Khandelwal

    @magentary:disqus I think for the version, you guys missed to add changes to this file “app/code/core/Mage/Customer/Model/Session.php”

    diff –git app/code/core/Mage/Customer/Model/Session.php app/code/core/Mage/Customer/Model/Session.php
    index 623fa39..b5e5eda 100644
    — app/code/core/Mage/Customer/Model/Session.php
    +++ app/code/core/Mage/Customer/Model/Session.php
    @@ -222,6 +222,7 @@ class Mage_Customer_Model_Session extends Mage_Core_Model_Session_Abstract
    + Mage::getSingleton(‘core/session’)->renewFormKey();
    Mage::dispatchEvent(‘customer_login’, array(‘customer’=>$customer));
    return $this;
    @@ -307,6 +308,7 @@ class Mage_Customer_Model_Session extends Mage_Core_Model_Session_Abstract
    + Mage::getSingleton(‘core/session’)->renewFormKey();
    return $this;

    Let me know if I am wrong!

    • magentary

      Patch bundle file for contains the changes quoted. Make sure that you have uploaded all files.

      • Anurag Khandelwal

        okay I see, you should change this line in your blog “The following files are changed by SUPEE-9767 (v1 relased on May 31, 2017):” and should include also “app/code/core/Mage/Customer/Model/Session.php”

        While verifying, I made a mistake.

  • Murad Khan

    Please upload for

  • https://www.cloudways.com/en/ Fayyaz Khattak

    This helped me a lot. Thank you! :)

  • Best Bear

    Hi Magentary. Just heard about a “SUPEE-8167″ patch today which I don’t think I’ve seen covered here – “…new PayPal IPN server location… required to keep PayPal processing transactions past June 30, 2017.” Will you be advising on how to install without SSH? Thanks as always!

  • Kirti Nariya

    I have need to update SUPEE-9767 patch in Enterprise edition Magento ver. and where to download SUPPEE-9767 for Enterprise edition

    • magentary

      You can download patches for EE from your account: log in to magento.com, in the left pane, click Downloads, in the right pane, click Magento Enterprise Edition, there should be all patches for your EE version.

      • Kirti Nariya

        Thanks Magentary!

  • MeltingPotWeb

    this patch has introduced a bug with uploading transparent png’s in the cms. Transparent backgrounds are now not honoured – they are converted to black. Anyone else found this?

    • Devlopment


      public function validate($filePath)
      list($imageWidth, $imageHeight, $fileType) = getimagesize($filePath);
      if ($fileType) {
      if ($this->isImageType($fileType)) {
      //replace tmp image with re-sampled copy to exclude images with malicious data
      $image = imagecreatefromstring(file_get_contents($filePath));
      if ($image !== false) {
      $img = imagecreatetruecolor($imageWidth, $imageHeight);
      imagecopyresampled($img, $image, 0, 0, 0, 0, $imageWidth, $imageHeight, $imageWidth, $imageHeight);
      switch ($fileType) {
      case IMAGETYPE_GIF:
      imagegif($img, $filePath);
      case IMAGETYPE_JPEG:
      imagejpeg($img, $filePath, 100);
      case IMAGETYPE_PNG:
      imagepng($img, $filePath);
      return null;
      } else {
      throw Mage::exception(‘Mage_Core’, Mage::helper(‘core’)->__(‘Invalid image.’));
      throw Mage::exception(‘Mage_Core’, Mage::helper(‘core’)->__(‘Invalid MIME type.’));

      Change to

      public function validate($filePath)
      $fileInfo = getimagesize($filePath);
      if (is_array($fileInfo) and isset($fileInfo[2])) {
      if ($this->isImageType($fileInfo[2])) {
      return null;
      throw Mage::exception(‘Mage_Core’, Mage::helper(‘core’)->__(‘Invalid MIME type.’));

      • MeltingPotWeb

        Thanks, though that is just reverting it to how it was pre-patched. I’ve reported to Magento to release an update.

  • Dan Vince

    Request for please :)

    • Omar

      Did u have please update here also

  • zakir

    Please upload for

  • Alia

    please upload for magento

  • Tere

    Please… for Magento :(

  • Rohit

    can you please tell us how we will patch the third party checkout extension. The file are for magento core module.

  • Purushotam Sharma

    After upload the SUPEE-9767 in, I am getting below error:-
    Fatal error: Call to a member function getRedirectUrl() on a non-object in /app/code/core/Mage/Admin/Model/Session.php on line 130
    when you refresh again on this stage, you can able to see the dashboard.

    if any one have idea please share.

  • http://about.me/neilbradley Neil Bradley

    Request for version 2 of the patch

  • Allen

    Can you please upload the patched version 2 for Mangeto and

  • Sunil Poonia

    please upload for magento

  • koseki g2

    please upload for magento

  • b7itzz

    After installing the patch, we started getting the error below when the customer logs out of their account.

    Invalid method Mage_Core_Model_Session::renewFormKey(Array

    #0 /app/code/core/Mage/Customer/Model/Session.php(311): Varien_Object->__call(‘renewFormKey’, Array)
    #1 app/code/core/Mage/Customer/Model/Session.php(311): Mage_Core_Model_Session->renewFormKey()
    #2 app/code/core/Mage/Customer/Model/Session.php(255): Mage_Customer_Model_Session->_logout()
    #3 /app/code/core/Mage/Customer/controllers/AccountController.php(236): Mage_Customer_Model_Session->logout()
    #4 /app/code/core/Mage/Core/Controller/Varien/Action.php(418): Mage_Customer_AccountController->logoutAction()
    #5 /app/code/core/Mage/Core/Controller/Varien/Router/Standard.php(254): Mage_Core_Controller_Varien_Action->dispatch(‘logout’)
    #6 /app/code/core/Mage/Core/Controller/Varien/Front.php(172): Mage_Core_Controller_Varien_Router_Standard->match(Object(Mage_Core_Controller_Request_Http))
    #7 /app/code/core/Mage/Core/Model/App.php(365): Mage_Core_Controller_Varien_Front->dispatch()
    #8 /app/Mage.php(1367): Mage_Core_Model_App->run(Array)
    #9 /index.php(84): Mage::run(”, ‘store’)
    #10 {main}

    • magentary

      There are two possible causes of this error:
      1) patch was applied incompletely or OPcode cache was not flushed
      2) there are local overrides either in code/local/Mage or in one of extensions that rewrites Mage_Core_Model_Session

      To solve it, corresponding override should be patched as well with adding renewFormKey method and OPcode cache should be flushed.

  • Toyin Etiko

    Could you please upload or let us know when you would upload the patch for Thank you

    • Denis

      Also waiting for Thank You.

  • Airsea

    Dear Magentary, first of all, we want to thank you for the excellent contribution given to the community, by providing the patch bundle archive, to install the patches via FTP/File Upload. Please we would like you to provide zip of supee patch – 9767 v2 for Magento version Thanks !

  • Geesala Siva

    after installing the 9767 v2 patch ,shipping method is not working ,and i was unable to proceed to check out .

    • magentary

      You may need to patch theme template files as described in “Enable Form Key Validation On Checkout (optional)” section above.

  • apiah

    Please provide for Magento –

  • rjven

    Waiting for

  • Alan

    Waiting for

  • Krishna

    I had Image Upload problem for product after installing patch SUPEE-9767v2- can anyone help me out …please

  • Laura

    Hi, we’re still on – are any of these versions suitable for us to use? Thanks!

  • EspertoMagento.it

    9767 v2 for Magento ver. I can use Thanks

    • Tom

      This solution works for you ? Thx !

      • EspertoMagento.it

        I haven’t try it yet.

  • Jae Peat

    Hi, I am using and I followed the steps and added all of the files via cpanel FTP.
    After a scan using magreport.com its showing that the patch is not installed.
    I have successful added the security patch 10266 before this so I am not sure if this could be the reason.
    I doubled checked that I had uploaded every file one by one and all have been added.

  • John Elenko
  • magentary

    Please note, that ZIP file above does not revert changes in app/code/core/Mage/Tax/Model/Resource/Calculation.php app/code/core/Mage/Tax/Model/Calculation.php patched in v1 and skipped in v2.

  • magentary

    SUPEE-9767v2 for was recently added to download table