Important Magento Security Update – Zend Platform Vulnerability

We have recently learned of a serious vulnerability in the Zend Framework components that ship with Magento (under lib/Zend), on which the platform is built. This note explains how customers can obtain and install the patch that addresses the issue.

The Issue

The vulnerability is an XML external entity (XXE) injection in the Zend XML-RPC request parser. A crafted XML-RPC request can declare an external entity that points at a local path, and the server resolves it while parsing the request, before any API credentials are checked. An attacker can therefore read any file the web server process can read on a host where the Zend XML-RPC functionality is enabled. That might include password files, configuration files such as app/etc/local.xml (which holds the database credentials and the encryption key), and possibly even databases if they are stored on the same machine as the Magento web server.

Solution

We recommend that every Magento installation apply the patch appropriate to its edition and version:

Magento Enterprise Edition and Professional Edition merchants:
You may access the Zend Security Upgrade patch from Patches & Support for your product in the Downloads section of your Magento account. Account log-in is required.

Magento Community Edition merchants:
Community Edition 1.4.0.0 through 1.4.1.1
Community Edition 1.4.2.0
Community Edition 1.5.0.0 through 1.7.0.1

Applying the patch via SSH

Here is an example of how to apply the patch file via SSH to a Community Edition 1.4.0.0 to 1.4.1.1 store. Run it from the Magento root, the directory that contains app/Mage.php: the file paths inside the patch are relative to that directory, which is why patch is told -p0 (strip no leading path components). Substitute the patch file that matches your version.

cd /home/mystore/public_html
wget -qO - http://www.magentocommerce.com/downloads/assets/1.7.0.2/CE_1.4.0.0-1.4.1.1.patch | patch -p0

A successful run prints "patching file lib/Zend/XmlRpc/Request.php" and "patching file lib/Zend/XmlRpc/Response.php" and nothing else. A "hunks FAILED" message means the patch did not apply, either because it is the wrong patch for your version or because the files have been modified; the rejected hunks are written to the .rej file named in the message.
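A more defensive way to run the same step, as an added example that is not part of the original post and not Magento's own tooling: the patch is downloaded to a file first (same URL as above) and then applied by a small POSIX shell function that checks it is running in a Magento root, dry-runs the patch before writing anything, refuses to reverse a patch that is already applied, and looks for rejected hunks afterwards. The function name, the use of app/Mage.php as the marker for the Magento root, and the choice of patch(1) flags are my assumptions, not something the post specifies.

```shell
#!/bin/sh
# Added example, not from the original post or from Magento: apply a downloaded
# Magento patch file defensively.
#
#   wget -O CE_1.4.0.0-1.4.1.1.patch http://www.magentocommerce.com/downloads/assets/1.7.0.2/CE_1.4.0.0-1.4.1.1.patch
#   apply_magento_patch /home/mystore/public_html CE_1.4.0.0-1.4.1.1.patch
#
# Assumptions (mine, not stated in the post): the Magento root is the directory
# that contains app/Mage.php, and the paths inside the patch are relative to
# that root, which is why -p0 is used.
apply_magento_patch() {
    root=$1
    patchfile=$2

    # Make the patch path absolute so the cd below does not change its meaning.
    case $patchfile in
        /*) ;;
        *) patchfile=$PWD/$patchfile ;;
    esac

    if [ ! -f "$root/app/Mage.php" ]; then
        echo "error: $root does not look like a Magento root (no app/Mage.php)" >&2
        return 2
    fi
    if [ ! -r "$patchfile" ]; then
        echo "error: cannot read patch file $patchfile" >&2
        return 2
    fi

    # Files named in the patch's +++ headers, e.g. lib/Zend/XmlRpc/Request.php.
    targets=$(sed -n 's/^+++ \([^[:space:]]*\).*/\1/p' "$patchfile")
    if [ -z "$targets" ]; then
        echo "error: no +++ file headers found in $patchfile" >&2
        return 2
    fi

    # Stale .rej files from an earlier failed attempt would make it impossible
    # to tell new failures from old ones, so refuse to continue over them.
    for f in $targets; do
        if [ -e "$root/$f.rej" ]; then
            echo "error: $f.rej already exists; clean up the earlier attempt first" >&2
            return 2
        fi
    done

    # Dry run: nothing is written. -N (--forward) makes an already-applied
    # patch count as a failure instead of being silently reversed, --batch
    # stops patch(1) from prompting, and stdin is /dev/null so a prompt that
    # does slip through cannot read the terminal.
    if ! (cd "$root" && patch -p0 -N --batch --dry-run -i "$patchfile" </dev/null); then
        echo "error: patch does not apply cleanly (wrong version, modified files, or already patched)" >&2
        return 1
    fi

    # The dry run passed, so the real run is expected to pass too.
    (cd "$root" && patch -p0 -N --batch -i "$patchfile" </dev/null) || return 1

    # Belt and braces: a zero exit status plus no rejected hunks.
    for f in $targets; do
        if [ -e "$root/$f.rej" ]; then
            echo "error: rejected hunks in $f.rej" >&2
            return 1
        fi
    done
    echo "patched: $targets"
    return 0
}
```

Running it a second time on the same store is refused rather than reversed, which is the mistake the interactive "Assume -R?" prompt invites; a non-zero exit with "already patched" is the expected result in that case.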

Applying the patch by replacing the file

If you are unsure how to patch the files from the command line, we have pre-patched the files for each affected version for your convenience: download the files for your version and replace the corresponding files in your installation. We cannot upload the Enterprise patch, but if you get in touch we would be glad to help.

Community Edition 1.4.0.0 through 1.4.1.1
./lib/Zend/XmlRpc/Request.php
./lib/Zend/XmlRpc/Response.php

Community Edition 1.4.2.0
./lib/Zend/XmlRpc/Request.php
./lib/Zend/XmlRpc/Response.php

Community Edition 1.5.0.0 through 1.7.0.1
./lib/Zend/XmlRpc/Request.php
./lib/Zend/XmlRpc/Response.php

Please note: this is only suitable if you have not modified these files. If you have, apply the patch file instead, or re-apply your changes to the pre-patched copies; replacing a modified file wholesale silently discards your customisations.

Workaround

If the patch cannot be applied immediately, the following steps temporarily disable the XML-RPC functionality that contains the vulnerability. Be advised that any integrations that rely on the XML-RPC API will stop working once this workaround is in place. It also edits a core file, so the change will be overwritten by an upgrade and should be reverted once the patch has been applied.

1. On the Magento web server, navigate to the web root where the Magento application files are stored.
2. From the web root, navigate to app/code/core/Mage/Api/controllers.
3. Open XmlrpcController.php for editing.
4. Comment out or delete the body of the method public function indexAction().
5. Save the changes.

Additional Notes

Users with existing IDS capability may monitor the XML-RPC endpoint (/api/xmlrpc) for attacks. As always, we recommend keeping your Magento installation up to date as the best way to stay secure.
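Before disabling the endpoint (the workaround above warns that integrations will break) and as a baseline for the monitoring suggested here, it helps to know who is actually calling XML-RPC. The following is an added example, not part of the original post and not a Magento tool: two POSIX shell functions that read web server access logs and list the clients hitting the XML-RPC endpoint, plus a filter that flags callers outside an allowlist of known integration hosts. It assumes the store answers at /api/xmlrpc (with or without the index.php prefix) and that the logs are in Apache/nginx combined format; the sample log lines are constructed for the example. Request bodies are not logged, so this cannot see the XML itself; it shows which clients depend on the endpoint and which ones are unexpected.

```shell
#!/bin/sh
# Added example (not from the original post, not Magento's own code): inventory
# of callers of the Magento XML-RPC endpoint from combined-format access logs.
#
# Assumptions: the endpoint path is /api/xmlrpc (optionally behind index.php),
# and log lines are in Apache/nginx combined format. Usage on a real log:
#   xmlrpc_callers < /var/log/apache2/access.log
#   unexpected_callers 203.0.113.10 10.0.0.5 < /var/log/apache2/access.log

# Constructed sample log lines standing in for /var/log/apache2/access.log.
sample_log() {
    cat <<'EOF'
203.0.113.10 - - [14/Jul/2012:10:01:02 +0000] "POST /api/xmlrpc HTTP/1.1" 200 412 "-" "PHP XMLRPC 1.0"
198.51.100.7 - - [14/Jul/2012:10:01:09 +0000] "GET /index.php/customer/account/login/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Jul/2012:10:03:44 +0000] "POST /index.php/api/xmlrpc HTTP/1.1" 200 390 "-" "PHP XMLRPC 1.0"
192.0.2.55 - - [14/Jul/2012:11:17:58 +0000] "POST /api/xmlrpc/ HTTP/1.0" 200 951 "-" "python-requests/0.13"
198.51.100.7 - - [14/Jul/2012:11:20:00 +0000] "GET /api/xmlrpc HTTP/1.1" 200 55 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Jul/2012:12:00:01 +0000] "POST /api/xmlrpc HTTP/1.1" 200 412 "-" "PHP XMLRPC 1.0"
EOF
}

# Read combined-format log lines on stdin and print "count ip method" for
# every client that sent a request to the XML-RPC endpoint, most active first.
# A GET against the endpoint is a probe, not an integration, so the method is
# kept in the output.
xmlrpc_callers() {
    awk '
        # $1 is the client IP, $6 the quoted method, $7 the request path.
        # Match /api/xmlrpc with or without the index.php prefix and with or
        # without a trailing slash or query string.
        $7 ~ /^(\/index\.php)?\/api\/xmlrpc(\/|\?|$)/ {
            hits[$1 " " substr($6, 2)]++
        }
        END { for (k in hits) printf "%d %s\n", hits[k], k }
    ' | sort -k1,1rn -k2,2
}

# Print the callers that are not in the allowlist of known integration hosts
# (IPs given as arguments): the candidates for an alert or a firewall rule.
unexpected_callers() {
    allow=" $* "
    xmlrpc_callers | while read -r count ip method; do
        case $allow in
            *" $ip "*) ;;
            *) echo "$count $ip $method" ;;
        esac
    done
}

# Demonstration on the constructed sample: the known integration host is
# 203.0.113.10, so the python-requests client and the browser GET are flagged.
sample_log | unexpected_callers 203.0.113.10
```

On the sample data the inventory is three callers, and the allowlist filter leaves the python-requests client and the browser GET probe, which are exactly the two that warrant a closer look before the endpoint is switched off.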

The latest releases of Magento (Community Edition 1.7.0.2 and Enterprise Edition 1.12.0.2) already incorporate the appropriate patches, so stores on those releases do not need to apply the patch separately.

  • macrecord

    Thanks, patch for 1.7 applied!
    :-D

  • Lisa

    Many thanks for posting this – and unlike the official Magento website, actually explaining HOW to patch the files without SSH access. Much appreciated! :)

  • Pingback: Parche de seguridad en Magento muy importante - Blog de Sergio Alfaro Lloret | eCommerce, Geek, Serieadicto y Otaku

  • http://www.facebook.com/symonbuenavista Sy Buenavista

    How can I know if I patched it right? I recently did the patch on Magento 1.6, however the message "Important Security Update – Zend Platform Vulnerability" is still showing in the admin panel.

  • http://www.tennis-artikelen.nl/tennistas.html Tennistas

    That message has nothing to do with whether you did the patch or not. So if you did the patch you should be all right. The message is a default message.

  • cattt

    Thanks a LOT for the pre-patched files!! Love you guys!!

  • sonassi

    That message will show regardless of patch status.

    You know if the patch completed successfully if you ran the patch via command line and it showed the two file names without error. You can actually go to run the patch again – and it will ask you to remove the patch (if it has been applied) – then just press Ctrl + C to cancel.

  • Woodford

    Cheers guys this is great. Saved a bunch of time and money.

  • James Hopkinson2

    Thanks very much for providing the patched files.  For those of us without shell access these are a must.  Thanks again.

  • http://twitter.com/1984debasis Debasis Chakraborty

    When I tried to apply it via SSH on Magento 1.5, it shows:
    2 out of 2 hunks FAILED -- saving rejects to file lib/Zend/XmlRpc/Response.php.rej

  • sonassi

    Sounds like you used the wrong patch file then, or you have modified those files and it's having trouble matching lines to make the amendments.

  • http://twitter.com/sagerock Sage Lewis

    This is really great. Thank you!

  • http://www.facebook.com/ollygoldstein Olly Goldstein

    Thanks for patched files – so helpful for those without shell access

  • sonassi

    Read the instructions in the post.

  • Pingback: Wichtiges Sicherheitsupdate der Zend Plattform | Mag-tutorials.de

  • James Oliver

    Where are these files located on my server? ./lib/Zend/XmlRpc/Request.php
    ./lib/Zend/XmlRpc/Response.php

  • Icky_Thump

    FINALLY! Thank you all so much. For those of us who are SSH-less or SSH ignorant/intimidated, I'm glad to finally find someone providing a different means to achieve this. I hope my adventure into Magento-land is not SSH centric!

  • Matt

    I get the following response when I attempt to apply the patch via SSH. Any suggestions?

    Attempting to create directory /home/verypa5/perl5
    -bash-3.2$ cd /home/mystore/public_html
    -bash: cd: /home/mystore/public_html: No such file or directory
    -bash-3.2$ wget -qO - http://www.magentocommerce.com/downloads/assets/1.7.0.2/CE_1.4.0.0-1.4.1.1.patch | patch -p0
    can't find file to patch at input line 5
    Perhaps you used the wrong -p or --strip option?
    The text leading up to this was:
    --------------------------
    |Index: lib/Zend/XmlRpc/Response.php
    |===================================================================
    |--- lib/Zend/XmlRpc/Response.php (revision 157103)
    |+++ lib/Zend/XmlRpc/Response.php (working copy)
    --------------------------
    File to patch:

  • Pingback: VIGTIGT! Magento Sikkerheds brist!