At recent days, we have gather knowledge regarding a serious vulnerability in the Zend Framework on which professionals are creating Magento. With this note, one can get information on how one can easily install and access a patch that addresses this matter.
What the issue is all about?
With vulnerability potentially, an attacker can easily read any file on the web server, where the Zend XMLRPC functionality is facilitated. Some of the important files such as configuration files, password files, and possibly even databases might be included in this, if webmaster are stored on same machine as the Magento web server.
What is the Solution?
According to us, it is best if all Magento implementations are installing the latest patch, which is appropriate for your platform
Magento Enterprise Edition and Professional Edition merchants:
To access, it is advisable to access the Zend Security Upgrade patch from Patches & Support for your product, which is available in Downloads section of your Magento account. It is compulsory to make log-in in your account.
Magento Community Edition merchants:
Community Edition 220.127.116.11
Community Edition 18.104.22.168 through 22.214.171.124
Community Edition 126.96.36.199 through 188.8.131.52
If you are Magento Go customers, you don’t require creating any updates. On the backend, all fixes will be applied mechanically.
Some Instructions regarding Applying the Patch
First of all, you have to go to the root of your Magento root directory: cd /home/mystore/public_html
wget –O patch_name.patch
Now, download the patch from the given link, which is best for your version. You can do this from the Unix command prompt
Apply the patch: patch -p0 < patch_name.patch
One can have to applied patch to all the servers, if you are running more than one web server.
In case, if you are unable to applied patch, then following instructions are helpful for you for temporarily disable the RPC functionality that contains the vulnerability. If you are implementing this workaround, after that, any integration that relies on the XMLRPC API functionality will no longer supported.
Firstly, you have to navigate to the www-root where Magento app files are stored.
After that, navigate to /app/code/core/Mage/Api/controllers in the wwwroot
Now, for editing, open XmlrpcController.php
Then, comment out or delete the body of the method: public indexAction()
Lastly, save all changes
The RPC interface may be monitored by the Users with existing IDS capability for watching the attacks. One of the best ways to secure Magento platform is to maintain an up-to-date installation of the Magento platform.
The suitable patches are incorporate by the latest releases of Magento (Community Edition 184.108.40.206 and Enterprise Edition 220.127.116.11). It is must to use correct versions of releases 18.104.22.168 and 22.214.171.124. In latest releases, you doesn’t get modified Zend library directly in place of that, you will get vulnerable methods within Magento Code by adding two new classes:
They are doing that with an intention of the underlying Zend Framework version 1.11.1 for Magento 1.X. Now, they are planning to upgrade the Zend Framework in Magento in their future releases!!