
Security Update of Zend Platform Vulnerability

In recent days, we have gathered information about a serious vulnerability in the Zend Framework, on which Magento is built. This note explains how to obtain and install a patch that addresses the issue.

What is the issue about?

Through this vulnerability, an attacker can read any file on the web server where the Zend XMLRPC functionality is enabled. This may include sensitive files such as configuration files, password files, and possibly even databases, if they are stored on the same machine as the Magento web server.

What is the Solution?

We recommend that all Magento installations apply the latest patch appropriate for their platform.

Magento Enterprise Edition and Professional Edition merchants:

Download the Zend Security Upgrade patch from Patches & Support for your product, available in the Downloads section of your Magento account. You must be logged in to your account.

Download

Magento Community Edition merchants:

  • Community Edition 1.4.2.0

  • Community Edition 1.4.0.0 through 1.4.1.1

  • Community Edition 1.5.0.0 through 1.7.0.1

Magento Go

If you are a Magento Go customer, you do not need to apply any update; all fixes are applied automatically on the backend.

Instructions for Applying the Patch

  1. Change to the root of your Magento installation: cd /home/mystore/public_html

  2. Download the patch that matches your version from the link above. You can do this from the Unix command prompt with wget:

  3. wget -O patch_name.patch <patch URL for your version>

  4. Apply the patch: patch -p0 < patch_name.patch

Important note:

If you run more than one web server, the patch must be applied to all of them.

Workaround

If you are unable to apply the patch, the following instructions temporarily disable the RPC functionality that contains the vulnerability. Note that once this workaround is in place, any integration that relies on the XMLRPC API will no longer work.

  • Navigate to the web root where the Magento application files are stored.

  • From the web root, navigate to app/code/core/Mage/Api/controllers

  • Open XmlrpcController.php for editing

  • Comment out or delete the body of the method public function indexAction()

  • Save the changes

Additional Notes

Users with existing IDS capability can monitor the RPC interface for attacks. One of the best ways to secure a Magento platform is to keep the Magento installation up to date.
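An added example (not from this post, and not Magento's or Zend's code) of the monitoring the note above refers to: a shell function that counts requests against the XML-RPC API endpoint per client IP, so a spike against it can be spotted while the patch or the workaround is rolled out. It assumes Magento 1.x serves the XmlrpcController at /api/xmlrpc and that the web server writes a combined-format access log; the log lines below are constructed, not real traffic.

```shell
#!/bin/sh
# Count XML-RPC API requests per client from an access log in the common
# "combined" format: client IP is field 1 and the request line is quoted as
# "METHOD /path HTTP/1.x", so the request path is field 7.

# xmlrpc_hits LOGFILE  -> prints "<count> <client-ip>" lines, busiest first
xmlrpc_hits() {
    awk '
        # match the API controller path, with or without a trailing slash
        # or query string, and count the requests per client IP
        $7 ~ /\/api\/xmlrpc(\/|\?|$)/ { hits[$1]++ }
        END { for (ip in hits) print hits[ip], ip }
    ' "$1" | sort -rn
}

# xmlrpc_top_client LOGFILE -> "<count> <client-ip>" for the busiest client
xmlrpc_top_client() {
    xmlrpc_hits "$1" | head -n 1
}

# Constructed sample log (not real traffic) to exercise the functions.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [10/Jul/2012:10:01:02 +0000] "POST /api/xmlrpc HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Jul/2012:10:01:05 +0000] "GET /index.php/catalog/product/view/id/12 HTTP/1.1" 200 8452 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2012:10:01:06 +0000] "POST /api/xmlrpc/ HTTP/1.1" 200 640 "-" "python-xmlrpc"
192.0.2.9 - - [10/Jul/2012:10:02:00 +0000] "POST /api/xmlrpc HTTP/1.1" 200 512 "-" "custom-integration"
203.0.113.7 - - [10/Jul/2012:10:02:07 +0000] "POST /api/xmlrpc?x=1 HTTP/1.1" 200 601 "-" "python-xmlrpc"
EOF

xmlrpc_hits "$SAMPLE_LOG"   # prints "3 203.0.113.7" then "1 192.0.2.9"
```

Point xmlrpc_hits at the live access log to see which clients are calling the endpoint; after the workaround is applied, any remaining traffic to it is a client that still needs attention.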

The appropriate patches are included in the latest Magento releases (Community Edition 1.7.0.2 and Enterprise Edition 1.12.0.2), so make sure you are on the correct 1.7.0.2 or 1.12.0.2 release. In these releases the Zend library itself is not modified; instead, the vulnerable methods are overridden within Magento code by two new classes:

  • app/code/core/Zend/XmlRpc/Response.php

  • app/code/core/Zend/XmlRpc/Request.php

This was done in order to keep the underlying Zend Framework at version 1.11.1 for Magento 1.x. Magento plans to upgrade the Zend Framework in a future release.


Author: Harshal Shah

Harshal Shah is CEO & Founder of Xhtmljunkies, located in Gujarat, India. XHTML Junkies is one of the best companies offering unique eCommerce solutions by virtue of its dedicated professionals, who are extremely proficient in eCommerce development services. You can find Harshal on and Twitter.
