Magento Blog

Important Security Update – Zend Platform Vulnerability

We have recently learned of a serious vulnerability in the Zend Framework on which Magento is built. This note provides information on how customers can access and install a patch that addresses this issue.

The Issue

The vulnerability potentially allows an attacker to read any file on the web server where the Zend XMLRPC functionality is enabled. This might include password files, configuration files, and possibly even databases if they are stored on the same machine as the Magento web server.


We recommend that all Magento implementations install the latest patch appropriate for your platform:

  • Magento Enterprise Edition and Professional Edition merchants: you may access the Zend Security Upgrade patch from Patches & Support for your product in the Downloads section of your Magento account. Account log-in is required.
  • Download


If the patch cannot be applied immediately, the following instructions can be followed to temporarily disable the RPC functionality that contains the vulnerability. Please be advised that any integrations which rely on the XML-RPC API functionality will no longer work after this workaround is implemented.

  1. On the Magento web server, navigate to the www-root where the Magento app files are stored.
  2. In the www-root, navigate to /app/code/core/Mage/Api/controllers.
  3. Open XmlrpcController.php for editing.
  4. Comment out or delete the body of the public method indexAction().
  5. Save the changes.

Additional Notes

Users with existing IDS capability may monitor the RPC interface to watch for attacks. As always, we recommend maintaining an up-to-date installation of the Magento platform as the best way stay secure.
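Both the workaround above (which breaks every integration that still talks XML-RPC) and the monitoring advice here start from the same question: who is actually calling the RPC interface? The following is an added example, not Magento's own code, that answers it from ordinary web-server access logs. It assumes the default route served by XmlrpcController (/api/xmlrpc, or /index.php/api/xmlrpc when URL rewrites are off) and the Apache/nginx "combined" log format; the log lines, IP addresses and the allowlist of known integration hosts are constructed sample data.

```python
"""Inventory and watch XML-RPC API clients from web-server access logs.

Added example; not Magento's own code. Assumes the default Magento XML-RPC
route (/api/xmlrpc or /index.php/api/xmlrpc) and "combined" log format.
All log lines below are constructed sample data, not a real capture.
"""
import re
from collections import defaultdict

# Constructed sample access-log lines (combined format).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jul/2012:10:15:32 +0000] "POST /api/xmlrpc HTTP/1.1" 200 512 "-" "PHP SOAP Client"
198.51.100.7 - - [12/Jul/2012:10:16:01 +0000] "POST /api/xmlrpc/ HTTP/1.1" 200 2048 "-" "python-xmlrpc/2.7"
203.0.113.10 - - [12/Jul/2012:10:16:05 +0000] "GET /index.php/catalog/product/view/id/12 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Jul/2012:10:17:48 +0000] "POST /index.php/api/xmlrpc HTTP/1.1" 200 4096 "-" "curl/7.21.0"
192.0.2.44 - - [12/Jul/2012:10:17:49 +0000] "POST /index.php/api/xmlrpc HTTP/1.1" 200 4096 "-" "curl/7.21.0"
"""

# Apache/nginx "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"]) if rec["size"].isdigit() else 0  # "-" means no body
    return rec


def is_xmlrpc_request(path):
    """True when the request targets the XML-RPC controller, with or without URL rewrites."""
    path = path.split("?", 1)[0].rstrip("/")
    return path.endswith("/api/xmlrpc")


def summarize_xmlrpc_clients(log_text):
    """Group XML-RPC requests by (source IP, User-Agent): request count and bytes sent."""
    summary = defaultdict(lambda: {"requests": 0, "bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_xmlrpc_request(rec["path"]):
            continue
        entry = summary[(rec["ip"], rec["ua"])]
        entry["requests"] += 1
        entry["bytes"] += rec["size"]   # unusually large responses deserve a closer look
    return dict(summary)


def unknown_clients(summary, known_ips):
    """Source IPs talking to XML-RPC that are not a known integration host."""
    return {ip for (ip, _ua) in summary if ip not in known_ips}


if __name__ == "__main__":
    KNOWN_INTEGRATION_IPS = {"203.0.113.10"}   # constructed allowlist of integration hosts
    summary = summarize_xmlrpc_clients(SAMPLE_LOG)
    for (ip, ua), stats in sorted(summary.items()):
        print(f"{ip:15} {stats['requests']:4d} req {stats['bytes']:8d} B  {ua}")
    print("unexpected XML-RPC sources:", sorted(unknown_clients(summary, KNOWN_INTEGRATION_IPS)))
```

Run it against a day or two of real logs before applying the workaround: the per-client table tells you which integrations will break, and anything not on the allowlist is what an IDS rule on the RPC path should be alerting on in the meantime.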

The latest releases of Magento (Community Edition and Enterprise Edition) incorporate the appropriate patches. Please make sure you are running the correct release versions.

Magento Community Edition Released!

We have just released an updated version of Magento Community Edition. This update delivers new, minor functionality and fixes for some potential security vulnerabilities.

Major highlights and improvements include:

  • Improved backend configuration UI for PayPal payment solutions
  • Added functionality for creating nested field sets in the System configuration
  • Implemented support for the extended and shared configuration fields
  • Added the ability to define dependencies between fields from different field sets
  • Fixed some potential security vulnerabilities

Check out our full list of features and fixed issues on our release notes page. Or take the software for a test drive and see how it works first hand. Diff files are available here. If you find any issues, be sure to report them in the bugtracker.


The Magento REST API: A Better Way to Integrate Business Applications


Merchants have been asking for a fast and secure way to integrate more business applications within Magento. We’ve met this request by introducing the Magento REST API as part of the Magento Enterprise 1.12 and Community 1.7 releases.

Noteworthy benefits of the REST API include simplicity, ease of testing and troubleshooting, and better performance. It allows you to manage customers, customer addresses, sales orders, inventories and products using HTTP verbs such as GET, POST, PUT and DELETE. Data requests and responses can be in XML or JSON format.

REST Resources

REST resources are simply the entities or identities that are exposed to the developer. REST defines the identity of the resource via the URI (uniform resource identifier). Each resource has a unique URL address and any interaction with a resource takes place at its URI. The following resources are supported in CE:

  • Products: Allows you to retrieve the list of products, create a simple product, and update or delete a product.
  • Product Categories: Allows you to retrieve the list of categories assigned to a product and assign or unassign a category to a product.
  • Product Websites: Allows you to retrieve the list of websites assigned to a product and assign or unassign a website to a product.
  • Customers: Allows you to retrieve the list of customers and create, update, or delete a customer.
  • Customer Addresses: Allows you to retrieve the list of customer addresses, and create, update, or delete an address.
  • Inventory: Allows you to retrieve the list of stock items and update a stock item.
  • Sales Orders: Allows you to retrieve the list of sales orders and specific order information.
  • Sales Order Items: Allows you to retrieve the items for a specific order.
  • Sales Order Addresses: Allows you to retrieve billing and shipping addresses for an order.
  • Sales Order Comments: Allows you to retrieve comments for a specific order.

Preparing to Use REST API with Magento

From the Magento store admin panel:

  • Set up permissions to operate with resources for the three different user types: admin, customer, and guest. The admin is the backend logged-in user, the customer is the frontend logged-in user, and the guest is a non-logged-in frontend user.
  • Configure which attributes each user type is allowed to retrieve or update.
  • Register the third-party application (setting up consumer) and provide the information to the third-party application.

For a more detailed explanation with sample data, check out our wiki page. As always, we welcome your feedback and are eager to help with any issues you may encounter. Please use our bug tracker and choose the Webservices API from the Category selection.

Magento Enterprise 1.12 and Community 1.7 Now Available!


We’re pleased to announce the latest Magento releases: Magento Enterprise 1.12 and Community 1.7. The recent enhancements to our powerful eCommerce offerings help merchants provide a more personalized shopping experience for their customers.

Benefits include easier order placement, mobile optimization and multiple wish lists. These enhancements give merchants greater potential to boost consumer engagement, increase conversions and transaction size, and foster brand loyalty.

All merchants, including those running B2B businesses, can take advantage of improved customer segmentation and ordering capabilities, while those operating in Europe can use our new features to stay compliant with EU regulations.

Of course, our latest releases have lots in store for developers too, including a new API, and backup and rollback systems.

Read on to learn about the key features in our new releases and how they can benefit you.


Mobile HTML5

Quickly and easily create a storefront optimized for mobile devices so customers can shop even when they’re on the go. This mobile interface uses HTML5 technology and supports iPhone, Android and Mobile Opera browsers. It includes out-of-the-box features such as:

  • Device-specific media capabilities for audio and video
  • User-friendly search and results display
  • Clean display of product detail pages
  • Pinch, multi-touch and scaling images
  • Easy swipe between product images
  • Zoom capabilities
  • Cross-sell and up-sell capabilities
  • Drag-and-drop of products to the shopping cart

Visitor Segmentation

Tap into a whole new customer segment – unknown site visitors. Whether they’re new visitors or returning customers who have not logged in, you’ll now be able to identify and target them with special promotions to convert browsers into buyers.

Expanded Rule-based Product Relations

Our rule-based product-relations functionality allows merchants to target specific customer segments with product recommendations. Pinpoint specific customers with up-sells, cross-sells and related products to create a more relevant shopping experience.

Auto-generation of Coupon Codes

Generate a set of unique coupon codes for each promotion you run and export the list of codes for offline distribution, email, newsletters and more. Easily manage and monitor coupon usage and generate detailed reports.

Multiple Wish Lists

Customers can save products to multiple wish lists and copy or move items from list to list. They can make their wish lists public so they’re searchable by anyone. And merchants can review them to learn about their customers’ wants and needs.

Layered Navigation Pricing Enhancement

We’ve introduced a new set of algorithms for price-layered navigation that provides much greater flexibility. Now you can display a range of prices that is based on having a similar number of products within each range, giving you better control of your customers’ search results, and helping your customers find what they’re looking for faster.

Customer Group Pricing

One price doesn’t always fit all. This tool allows you to create different price points for different customer groups, such as wholesalers and retailers. You can determine both base price and tiered price levels.

Add to Cart by SKU

Streamline the ordering process, especially for B2B customers, by enabling them to enter a list of SKUs without having to go into product pages. This simplifies large orders, recurring orders and ordering based on offline catalogs.

REST APIs Support

The new Magento REST API uses the three-legged OAuth 1.0a protocol to allow applications to safely access Magento services. What this means for you: you can manage customers, customer addresses, sales orders, inventories and products using HTTP verbs (GET, POST, PUT, DELETE). Data requests and responses can be in XML or JSON format.

This initial version of the REST API supports the following functions:

  • Create/Retrieve/Update/Delete a simple product
  • Retrieve a list of orders and specific order information
  • Update/Retrieve catalog inventory
  • Create/Retrieve/Update/Delete complete customer information
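The REST API post earlier on this page and the paragraph above both say the API is protected by three-legged OAuth 1.0a without showing what that protection looks like on the wire. The following is an added example, not Magento's own code, covering the final leg only: signing a GET against a product resource with an already-obtained access token, and the checks a server must make before trusting such a request (recompute the signature from the method, URL and parameters, compare in constant time, reject stale timestamps and reused nonces). The base string and HMAC-SHA1 signature follow RFC 5849, which is what OAuth 1.0a specifies; the host name, keys, secrets, token, nonce and timestamp are constructed sample values and the /api/rest/products path is assumed from the resources listed above.

```python
"""OAuth 1.0a (HMAC-SHA1) signing and verification for a Magento REST call.

Added example, not Magento's own code. Shows the last leg of three-legged
OAuth 1.0a per RFC 5849: the client signs with an access token already in
hand, and the server recomputes and checks the signature plus freshness and
replay. Credentials, host, nonce and timestamp are constructed values.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Constructed sample credentials and request (assumptions, not real values).
STORE_URL = "https://store.example.com/api/rest/products?limit=2"
CONSUMER_KEY, CONSUMER_SECRET = "ck_constructed", "cs_constructed_secret"
ACCESS_TOKEN, TOKEN_SECRET = "at_constructed", "ts_constructed_secret"
NONCE, TIMESTAMP = "n0nce123", 1330000000


def _pct(s):
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters stay bare."""
    return quote(str(s), safe="")


def signature_base_string(method, url, params):
    """RFC 5849 section 3.4.1: METHOD & encoded base URL & encoded sorted parameters."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    # Query-string parameters and oauth_* parameters are normalized together.
    pairs = list(parse_qsl(parts.query, keep_blank_values=True)) + list(params.items())
    normalized = "&".join(f"{k}={v}" for k, v in sorted((_pct(k), _pct(v)) for k, v in pairs))
    return "&".join([method.upper(), _pct(base_url), _pct(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret):
    """Key is consumer secret & token secret (each encoded); output is base64."""
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, consumer_key, consumer_secret, token, token_secret,
                 nonce, timestamp, body_params=None):
    """Client side: return (signature base string, Authorization header value)."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    params = dict(oauth, **(body_params or {}))   # form-encoded body params are signed too
    base = signature_base_string(method, url, params)
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    header = "OAuth " + ", ".join(f'{_pct(k)}="{_pct(v)}"' for k, v in sorted(oauth.items()))
    return base, header


def verify_request(method, url, header, consumer_secret, token_secret, seen_nonces,
                   now, body_params=None, max_skew=300):
    """Server side: True only for a fresh, unreplayed request whose signature matches."""
    if not header.startswith("OAuth "):
        return False
    fields = {}
    for item in header[len("OAuth "):].split(", "):
        k, v = item.split("=", 1)
        fields[unquote(k)] = unquote(v.strip('"'))
    provided = fields.pop("oauth_signature", "")
    try:
        ts = int(fields.get("oauth_timestamp", ""))
    except ValueError:
        return False
    if abs(now - ts) > max_skew:            # stale: outside the accepted clock skew
        return False
    replay_key = (fields.get("oauth_consumer_key"), fields.get("oauth_nonce"), ts)
    if replay_key in seen_nonces:           # same consumer + nonce + timestamp seen before
        return False
    params = dict(fields, **(body_params or {}))
    expected = hmac_sha1_signature(signature_base_string(method, url, params),
                                   consumer_secret, token_secret)
    if not hmac.compare_digest(expected.encode(), provided.encode()):
        return False
    seen_nonces.add(replay_key)             # record the nonce only after a successful check
    return True


if __name__ == "__main__":
    base, auth = sign_request("GET", STORE_URL, CONSUMER_KEY, CONSUMER_SECRET,
                              ACCESS_TOKEN, TOKEN_SECRET, NONCE, TIMESTAMP)
    print("base string:", base)
    print("Authorization:", auth)
    print("verifies:", verify_request("GET", STORE_URL, auth, CONSUMER_SECRET,
                                      TOKEN_SECRET, set(), now=TIMESTAMP))
```

Because the method, base URL and every query or form parameter are bound into the signature, changing the verb (GET to DELETE), the resource or the `limit` value invalidates the header; the nonce store and timestamp window are what stop a captured header from being replayed within its validity period.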

European Union VAT-ID Validation

This feature facilitates the tax collection process for online businesses in the EU and greatly simplifies international B2B transactions by automatically applying the correct tax rules. Taxes can be calculated and charged according to VAT customer groups, based on customer shipping or billing addresses and VAT IDs.

EU Cookie Restriction

Our response to the recent EU Privacy and Electronic Communications Directive? A new cookie notification feature that simplifies the compliance process. Once enabled, a message at the top of the storefront informs site visitors about the cookie policy and prompts them to accept or decline.

CMS Page Hierarchy Enhancements

Managing your CMS hierarchy tree just got easier. Now you can add CMS pages to the navigation menu without custom development. You can also create, copy or delete different CMS hierarchy trees for each website and store view individually or en masse.

Backup and Rollback

Manage and schedule a variety of backup operations with the option to rollback the changes to reverse any modifications. This feature is particularly useful when testing new modules or customizations, or when upgrading to a new version of Magento. You can review specific customizations and their impact on the new code. (We do not recommend using this feature in your production environment.)

Three types of backup are supported:

  • System Backup
  • Database Backup
  • Database and Media Backup

Payment Bridge 1.1 Updates

Magento Secure Payment Bridge, our PA-DSS certified payment application, adds multiple new payment methods. In addition to our existing supported gateways – PayPal, and Payflow Pro – we are introducing support for the following new gateways:

  • Psi Gate
  • RBS Worldpay
  • Braintree
  • First Data
  • Card Gate Plus
  • DIBS
  • eWay Direct
  • Ogone Directlink
  • Paybox
  • Payone
  • Sage Pay
  • CCAvenue

Supported by services provided by Braintree or, customers can also securely save their credit card information for future transactions in a “My Credit Cards” section in “My Account.” And with support from Kount, you can integrate fraud-screening services with your payment methods (requires separate agreement with Kount).


CAPTCHA

Now you can enable CAPTCHA functionality on your site to help prevent automated software from attempting fake logins. This auto-generated test ensures that the login is being attempted by a person and can be enabled in both the admin and customer login areas.


Ready to take your business to the next level? Contact us and we’ll help you get started.

If you’re already a Magento Enterprise customer, you can immediately access the new 1.12 release in the My Account section. And developers can access the new Community edition by clicking here.

We hope you enjoy these new features and look forward to helping you achieve greater eCommerce success.

Magento Preview Version CE - Now Available!

We are excited to announce the release of Magento Community Preview Version CE

Before you begin downloading this preview version of our latest Community software from our download page or via SVN, we need to stress that it’s likely unstable and that we DON’T recommend that you use it in any production environment just yet. (For more info about preview releases and the Community edition release process click here.)

Highlights of improvements and new features include:

  • Different base prices for customer groups
  • Automatic generation of multiple coupon codes for a single promotion
  • Backup and Rollback functionality
  • CAPTCHA functionality to reduce spam registrations
  • First version of REST APIs with support for:

    • Creation, retrieval, update and deletion operations for simple products
    • Retrieval of a list of orders as well as specific order information
    • Update and retrieval operations for catalog inventory
    • Creation, retrieval, update and deletion operations with complete customer information and customer address information
    • More information on the REST APIs will be published soon
  • Updates and enhancements to the existing SOAP and XML-RPC APIs with introduction of new API calls
  • VAT ID validation for B2B sales in Europe
  • New price range layered navigation algorithm
  • HTML5 based theme for mobile devices

And that’s just the beginning. Check out our full list of features and fixed issues on our release notes page. Or take the software for a test drive and see how it works first hand. Diff files are available here. If you find any issues, be sure to report them in the bugtracker.


Automate Your Testing with the Magento Test Automation Framework


Testing. Testing. Are you there? Good. Now that we’ve got your attention, we want to tell you about the new Magento Test Automation Framework, or TAF for short.

This software package is ideal for running repeated functional tests against a normally installed Magento application. And if you’re a developer or QA specialist, you’re in for a treat. You can quickly develop all kinds of tests for the current Magento version without having to tediously build an automation infrastructure.

Besides running repeated tests, Magento TAF can also be used to create tests and write test automation scripts. Test automation scripts created within the framework can be used for testing most Magento functionality. And we’re constantly updating the Selenium-based framework to cover even more tests and meet users’ broad needs.

In this latest release of the framework, we’ve introduced a robust set of new tests and capabilities:


1000 Functional Tests

We’ve created a comprehensive Smoke Test Suite that evaluates the full range of functionality of the Magento Community Edition. This suite covers all test cases that are run during Magento nightly builds and tested by our development team. And it’s designed specifically for developers to use and expand upon.

Error Screenshot Capture

Test failure errors happen. And when they do, Magento TAF captures and stores screenshots of any open pages in .png and HTML formats in the tmp/screenshot folder. If a JavaScript error occurs, the screenshot is captured and stored in the .png format, and markup errors are captured and stored in the HTML format. The failed test name contains the class name, test name and a timestamp, which makes it easy to retrieve the screenshot. And the full path to the screenshot is stored in a log next to the error message so it can be accessed directly.

Unlimited UI Testing

With Magento TAF, you can test as many UI areas as you’d like. This comes in especially handy when testing several store views or stores utilizing different designs. Each store – or store view – can have a unique UI map but operate with the original set of tests. This removes nesting and naming restrictions for UI map folders and allows users to organize them as they wish.

The UI areas can be defined in the local.yml file for each URL to be used by Magento TAF. Based on user-defined URLs, Magento TAF automatically detects which set of UI maps should be used and loads the relevant descriptors for the current page. With this enhancement, the tester doesn’t have to worry about switching between UI areas within the test body. Users can declare separate UI maps for non-Magento side services specific to their store and write tests in the same way they’re written for Magento services.

See the Installation Guide under “Example of config.yml File” for an example of a UI map area declaration. Please note, before your first run, search for the ‘YOUR CREDENTIALS’ string within the data folder and update that value with your account credentials.

Magento TAF’s newest features help take the task out of testing. And, even though it just came down the product pipeline, it’s already been adopted and put to good use by many developers. In fact, we have to give a virtual fist pump to Kristof Ringleff from Fooman and Nick Jones (punkstar) from Meanbee for all their contributions.

To download the Magento TAF, go to the Magento Test Automation Framework section at the bottom of this page:


If you’d like to read the complete repository, installation and configuration guidelines, check them out at:


2/1/2012: Celebrating Success and Looking Forward


2011: New Records, New Opportunities

Just a month ago, we celebrated the end of our greatest year yet, a year in which we celebrated countless milestones, highlights of which include:

  • Our first global conference, Imagine eCommerce, which sold out and earned 100% favorability ratings from attendees
  • The launch of Magento Go, our hosted solution for small and micro merchants
  • The 3 millionth download of the free, groundbreaking Magento Community software
  • The hiring of our 300th employee
  • Our acquisition by eBay, Inc. and the creation of X.commerce
  • The launch of Magento U and Magento Developer Certification
  • The introduction of Magento Enterprise v1.11, our most powerful and sophisticated offering to date
  • The growth of our Solution Partner Network to 330 partners
  • Surpassing the 5,000 extension milestone on Magento Connect
  • The launch of the New Magento Connect, including extensions for Magento Go


2012: Momentum and Acceleration

In true Magento style, we’re planning for even greater growth in 2012. And the year is already off to an incredible start:

  • This week, our 400th employee joined the organization, another remarkable milestone in Magento’s growth
  • The momentum behind Magento Enterprise continues to accelerate, as thousands more world-class merchants discover the unique benefits of our platform and ecosystem
  • Tickets and sponsorships for the 2nd Imagine conference (Las Vegas, April 23rd – 25th) are selling at a breakneck pace (in fact, we expect to be sold out very soon, well ahead of the event)
  • And we’re seeing tremendous demand for our recently-introduced Magento Enterprise Premium offering, which combines multi-year, multi-server licenses with a package of premium services to create the optimal solution for large-scale implementations


Product Line-Up: Focusing on Growth

Magento has always been focused on growth – specifically, the growth of our customers’ businesses and the growth of the ecosystem that supports their success. By focusing on what’s most important to our customers, we’ve helped transform the eCommerce landscape in just a few short years.

We are committed to continuous evaluation and innovation of our product portfolio to ensure our customers remain competitive and win in their markets. Following an extensive review of our current solutions and projected customer needs, we are making an important change: we are phasing out the Magento Professional Edition.

While Magento Professional was embraced by a significant number of merchants, we have seen much greater demand for our Enterprise and new Enterprise Premium offerings. This tells us that more of our mid-large size customers want the benefits offered by these comprehensive solutions.

Phasing out Magento Professional will allow us to focus our efforts and investments on enhancing our Magento Enterprise and Enterprise Premium solutions, as well as on our Community project and our hosted solution, Magento Go.

There will be no immediate impact to current customers on Magento Professional. We will be working with our Professional customers individually to provide various options for continuing their eCommerce success with Magento.


What’s Next?

The Magento milestones keep coming, and the next several months will be filled with exciting news and announcements from our company and our ecosystem.

Many of these announcements will be made at the Imagine Conference. But plenty of additional news will be announced both before and after Imagine. Highlights include:

  • The launch of our Magento Certified Developer online directory, the easiest way to locate the world’s most qualified Magento developers
  • New releases across our product line
  • Integrations with exciting products from the X.commerce ecosystem
  • More growth, more customer success, more partnerships

We’re looking forward to working with our customers and partners on making 2012 a truly memorable year. Our thanks to the entire Magento community for your ongoing enthusiasm and support.

Introducing Magento Enterprise Premium!


We have just launched the Magento Enterprise Premium package, the ultimate packaged solution for large-scale eCommerce implementations. This package has been tailored specifically for large-scale eCommerce implementations that need the scale, expertise and support necessary to run a high volume business.

Here are the components we are pleased to offer, as part of this new, premium solution:

  • Multiple Magento Enterprise licenses - 2 production and 1 development license
  • Platinum level SLA Magento Support with live 24x7 phone support
  • Magento Expert Consulting - architectural advisory and comprehensive code review dedicated to your business needs
  • Training course “eCommerce with Magento”

With this new package, merchants get the advantage of the best-in-class features of Magento Enterprise, such as multi-store fronts with a single admin interface, persistent shopping cart, RMA, private sales, marketing and merchandising tools and so much more, all with the added support, consulting, training and scalability to meet the needs of your eCommerce business.

We are very excited to offer this and invite you to learn more about this new, premium offering.

-The Magento team
