Magento Blog


Update: Zend Framework Vulnerability Security Update

As some questions have come up, we wanted to provide some clarification to the blog post “Important Security Update – Zend Platform Vulnerability” posted on July 5, 2012.

As outlined in that post, all Magento merchants on a deployed platform are strongly recommended to protect themselves from the Zend Framework vulnerability.

We have added further instructions on how to protect your business. Please apply the solution below that corresponds to your version of Magento.


Magento Enterprise Edition


  • As a best practice, we recommend that all Enterprise Edition merchants upgrade if possible to the latest release (v1.12.0.2) to take advantage of the latest fixes and features.
  • Depending on your platform version, please find the appropriate solution for you:

  YOUR CURRENT VERSION          RECOMMENDED SOLUTION
  EE 1.12.0.0+                  Upgrade to the latest release (Navigate to Downloads > Magento Enterprise Edition > Release; account log-in is required)
  EE 1.8.0.0 – 1.11.X.X         Apply the Zend Security Upgrades patch (Navigate to Downloads > Magento Enterprise Edition > Patches & Support; account log-in is required)
  Versions prior to EE 1.8.0.0  Implement the workaround (instructions below)

Magento Professional Edition


  • All versions of Professional Edition, please apply the Zend Security Upgrades patch (Navigate to Downloads > Magento Professional Edition > Patches & Support - account log-in is required)

Magento Community Edition


  • As a best practice, we recommend that all Community Edition merchants upgrade if possible to the latest release (v1.7.0.2) to take advantage of the latest fixes and features.
  • Depending on your platform version, please find the appropriate solution:

  YOUR CURRENT VERSION          RECOMMENDED SOLUTION
  CE 1.7.0.0+                   Upgrade to the latest release
  CE 1.5.0.0 – 1.6.X.X          Apply this patch
  CE 1.4.2.0                    Apply this patch
  CE 1.4.0.0 – 1.4.1.1          Apply this patch
  Versions prior to CE 1.4.0.0  Implement the workaround (instructions below)

Magento Go


Magento Go customers will not need to make any updates. All fixes will be applied automatically on the backend.



Instructions on Applying the Patch

  • 1. Go to the root of your Magento installation: cd /home/mystore/public_html
  • 2. wget -O patch_name.patch <patch URL>
  • 3. Download the patch from the link provided for your version (the command above lets you do it from the Unix command prompt)
  • 4. Apply the patch: patch -p0 < patch_name.patch

*Note: if you are running more than one web server, the patch needs to be applied on every server.
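Because the same patch has to be applied on every web server, it pays to let a failed dry run abort the step rather than leave a half-patched tree. The script below is an added example, not code from the Magento post: it wraps step 4 in a `patch --dry-run` check; the sample store tree and the sample patch it creates are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the Magento post): apply a Magento patch from the
# store root only after a dry run proves it fits, so a patch for the wrong
# version, or one already applied, is refused and the tree is left untouched.
# The sample tree and patch below are constructed for the demo.

# apply_magento_patch MAGENTO_ROOT PATCHFILE
# Returns 0 when the patch was applied, 1 when the dry run rejected it.
apply_magento_patch() {
    root=$1
    patchfile=$2
    # -p0: paths inside Magento patches are relative to the store root.
    # -N: treat an already-applied patch as a failure instead of prompting.
    if ! ( cd "$root" && patch -p0 -N --dry-run -s -i "$patchfile" ) >/dev/null 2>&1; then
        echo "patch does not apply cleanly to $root; nothing changed" >&2
        return 1
    fi
    ( cd "$root" && patch -p0 -N -s -i "$patchfile" )
}

# Constructed sample: one PHP file under a throwaway store root plus a patch
# that flips a flag in it. Prints the root directory.
make_sample_store() {
    root=$(mktemp -d)
    mkdir -p "$root/app/code/core/Mage/Api/controllers"
    printf '<?php\n$rpcEnabled = true;\n' > "$root/app/code/core/Mage/Api/controllers/Sample.php"
    cat > "$root/sample.patch" <<'EOF'
--- app/code/core/Mage/Api/controllers/Sample.php
+++ app/code/core/Mage/Api/controllers/Sample.php
@@ -1,2 +1,2 @@
 <?php
-$rpcEnabled = true;
+$rpcEnabled = false;
EOF
    echo "$root"
}

# Demo: the first run applies the patch, the second is refused as already applied.
store=$(make_sample_store)
apply_magento_patch "$store" "$store/sample.patch" && echo "applied to $store"
apply_magento_patch "$store" "$store/sample.patch" || echo "second run refused"
```

Run it once per web server with the real store root and patch file in place of the sample; a non-zero exit means that server still needs attention.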

Workaround

If an upgrade cannot be performed or the patch cannot be applied immediately, the following instructions can be followed to temporarily disable the RPC functionality that contains the vulnerability.

Please note that this workaround can only be applied to versions of CE 1.4 and below and EE 1.8 and below.

Also, please be advised that any integrations that rely on the XMLRPC API functionality will no longer work after this workaround is implemented.

  • 1. On the Magento web server, navigate to the web root where the Magento app files are stored.
  • 2. In the web root, navigate to /app/code/core/Mage/Api/controllers.
  • 3. Open XmlrpcController.php for editing.
  • 4. Comment out or delete the body of the method public function indexAction().
  • 5. Save the changes.

Technical Clarification

As some of our experienced community members have discovered, the fix shipped in CE 1.7.0.2 and EE 1.12.0.2 differs from the fix provided in the patches. In the latest releases, we decided not to modify the Zend library directly, but to override the vulnerable methods within Magento code by adding two new classes:

  • app/code/core/Zend/XmlRpc/Response.php
  • app/code/core/Zend/XmlRpc/Request.php

We did this in order to keep the underlying Zend Framework version 1.11.1 for Magento 1.X intact. We are planning to upgrade the Zend Framework in Magento in upcoming releases.

Important Security Update – Zend Platform Vulnerability

We have recently learned of a serious vulnerability in the Zend Framework on which Magento is built. This note provides information on how customers can access and install a patch that addresses this issue.

The Issue

The vulnerability potentially allows an attacker to read any file on the web server where the Zend XMLRPC functionality is enabled. This might include password files, configuration files, and possibly even databases if they are stored on the same machine as the Magento web server.

Solution

We recommend that all Magento implementations install the latest patch appropriate for their platform:

  • Magento Enterprise Edition and Professional Edition merchants: you may access the Zend Security Upgrade patch from Patches & Support for your product in the Downloads section of your Magento account. Account log-in is required.
  • Download

Workaround

If the patch cannot be applied immediately, the following instructions can be followed to temporarily disable the RPC functionality that contains the vulnerability. Please be advised that any integrations that rely on the XMLRPC API functionality will no longer work after this workaround is implemented.

  • 1. On the Magento web server, navigate to the web root where the Magento app files are stored.
  • 2. In the web root, navigate to /app/code/core/Mage/Api/controllers.
  • 3. Open XmlrpcController.php for editing.
  • 4. Comment out or delete the body of the method public function indexAction().
  • 5. Save the changes.

Additional Notes

Users with existing IDS capability may monitor the RPC interface to watch for attacks. As always, we recommend maintaining an up-to-date installation of the Magento platform as the best way to stay secure.

The latest releases of Magento (Community Edition 1.7.0.2 and Enterprise Edition 1.12.0.2) incorporate the appropriate patches. Please make sure you are using the correct releases, 1.7.0.2 and 1.12.0.2.

Magento Version 1.3.2.4 Security Update

Magento Version 1.3.2.4 is now available. This version includes a security update for Magento 1.3.x that fixes a possible XSS vulnerability on the customer registration page, and is available through SVN, the Download Page and the Magento Connect Manager.

If you are using Magento Version 1.3.x we highly recommend upgrading as soon as possible to Magento 1.3.2.4. If you are using the Magento Connect Manager to upgrade, you should only upgrade the Mage_All_Latest package. This package will upgrade all the needed packages.

Note: We do NOT recommend upgrading Magento directly on a production environment.

Magento Version 1.1.4 Security Update

Magento Version 1.1.4 is now available. This version includes two security updates for Magento 1.1.x and is available through SVN, the Download Page and the Magento Connect Manager.

If you are using Magento Version 1.1.x we highly recommend upgrading as soon as possible to Magento 1.1.4. If you are using the Magento Connect Manager to upgrade, you should only upgrade the Mage_All_Latest package. This package will upgrade all the needed packages.

Note: We do not recommend upgrading Magento directly on a production environment.

The Magento version 1.1.5 release is scheduled for later this month. Version 1.1.5 will include many bug fixes for Magento 1.1.x. We will announce the final release date once it is confirmed.

Security Update for Magento Base URL Configuration Value

It has come to our attention that under very specific conditions there is a security issue in Magento 1.0 through 1.0.19870 that may cause invalid links to be entered into your block cache.

Installations with correct SSL configuration are NOT affected.

To prevent any possibility of this problem affecting your installation, or to make sure your copy is not affected, please follow these instructions:

- Log in to your Magento admin.

- Navigate to System > Configuration and select the ‘Web’ tab.

- For every Website and Store view in the ‘Current Configuration Scope’ drop-down (assuming you do not have them set to ‘use default’ or ‘use website’), open both the Unsecure and Secure sections.

Look for the value of ‘Base URL’. If this field does not contain {{base_url}}, you are not affected and there is no need to do anything else. If you see {{base_url}}, replace it with the full base URL of your store (e.g. http://www.somedomain.com), including the full domain you wish to use with Magento.

You DO NOT need to change any other configuration values that contain {{unsecure_base_url}} or {{secure_base_url}}, such as Base Link URL, Base Skin URL, Base Media URL and Base JavaScript URL.

Vulnerable configuration: (screenshot not included)

Correct configuration: (screenshot not included)

If you had to update your configuration as described above, please go to System > Cache management and refresh all caches.

We are currently working on a patch that will validate that {{base_url}} is not used and will warn the admin user if it still exists. We are also updating the install process of Magento to solve this issue for new installations.
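For stores with many websites and store views, clicking through every scope is error-prone, and a naive search for `base_url}}` would also flag the harmless {{unsecure_base_url}} and {{secure_base_url}} values. The script below is an added example, not code from the Magento post or the announced validation patch: it checks rows exported from the Magento 1 core_config_data table (table, column and path names as used by Magento 1; the sample rows are constructed) and reports only Base URL fields that still hold the literal {{base_url}} placeholder.

```shell
#!/bin/sh
# Added example, not part of the Magento post: flag configuration rows whose
# Base URL field still holds the literal {{base_url}} placeholder. Input is
# tab-separated "scope  scope_id  path  value" lines, the shape produced by
#   mysql -N -e "SELECT scope, scope_id, path, value FROM core_config_data"
# (Magento 1 table and column names; the sample rows below are constructed).

# find_unresolved_base_urls < rows
# Prints "scope:scope_id path" for each affected row; exit 1 if any were found.
# Only the two Base URL paths count: other fields legitimately contain
# {{unsecure_base_url}} or {{secure_base_url}} and must not be reported.
find_unresolved_base_urls() {
    awk -F '\t' '
        ($3 == "web/unsecure/base_url" || $3 == "web/secure/base_url") &&
        index($4, "{{base_url}}") > 0 {
            print $1 ":" $2 " " $3
            hits++
        }
        END { exit (hits > 0) }
    '
}

# Constructed sample rows: default scope, one website and one store view.
sample_rows() {
    printf 'default\t0\tweb/unsecure/base_url\t{{base_url}}\n'
    printf 'default\t0\tweb/secure/base_url\thttps://www.example.com/\n'
    printf 'default\t0\tweb/unsecure/base_link_url\t{{unsecure_base_url}}\n'
    printf 'websites\t1\tweb/unsecure/base_skin_url\t{{unsecure_base_url}}skin/\n'
    printf 'stores\t2\tweb/secure/base_url\t{{base_url}}\n'
}

# count_unresolved_base_urls: number of affected rows in the sample data.
count_unresolved_base_urls() {
    sample_rows | find_unresolved_base_urls | wc -l | tr -d ' '
}

# Demo: report affected rows and remind the admin of the follow-up steps.
if ! sample_rows | find_unresolved_base_urls; then
    echo "Replace {{base_url}} with the store's full URL, then refresh all caches" >&2
fi
```

Against a live store, pipe the output of the mysql query shown in the header comment into find_unresolved_base_urls; each reported scope still needs its Base URL set to the full store URL and the caches refreshed afterwards.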
