Magento Forum

   
Zend’s vulnerability patch
 
Chendo
Sr. Member
 
Total Posts:  109
Joined:  2011-11-01
 

Hi there.
I recently got an important message in the backend of my Magento store through which I was informed about a newly discovered vulnerability of the Zend platform.
I clicked the link and read all the information about it, but I don’t understand exactly how to apply the patch provided there.

Can someone make it a bit clearer?

 Signature 

Everything you want : tapet | tapet preturi - tapet | tapet living
Online shop specialised in tapet, fototapet, stickere and also modele tapet | tapet copii

 
 
kab8609
Guru
 
Total Posts:  708
Joined:  2009-04-07
Cleveland
 

Have you read this? http://www.magentocommerce.com/blog/comments/important-security-update-zend-platform-vulnerability/

 Signature 

Kris Brown
Magento Certified Developer

I work at Briteskies, a Magento Solutions Partner.

Magento CE Sites Built to Date for Clients: 26
Magento EE Sites Built to Date for Clients: 5
Magento Extensions Built to Date for Clients: 13

Don’t edit core code...

 
 
Chendo
Sr. Member
 
Total Posts:  109
Joined:  2011-11-01
 

Yes, but I didn’t understand it too well.
I understand ‘the solution’ being different than the “workaround”. I do understand the workaround because it’s clear, but I don’t know what’s up with that patch and what I should do with it.

 
kab8609
Guru
 
Total Posts:  708
Joined:  2009-04-07
Cleveland
 
Chendo - 05 July 2012 12:02 PM

Yes, but I didn’t understand it too well.
I understand ‘the solution’ being different than the “workaround”. I do understand the workaround because it’s clear, but I don’t know what’s up with that patch and what I should do with it.

For you, I would suggest just doing the workaround. The end result is the same thing.

1. On the Magento web server, navigate to the www-root where Magento app files are stored.
2. In the wwwroot, navigate to /app/code/core/Mage/Api/controllers.
3. Open XmlrpcController.php for editing.
4. Comment out or delete the body of the method: public indexAction()
5. Save the changes.

 
HolDenWagenHarry
Jr. Member
 
Total Posts:  16
Joined:  2009-12-22
 
kab8609 - 05 July 2012 12:06 PM

Chendo - 05 July 2012 12:02 PM
Yes, but I didn’t understand it too well.
I understand ‘the solution’ being different than the “workaround”. I do understand the workaround because it’s clear, but I don’t know what’s up with that patch and what I should do with it.

For you, I would suggest just doing the workaround. The end result is the same thing.

1. On the Magento web server, navigate to the www-root where Magento app files are stored.
2. In the wwwroot, navigate to /app/code/core/Mage/Api/controllers.
3. Open XmlrpcController.php for editing.
4. Comment out or delete the body of the method: public indexAction()
5. Save the changes.

But what does “delete the body of the method: public indexAction()” mean? Which parts of the code should one delete?

 
 
Chendo
Sr. Member
 
Total Posts:  109
Joined:  2011-11-01
 

Ok, thanks. Do you know what features will be affected by this change?

 
kab8609
Guru
 
Total Posts:  708
Joined:  2009-04-07
Cleveland
 
HolDenWagenHarry - 05 July 2012 12:16 PM

But what does “delete the body of the method: public indexAction()” mean? Which parts of the code should one delete?

public function indexAction()
{
    // DELETE THIS CODE INSIDE THE BRACKETS
}

 
kab8609
Guru
 
Total Posts:  708
Joined:  2009-04-07
Cleveland
 
Chendo - 05 July 2012 12:17 PM

Ok, thanks. Do you know what features will be affected by this change?

If you are doing the workaround, API features may be affected. I would suggest upgrading to 1.7.0.2 at your earliest convenience.

 
HolDenWagenHarry
Jr. Member
 
Total Posts:  16
Joined:  2009-12-22
 
kab8609 - 05 July 2012 12:18 PM

HolDenWagenHarry - 05 July 2012 12:16 PM

But what does “delete the body of the method: public indexAction()” mean? Which parts of the code should one delete?

public function indexAction()
{
    // DELETE THIS CODE INSIDE THE BRACKETS
}

THANKS!!!

 
 
a1anm
Guru
 
Total Posts:  318
Joined:  2009-10-08
 

From what I understand, implementing the patch won’t result in the API not working. So back to the original post... how can you install this patch? (I don’t have shell access.)

Or could someone upload the patched files which could just be uploaded to our server? (version 1.7.0.1)

Thanks!

 
 
kek0
Jr. Member
 
Total Posts:  27
Joined:  2010-03-06
 

Thanks kab8609 for the fast, easy fix.

One newbie question: if I open the http://www.magentocommerce.com/downloads/assets/1.7.0.2/CE_1.5.0.0-1.7.0.1.patch file I see two references:

lib/Zend/XmlRpc/Response.php
lib/Zend/XmlRpc/Request.php

Do you think it is best to apply the patch with these instructions?
http://www.magentocommerce.com/wiki/1_-_installation_and_configuration/magento_tutorial_-_how_to_apply_a_patch

Or is it the same as what you say to fix this security breach?

Thanks!!!

 Signature 

Recommended Magento Hosting. Litespeed USA/UK, very optimiced and for good price: Aspiration Hosting
http://www.dankek.com

 
 
kab8609
Guru
 
Total Posts:  708
Joined:  2009-04-07
Cleveland
 

If you guys are both on v1.7.0.1 why not upgrade to v1.7.0.2 since the patch is already on it?

 
kek0
Jr. Member
 
Total Posts:  27
Joined:  2010-03-06
 
kab8609 - 05 July 2012 12:37 PM

If you guys are both on v1.7.0.1 why not upgrade to v1.7.0.2 since the patch is already on it?

I am using 1.6.2.0 :-(

 
buzbuzzer
Jr. Member
 
Total Posts:  29
Joined:  2008-11-24
 
kek0 - 05 July 2012 12:30 PM

Thanks kab8609 for the fast, easy fix.


Do you think it is best to apply the patch with these instructions?
http://www.magentocommerce.com/wiki/1_-_installation_and_configuration/magento_tutorial_-_how_to_apply_a_patch

Or is it the same as what you say to fix this security breach?

Thanks!!!

This link is what we needed! Instructions on how to install a patch!

 
 
kab8609
Guru
 
Total Posts:  708
Joined:  2009-04-07
Cleveland
 

Do you have SSH access? If so just run the command from your base folder:

wget tinyurl.com/MAGE1702 && patch -p0 -i CE_1.5.0.0-1.7.0.1.patch

Props to my colleague https://twitter.com/#!/markshust

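A more cautious way to run the `patch -p0 -i` step from the post above, as an added example that is not part of the thread or of Magento's own instructions: it lists the files the patch will touch, refuses anything outside `lib/Zend/XmlRpc/` (the two files named earlier in the thread), does a `--dry-run`, and keeps a copy of each file before applying. The names `patch_targets`, `apply_checked`, `ALLOWED_PREFIX` and the `.orig-prepatch` suffix are hypothetical, and the demo tree and patch are constructed stand-ins, not the real Magento patch.

```shell
#!/bin/sh
# Added example. ALLOWED_PREFIX is an assumption taken from the two files
# named in the thread (lib/Zend/XmlRpc/Request.php and Response.php).
ALLOWED_PREFIX="lib/Zend/XmlRpc/"

# Print the paths a unified diff will modify (from its "+++ " headers).
patch_targets() {
    sed -n 's/^+++ \([^[:space:]]*\).*/\1/p' "$1"
}

# apply_checked ROOT PATCHFILE (absolute path): refuse unexpected paths,
# dry-run, keep a copy of each target, then apply for real.
apply_checked() {
    root=$1; pf=$2
    targets=$(patch_targets "$pf")
    [ -n "$targets" ] || { echo "no target files found in patch" >&2; return 2; }
    for f in $targets; do
        case $f in
            *..*) echo "refusing path: $f" >&2; return 3 ;;
            "$ALLOWED_PREFIX"*) ;;
            *) echo "refusing path: $f" >&2; return 3 ;;
        esac
    done
    # Dry run: exits non-zero, changing nothing, if any hunk does not fit.
    (cd "$root" && patch -p0 --dry-run -i "$pf" >/dev/null) || return 4
    for f in $targets; do
        cp -p "$root/$f" "$root/$f.orig-prepatch" || return 5
    done
    (cd "$root" && patch -p0 -i "$pf" >/dev/null)
}

# Constructed demo tree and one-line patch (NOT the real Magento patch).
make_demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/lib/Zend/XmlRpc" "$d/new/lib/Zend/XmlRpc"
    printf '<?php\n$xml = load($request);\n' > "$d/lib/Zend/XmlRpc/Request.php"
    printf '<?php\n$xml = load_hardened($request);\n' > "$d/new/lib/Zend/XmlRpc/Request.php"
    (cd "$d" && diff -u lib/Zend/XmlRpc/Request.php new/lib/Zend/XmlRpc/Request.php |
        sed 's#^+++ new/#+++ #' > demo.patch)
    echo "$d"
}

demo_dir=$(make_demo) && apply_checked "$demo_dir" "$demo_dir/demo.patch" &&
    echo "patched: $(patch_targets "$demo_dir/demo.patch")"
rm -rf "$demo_dir"
```

On a real store, `ROOT` would be the Magento base folder and `PATCHFILE` the downloaded patch, fetched from the vendor's own download URL rather than through a URL shortener.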
 
kek0
Jr. Member
 
Total Posts:  27
Joined:  2010-03-06
 
kab8609 - 05 July 2012 12:44 PM

Do you have SSH access? If so just run the command from your base folder:

wget tinyurl.com/MAGE1702 && patch -p0 -i CE_1.5.0.0-1.7.0.1.patch

Props to my colleague https://twitter.com/#!/markshust

Wow!! Thank you so much for your help, and to your colleague Mark Shust :D
