Magento Forum

Page 1 of 3
Zend’s vulnerability patch
 
Chendo
Sr. Member
 
Total Posts:  109
Joined:  2011-11-01
 

Hi there.
I recently got an important message in the backend of my Magento store through which I was informed about a newly discovered vulnerability of the Zend platform.
I clicked the link and read all the information about it, but I don't understand exactly how to apply the patch provided there.

Can someone make it a bit more clear?

 
 
kab8609
Enthusiast
 
Total Posts:  821
Joined:  2009-04-07
Cleveland
 

Have you read this? http://www.magentocommerce.com/blog/comments/important-security-update-zend-platform-vulnerability/

 
 
Chendo
Sr. Member
 
Total Posts:  109
Joined:  2011-11-01
 

Yes, but I didn't understand it too well.
I understand ‘the solution’ being different than the “workaround”. I do understand the workaround because it’s clear, but I don't know what’s up with that patch and what I should do with it.

 
 
kab8609
Enthusiast
 
Total Posts:  821
Joined:  2009-04-07
Cleveland
 
Chendo - 05 July 2012 11:02 AM

Yes, but I didn't understand it too well.
I understand ‘the solution’ being different than the “workaround”. I do understand the workaround because it’s clear, but I don't know what’s up with that patch and what I should do with it.

For you, I would suggest just doing the workaround. The end result is the same thing.

1. On the Magento web server, navigate to the www-root where Magento app files are stored.
2. In the wwwroot, navigate to /app/code/core/Mage/Api/controllers.
3. Open XmlrpcController.php for editing.
4. Comment out or delete the body of the method: public indexAction()
5. Save the changes.

 
 
HolDenWagenHarry
Jr. Member
 
Total Posts:  19
Joined:  2009-12-22
 
kab8609 - 05 July 2012 11:06 AM

Chendo - 05 July 2012 11:02 AM
Yes, but I didn't understand it too well.
I understand ‘the solution’ being different than the “workaround”. I do understand the workaround because it’s clear, but I don't know what’s up with that patch and what I should do with it.

For you, I would suggest just doing the workaround. The end result is the same thing.

1. On the Magento web server, navigate to the www-root where Magento app files are stored.
2. In the wwwroot, navigate to /app/code/core/Mage/Api/controllers.
3. Open XmlrpcController.php for editing.
4. Comment out or delete the body of the method: public indexAction()
5. Save the changes.

But what does “delete the body of the method: public indexAction()” mean? Which parts of code should one delete?

 
 
Chendo
Sr. Member
 
Total Posts:  109
Joined:  2011-11-01
 

Ok, thanks. Do you know what features will be affected by this change?

 
 
kab8609
Enthusiast
 
Total Posts:  821
Joined:  2009-04-07
Cleveland
 
HolDenWagenHarry - 05 July 2012 11:16 AM

But what does “delete the body of the method: public indexAction()” mean? Which parts of code should one delete?

public function indexAction()
{
    // DELETE THE CODE INSIDE THESE BRACKETS
}

 
 
kab8609
Enthusiast
 
Total Posts:  821
Joined:  2009-04-07
Cleveland
 
Chendo - 05 July 2012 11:17 AM

Ok, thanks. Do you know what features will be affected by this change?

If you are doing the workaround, API features may be affected. I would suggest upgrading to 1.7.0.2 at your earliest convenience.

 
 
HolDenWagenHarry
Jr. Member
 
Total Posts:  19
Joined:  2009-12-22
 
kab8609 - 05 July 2012 11:18 AM

HolDenWagenHarry - 05 July 2012 11:16 AM

But what does “delete the body of the method: public indexAction()” mean? Which parts of code should one delete?

public function indexAction()
{
    // DELETE THE CODE INSIDE THESE BRACKETS
}

THANKS!!!

 
 
a1anm
Guru
 
Total Posts:  318
Joined:  2009-10-08
 

From what I understand, implementing the patch won’t result in the API not working. So back to the original post... how can you install this patch? (I don’t have shell access.)

Or could someone upload the patched files which could just be uploaded to our server? (version 1.7.0.1)

Thanks!

 
 
Sergio Alfaro
Jr. Member
 
Total Posts:  28
Joined:  2010-03-06
 

Thanks kab8609 for the fast easy fix :)

One newbie question, if I open http://www.magentocommerce.com/downloads/assets/1.7.0.2/CE_1.5.0.0-1.7.0.1.patch file I see two references:

lib/Zend/XmlRpc/Response.php
lib/Zend/XmlRpc/Request.php

Do you think it is best to apply the patch with these instructions?
http://www.magentocommerce.com/wiki/1_-_installation_and_configuration/magento_tutorial_-_how_to_apply_a_patch

Or is it the same as what you say to fix this security breach?

Thanks!!!

 
 
kab8609
Enthusiast
 
Total Posts:  821
Joined:  2009-04-07
Cleveland
 

If you guys are both on v1.7.0.1 why not upgrade to v1.7.0.2 since the patch is already on it?

 
 
Sergio Alfaro
Jr. Member
 
Total Posts:  28
Joined:  2010-03-06
 
kab8609 - 05 July 2012 11:37 AM

If you guys are both on v1.7.0.1 why not upgrade to v1.7.0.2 since the patch is already on it?

I am using 1.6.2.0 :-(

 
 
buzbuzzer
Jr. Member
 
Total Posts:  29
Joined:  2008-11-24
 
kek0 - 05 July 2012 11:30 AM

Thanks kab8609 for the fast easy fix :)

Do you think it is best to apply the patch with these instructions?
http://www.magentocommerce.com/wiki/1_-_installation_and_configuration/magento_tutorial_-_how_to_apply_a_patch

Or is it the same as what you say to fix this security breach?

Thanks!!!

This link is what we needed! Instructions on how to install a patch!

 
 
kab8609
Enthusiast
 
Total Posts:  821
Joined:  2009-04-07
Cleveland
 

Do you have SSH access? If so just run the command from your base folder:

wget tinyurl.com/MAGE1702 && patch -p0 -i CE_1.5.0.0-1.7.0.1.patch

Props to my colleague https://twitter.com/#!/markshust
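
A more cautious way to run the same `patch -p0` step, as an added example that is not part of the original thread: it lists the files the patch touches, refuses anything outside the expected directory (`lib/Zend/XmlRpc`, where the two files named earlier in the thread live), dry-runs the patch, and copies the originals outside the web root before applying. The function names and the backup directory are assumptions of this example.

```shell
#!/bin/sh
# Added example: review, dry-run, back up, then apply a -p0 patch.
# Function names and the backup directory are assumptions of this example.
# usage: sh apply_reviewed_patch.sh <magento_root> <patch_file> <allowed_dir> <backup_dir>

# Print the target paths named in the "+++ " headers of a unified diff.
patch_targets() {
    sed -n 's/^+++ \([^[:space:]]*\).*/\1/p' "$1"
}

apply_reviewed_patch() {
    root=$1; patchfile=$2; allowed=$3; backup=$4
    # patch runs from inside $root, so the patch path must be absolute.
    case $patchfile in /*) ;; *) patchfile=$PWD/$patchfile ;; esac

    targets=$(patch_targets "$patchfile")
    [ -n "$targets" ] || { echo "no targets in patch" >&2; return 1; }

    for t in $targets; do
        # Fail closed: absolute paths, "..", or anything outside $allowed.
        case $t in
            /*|*..*) echo "refusing path: $t" >&2; return 1 ;;
            "$allowed"/*) ;;
            *) echo "unexpected target: $t" >&2; return 1 ;;
        esac
        # A missing file would make patch prompt for a name; stop instead.
        [ -f "$root/$t" ] || { echo "missing: $t" >&2; return 1; }
    done

    # Dry run: nothing is written unless every hunk applies cleanly.
    # -N makes an already-applied patch fail here instead of prompting.
    ( cd "$root" && patch -p0 -N --dry-run -i "$patchfile" </dev/null ) || return 1

    # Keep pristine copies outside the web root so they are never served.
    for t in $targets; do
        mkdir -p "$backup/$(dirname "$t")" || return 1
        cp -p "$root/$t" "$backup/$t" || return 1
    done

    ( cd "$root" && patch -p0 -N -i "$patchfile" </dev/null )
}

if [ "$#" -eq 4 ]; then
    apply_reviewed_patch "$@"
fi
```

Called with the Magento base folder, the downloaded `CE_1.5.0.0-1.7.0.1.patch`, `lib/Zend/XmlRpc` and a backup directory outside the web root, it returns non-zero without modifying anything if any check fails.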

 
 
Sergio Alfaro
Jr. Member
 
Total Posts:  28
Joined:  2010-03-06
 
kab8609 - 05 July 2012 11:44 AM

Do you have SSH access? If so just run the command from your base folder:

wget tinyurl.com/MAGE1702 && patch -p0 -i CE_1.5.0.0-1.7.0.1.patch

Props to my colleague https://twitter.com/#!/markshust

Wow!! Thank you so much for your help and for your colleague Mark Shust :D

 