Magento Forum

Page 2 of 3
Zend’s vulnerability patch
 
Display_Wizard
Jr. Member
 
Total Posts:  15
Joined:  2011-02-05
Garstang
 
kab8609 - 05 July 2012 11:44 AM

Do you have SSH access? If so just run the command from your base folder:

wget tinyurl.com/MAGE1702 && patch -p0 -i CE_1.5.0.0-1.7.0.1.patch

Props to my colleague https://twitter.com/#!/markshust

I’m using Magento 1.5.1.0 with a highly customised theme and quite a few third-party extensions. Will applying this patch cause any issues / break anything?

I’m assuming that if I want to apply it using this:

wget tinyurl.com/MAGE1702 && patch -p0 -i CE_1.5.0.0-1.7.0.1.patch

I just navigate to my base folder (where the app, lib, media, skin etc. folders are) using SSH, then run the above command?

Thanks in advance

 
kab8609
Enthusiast
 
Total Posts:  821
Joined:  2009-04-07
Cleveland
 

Realistically you want to try this on your development server first before pushing the code to production.

I can’t tell you if there is an extension conflict because I don’t know what extensions you have.

 
Imi78
Jr. Member
 
Total Posts:  27
Joined:  2012-02-11
 
kab8609 - 05 July 2012 11:44 AM

Do you have SSH access? If so just run the command from your base folder:

wget tinyurl.com/MAGE1702 && patch -p0 -i CE_1.5.0.0-1.7.0.1.patch

Props to my colleague https://twitter.com/#!/markshust

Hi,

I ran this line via SSH and got this message:

(00:51:44) [magento] wget tinyurl.com/MAGE1702 && patch -p0 -i CE_1.5.0.0-1.7.0.1.patch
--2012-07-06 00:51:52-- http://tinyurl.com/MAGE1702
Resolving tinyurl.com… 195.66.135.250, 195.66.135.248
Connecting to tinyurl.com|195.66.135.250|:80… connected.
HTTP request sent, awaiting response… 301 Moved Permanently
Location: http://www.magentocommerce.com/downloads/assets/1.7.0.2/CE_1.5.0.0-1.7.0.1.patch [following]
--2012-07-06 00:51:52-- http://www.magentocommerce.com/downloads/assets/1.7.0.2/CE_1.5.0.0-1.7.0.1.patch
Resolving www.magentocommerce.com… 209.15.239.51
Connecting to www.magentocommerce.com|209.15.239.51|:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 2077 (2.0K) [text/plain]
Saving to: “MAGE1702”

100%[======================================>] 2,077 --.-K/s in 0s

2012-07-06 00:51:52 (65.7 MB/s) - “MAGE1702” saved [2077/2077]

patch: **** Can’t open patch file CE_1.5.0.0-1.7.0.1.patch : No such file or directory

Seems like it downloaded the patch but didn’t execute it?

So I did:

patch -p0 -R -i MAGE1702

because it looks like the “MAGE1702” file is the patch. But then I got this:

patching file lib/Zend/XmlRpc/Response.php
Unreversed patch detected!  Ignore -R? [n] n
Apply anyway? [n] n
Skipping patch.
2 out of 2 hunks ignored—saving rejects to file lib/Zend/XmlRpc/Response.php.rej
patching file lib/Zend/XmlRpc/Request.php
Unreversed patch detected!  Ignore -R? [n] n
Apply anyway? [n] n
Skipping patch.
1 out of 1 hunk ignored—saving rejects to file lib/Zend/XmlRpc/Request.php.rej

where I declined to ignore.

What’s to do??

ImI

 
Klaus M Brantl
Jr. Member
 
Total Posts:  6
Joined:  2010-11-16
München
 

I’m a little confused about the patch and the upgrade.

So I wanted to check this first on my test machine:
a) I’ve upgraded a test installation from 1.7.0.0 to 1.7.0.2 via the Connect Manager
b) I have an “old” installation with 1.6.2.0

I did not apply the patch and just wanted to see how those two files mentioned in the patch differ between 1.6.2.0 and 1.7.0.2.
They don’t!

Both lib/Zend/XmlRpc/Response.php and lib/Zend/XmlRpc/Request.php are identical in those two versions.

I had another test installation with 1.7.0.1 that I upgraded to 1.7.0.2. Same here.

I’ve downloaded magento-1.7.0.2.tar.bz2 and compared those two files to the 1.6.2.0 version of Magento. They are the same as in 1.6.2.0.

They claim that the patches are included:

http://www.magentocommerce.com/blog/comments/important-security-update-zend-platform-vulnerability/
The latest releases of Magento (Community Edition 1.7.02 and Enterprise Edition 1.12.02) incorporate the appropriate patches. Please use correct versions of releases 1.7.0.2 and 1.12.0.2.

So there are only two possibilities here:
a) They did something wrong with the packaging
b) The patches for the complete core are different from the ones mentioned in the blog post.

How can we find this out?

PS: I’ve added a bug report too: http://www.magentocommerce.com/bug-tracking/issue?issue=13901
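
An added example, not code from this thread or from Magento, covering two things the posts above run into: the quoted wget/patch one-liner fails because wget saves the redirected download as MAGE1702 rather than CE_1.5.0.0-1.7.0.1.patch, and "patch -R" then asks patch to reverse a change that was never applied (hence "Unreversed patch detected!"); and Klaus M Brantl’s question of how to tell whether a given tree already carries the change without eyeballing the files. It is a POSIX shell script that assumes GNU or BusyBox patch is installed and that it is run from the Magento document root (the folder containing app/, lib/ and skin/). The sample tree and the two diffs built by make_sample_tree are constructed stand-ins for the real Zend files and the real patch, so the script runs offline:

```shell
#!/bin/sh
# Added example, not code from the thread or from Magento: fetch, pre-check
# and apply a unified diff such as CE_1.5.0.0-1.7.0.1.patch with "patch -p0",
# and tell whether a tree already carries it. The quoted one-liner failed
# because wget named the download after the tinyurl path ("MAGE1702"), so
# "patch -i CE_1.5.0.0-1.7.0.1.patch" had nothing to open; and "patch -R"
# REVERSES a patch, so "Unreversed patch detected!" meant the files were
# still unpatched and -R had to be dropped.
# Assumes a POSIX shell, GNU or BusyBox patch, and the Magento document root
# (app/, lib/, skin/, app/Mage.php) as working directory. The tree and diffs
# made by make_sample_tree are constructed stand-ins, not the real files.
set -u

# -O names the file after the intended target, whatever the redirect does.
fetch_patch() { wget -O "$2" "$1"; }                 # fetch_patch URL NAME

# True when the working directory looks like a Magento 1 document root.
is_magento_root() { [ -d app ] && [ -d lib ] && [ -d skin ] && [ -f app/Mage.php ]; }

# Files the diff touches as "patch -p0" resolves them (from "+++ " headers).
patch_targets() {                                    # patch_targets PATCHFILE
    grep '^+++ ' "$1" | sed -e 's/^+++ //' -e 's/[[:space:]].*$//' | grep -v '^$'
}

# 0 only if every target exists here; names the missing ones on stderr.
# Catches a wrong working directory before patch scatters .rej files.
check_patch_targets() {                              # check_patch_targets PATCHFILE
    _rc=0
    for _f in $(patch_targets "$1"); do
        if [ -f "$_f" ]; then echo "ok       $_f"
        else echo "missing  $_f" >&2; _rc=1; fi
    done
    return $_rc
}

# Classify a patch against the tree without touching it:
#   pending  - all hunks apply forward (tree is unpatched)
#   applied  - all hunks reverse cleanly (fix already present)
#   conflict - neither: wrong -p level or directory, or locally edited files
# --dry-run never writes, -N refuses already-applied hunks, and stdin is
# closed so patch cannot stop at an interactive "Ignore -R?" prompt.
patch_state() {                                      # patch_state PATCHFILE
    if   patch -p0 -N --dry-run -i "$1" </dev/null >/dev/null 2>&1; then echo pending
    elif patch -p0 -R --dry-run -i "$1" </dev/null >/dev/null 2>&1; then echo applied
    else echo conflict; fi
}

# Apply only from the right directory and only after a clean dry run.
apply_patch_checked() {                              # apply_patch_checked PATCHFILE
    is_magento_root || { echo "not a Magento root: $(pwd)" >&2; return 1; }
    check_patch_targets "$1" || return 1
    case "$(patch_state "$1")" in
        pending) patch -p0 -N -i "$1" ;;
        applied) echo "already applied, nothing to do" ;;
        *)       echo "dry run failed; not applying" >&2; return 1 ;;
    esac
}

# Constructed stand-in tree and two constructed diffs, written into DIR.
make_sample_tree() {                                 # make_sample_tree DIR
    mkdir -p "$1/app" "$1/lib/Zend/XmlRpc" "$1/skin"
    : > "$1/app/Mage.php"
    for _c in Request Response; do
        printf '<?php\nclass Zend_XmlRpc_%s\n{\n    // stub\n}\n' "$_c" \
            > "$1/lib/Zend/XmlRpc/$_c.php"
    done
    cat > "$1/zend.patch" <<'EOF'
--- lib/Zend/XmlRpc/Request.php
+++ lib/Zend/XmlRpc/Request.php
@@ -1,5 +1,6 @@
 <?php
 class Zend_XmlRpc_Request
 {
+    // fixed line (constructed)
     // stub
 }
--- lib/Zend/XmlRpc/Response.php
+++ lib/Zend/XmlRpc/Response.php
@@ -1,5 +1,6 @@
 <?php
 class Zend_XmlRpc_Response
 {
+    // fixed line (constructed)
     // stub
 }
EOF
    # Same diff naming a file that is not here: what a wrong cwd looks like.
    sed 's#lib/Zend/XmlRpc/Request.php#lib/Zend/Nope.php#' "$1/zend.patch" \
        > "$1/wrong-dir.patch"
}

# Stand-alone demonstration on the constructed tree.
_d=$(mktemp -d) && make_sample_tree "$_d" && cd "$_d" && {
    echo "targets:"; patch_targets zend.patch
    echo "state before: $(patch_state zend.patch)"
    apply_patch_checked zend.patch >/dev/null
    echo "state after:  $(patch_state zend.patch)"
    check_patch_targets wrong-dir.patch >/dev/null || echo "wrong-dir.patch refused"
}
```

On a real store: source the functions, cd to the document root, fetch_patch with the magentocommerce.com URL that the wget log above redirects to and the name CE_1.5.0.0-1.7.0.1.patch, then apply_patch_checked CE_1.5.0.0-1.7.0.1.patch. patch_state on its own answers the "is this tree already patched?" question without modifying anything: "applied" means every hunk reverses cleanly, so the change is present; "pending" means the files are still the unpatched ones. Note the limit of that check: it only detects this particular diff, so a release that carried the same fix written differently would still report "pending", which is why comparing against a tree you know to be patched (as Klaus did) remains a useful second check.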

 
Radweb
Jr. Member
 
Total Posts:  15
Joined:  2009-04-19
Portsmouth, United Kingdom
 

Hi,

I think I have successfully applied the patch to CE 1.5 - CE 1.7.

I have attached the two modified files if anyone wants to give them a try; this is the CE 1.5 - 1.7 patch, applied to Magento CE 1.6.2.

Everything seems to be fine so far.

File Attachments
Magento Patch CE 1.5-1.7.zip  (File Size: 5KB - Downloads: 221)
 
jaw041099
Jr. Member
 
Total Posts:  4
Joined:  2012-06-29
 

Hi all.

Excuse my ignorance: I was running 1.7 and upgraded through Magento Connect today. Does this patch get applied through the upgrades in Magento Connect, or do I need to do it as well?

Thanks

 
MattStephens
Sr. Member
 
Total Posts:  152
Joined:  2011-07-12
United Kingdom
 

Klaus M Brantl, perhaps they were cautious with the versioning on the error report so as to ensure everyone checks, just in case.

I can confirm I have a 1.5.1 version, and the patch has now been applied, although I’m not sure why the comment for a file include has been left in the patch update version changes.

Matt

 
abhimanyurana
Jr. Member
 
Total Posts:  10
Joined:  2011-12-25
 

Thanks Danek. That was a good link. I have patched the system, hopefully we are secure now.

 
Sonassi
Sr. Member
 
Total Posts:  217
Joined:  2009-05-20
Manchester, UK
 

We’ve written instructions on how to apply the patch and provided a series of pre-patched files for each release (excl. Enterprise; you’ll need to contact us for that).

You can find it here http://www.sonassi.com/knowledge-base/magento-kb/important-magento-security-update-zend-platform-vulnerability/

 
mooshi
Sr. Member
 
Total Posts:  88
Joined:  2009-07-25
Australia
 

Thanks very much, Sonassi!

In the full download package, running a comparison, I can’t see that the files are changed?
Can anyone confirm that the package is correct please?

EDIT

Confirmed it is updated & patched :)

 
NuBlue
Sr. Member
 
Total Posts:  94
Joined:  2008-03-31
Lancaster, United Kingdom
 

We have investigated the vulnerability ourselves and can report that it only affects the XML-RPC API, NOT the SOAP API. Whilst we recommend Varien’s directions, which include upgrading Magento or manually patching the affected files, we have created two mod_rewrite rules that can be inserted into the .htaccess file of your Magento store and that will also close this vulnerability (handy if you want some time to consider your options before patching/upgrading).

This temporary fix is outlined in the following post, along with more details on more permanent resolutions:

http://www.nublue.co.uk/blog/serious-zend-framework-vulnerability-affecting-magento-users/
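
The mod_rewrite approach described above, as an added example rather than NuBlue’s own rules (those are in the linked post): an .htaccess fragment for Apache that answers 403 for Magento 1’s XML-RPC API path while leaving the SOAP API paths untouched. The endpoint paths (api/xmlrpc for XML-RPC, api/soap and api/v2_soap for SOAP) are Magento 1’s standard Mage_Api routes; the fragment assumes the store’s existing .htaccess already enables mod_rewrite and that the server’s AllowOverride permits it:

```apache
# Added example (not the rules from the NuBlue post): deny Magento 1's
# XML-RPC API adapter at the web server, leaving SOAP (api/soap, api/v2_soap)
# reachable. Insert above the stock "RewriteRule .* index.php [L]" in the
# store's .htaccess so it is evaluated first. Endpoint paths are assumed
# from Magento 1's Mage_Api routing.
RewriteEngine On

# api/xmlrpc with or without index.php/, a subdirectory or a store code in
# front of it, any letter case, with or without a trailing slash.
# REQUEST_URI carries the path only, so a query string cannot bypass it.
RewriteCond %{REQUEST_URI} (^|/)api/xmlrpc(/|$) [NC]
RewriteRule .* - [F,L]

# Everything else, api/soap and api/v2_soap included, falls through to the
# normal front-controller rule that follows in Magento's .htaccess.
```

Check it from outside with curl: a request to /api/xmlrpc (and to /index.php/api/xmlrpc) should now return 403, while /api/soap/?wsdl still returns the WSDL. Keep in mind what this does and does not do: it is a stopgap at the web server, the vulnerable library code stays on disk, an nginx front end needs an equivalent location block, and the patch or upgrade is still required.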

 
MageAction
Sr. Member
 
Total Posts:  89
Joined:  2008-05-28
France
 

I run Magento 1.4.1.1

And maybe this is why my Magento website was hacked last year, with many new files added in every folder containing this:
11546.php
error_reporting(0);$a=(isset($_SERVER["HTTP_HOST"])?$_SERVER["HTTP_HOST"]:$HTTP_HOST);...... and a lot of base64 encoding/decoding inside the code.

The file XmlrpcController.php has now been changed

class Mage_Api_XmlrpcController extends Mage_Api_Controller_Action
{
    public function indexAction()
    {
        // server initialisation commented out, so the XML-RPC action does nothing
        //$this->_getServer()->init($this, 'xmlrpc')
        //    ->run();
    }
} // Class Mage_Api_XmlrpcController End

 
thebod
Moderator
 
Total Posts:  81
Joined:  2010-08-11
 

Hi,

I don’t see this issue as the reason for your hacked store.
The Zend_Xmlrpc issue only allows read access, not write access (here you can see how: https://gist.github.com/5062dc17bfca1eb5ec3c ).

You should maybe check whether you are infected by some kind of malware, like a trojan which stole FTP credentials and modified the shop files.

Best, thebod

 
11hundred
Jr. Member
 
Total Posts:  2
Joined:  2009-12-06
 

Our store is running a much older version of Magento, 1.3.2.4. Aside from the need to upgrade, is there anything we can do now to patch this without disabling the RPC functionality?

 
tpmurtagh
Jr. Member
 
Total Posts:  1
Joined:  2011-08-17
 

I am unable to log in to my Magento site altogether. I modified the code as stated in earlier messages and nothing happened. I am still unable to log in. Is this a product of the Zend vulnerability? Do I have another issue on my hands? Can someone help me here and steer me in the right direction to get this fixed?

Thanks in advance for any knowledge you can share here.

 