
Magento Forum

Zend Platform Vulnerability – Important Security Update for early versions 1.3.2.4
 
11hundred
Jr. Member
 
Total Posts:  2
Joined:  2009-12-06
 

In reference to the security update posted two days ago, "Important Security Update – Zend Platform Vulnerability", there are no patches available for earlier versions of Magento, specifically 1.3.2.4. I would assume this version is affected; would anyone know of a way to patch this?

Thank you in advance,
David

 
 
thebod
Moderator
 
Total Posts:  81
Joined:  2010-08-11
 

Yes, I know one: Update!

You must not use such an old Magento version; the Zend_Xmlrpc issue is not the only issue in these early versions, there are a couple of other issues too.

 
 
elfling
Enthusiast
 
Total Posts:  901
Joined:  2008-10-21
 

Well, considering bod is supposed to be an MVP, I would have thought his thoughts would have been a bit more constructive than the dribble that was spouted.

Yes, this affects 1.3.2.4 version of Magento as well.

The markup is identical to the 1.4.0.0 fix, because the file still hadn't changed.

Most vulnerabilities are actually caused by a poor setup: incorrect permissions, removing .htaccess files (giving direct access to local.xml), leaving backups on the server in directories named backup. In fact, it's often the dev servers and lackluster setups and their developers that open a store to being vulnerable. A simple Google search can often prove this.

 
thebod
Moderator
 
Total Posts:  81
Joined:  2010-08-11
 

I'm sorry, I hadn't expected you to want more…

Some security fixes you might want to install:
- Mage_Paypal < 1.4: https://gist.github.com/662396
- http://blog.academy-ecommerce.com/security-advisory-vulnerability-on-customer-data-in-magento
- Maybe this affects you too: http://www.nbs-system.co.uk/blog-2/security/magento-paypal-vulnerability.html
...these are some of the issues that have been disclosed so far…

The Zend_Xmlrpc fix provided by Magento should work on Magento 1.3 too, because disabling the libxml entity loader takes the same arguments everywhere. Anyway, you should have installed at least PHP 5.2.11; earlier versions don't provide the libxml_disable_entity_loader() function needed to close this issue.

Easy fix, if you don't use the XMLRPC API: remove the code from your XMLRPC controller.

 
rohit47
Member
 
Total Posts:  35
Joined:  2011-12-29
 

Hi,
When I applied the patch fix, XmlRpc functionality no longer works. It throws a weird error: “Uncaught exception ‘Zend_XmlRpc_Client_HttpException’ with message ‘Internal Server Error’”. However, if I remove the patch it works. Does anybody have the same issue?

UPDATE:
Never mind, I figured it out!!

 
 
elfling
Enthusiast
 
Total Posts:  901
Joined:  2008-10-21
 

What version of PHP?

bod explains above that only 5.11 + the patch will work

 
 
rohit47
Member
 
Total Posts:  35
Joined:  2011-12-29
 

I was using PHP 5.2.6. I think that's why it threw the exception. Is there any way to apply the patch without upgrading PHP?

 
 
switchjohnny
Member
 
Total Posts:  41
Joined:  2009-07-02
 

I have 1.7.0.2 and this just happened to me yesterday, so I don't think the patch works 100%.

This was a clean install of 1.7.0.2 as well.

Any suggestions?

 