Magento Forum

Zend Vulnerability: Patched - Change Passwords Now?

ckburnett
Jr. Member
 
Total Posts:  3
Joined:  2009-07-11
 

Greetings,

Have performed the recommended work-around, and will add the patch going forward, although nothing currently using RPC, so no hurry on that.

Haven’t yet found any information on the following:

1. Are there any known in-the-wild exploits of this?

2. Official recommendation on password changes? If yes, just Magento administrative passwords, or customer account passwords too?

thebod
Moderator

Total Posts:  81
Joined:  2010-08-11
 

Hi,

1.: yes, there are: https://gist.github.com/5062dc17bfca1eb5ec3c

2.: no, it doesn’t affect Magento’s internal passwords; it might affect database and system passwords. If you are unsure about an attack, then change your system, MySQL and Magento administration passwords.

ckburnett
Jr. Member
 
Total Posts:  3
Joined:  2009-07-11
 

Thank you for your input.

As a follow-up: you said that it didn’t impact Magento “internal” passwords. Do I take it that you mean by that customer account passwords that are stored in the Magento database?

If yes, I think I’m missing something. The Magento admin passwords are stored in the same database, but you did recommend changing them.

Sorry if I misunderstood. Could you clarify for me?

Thank you very much.
 
thebod
Moderator

Total Posts:  81
Joined:  2010-08-11
 

Hi,

You are right in both parts ;)
“Internal passwords” might not be that clear; I meant customer passwords as well as admin passwords, because both are stored in the same place (the database, as a salted MD5 hash).

But I can’t imagine an attacker who would try to crack customer passwords, because a single admin password is all he needs to gain access to the customers.
Therefore I am sure that if something is stolen, it is only database credentials (and, by using these creds, admin passwords).

I hope it’s a bit clearer now ;)
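As an added illustration of what “salted MD5 hash” means in this thread (this is example code, not from the thread or from Magento itself), the Python below mirrors the Magento 1 storage format: `md5(salt + password)` followed by a colon and the salt, with a legacy value containing no colon being a plain unsalted MD5. The function names, the two-character default salt helper and the sample rows are my own assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets
import string
from typing import Optional

# Magento 1 stores a password as  md5(salt + password) + ":" + salt
# with a short random salt (two characters by default). A stored value
# without ":" is a legacy plain md5 of the password. Helper names are mine.

SALT_ALPHABET = string.ascii_letters + string.digits


def make_salt(length: int = 2) -> str:
    """Random salt of the same shape Magento 1 generates (assumed default: 2 chars)."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def hash_password(password: str, salt: Optional[str] = None) -> str:
    """Produce a Magento-1-style salted md5 string: <32 hex chars>:<salt>."""
    if salt is None:
        salt = make_salt()
    digest = hashlib.md5((salt + password).encode("utf-8")).hexdigest()
    return f"{digest}:{salt}"


def legacy_hash(password: str) -> str:
    """Old unsalted format: md5(password) with no salt suffix."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def validate_hash(password: str, stored: str) -> bool:
    """Check a candidate password against a stored value the way the app does."""
    if ":" in stored:
        digest, salt = stored.split(":", 1)
        candidate = hashlib.md5((salt + password).encode("utf-8")).hexdigest()
    else:
        digest, candidate = stored, legacy_hash(password)
    # Constant-time comparison so validation itself leaks nothing by timing.
    return hmac.compare_digest(candidate, digest)


def classify(stored: str) -> str:
    """Report which storage format a row uses; useful for an audit after an incident."""
    return "salted-md5" if ":" in stored else "legacy-unsalted-md5"


def audit_rows(rows):
    """Count formats over (table, username, stored_hash) rows; both admin and
    customer tables share the same format, which is the moderator's point."""
    counts = {}
    for table, _user, stored in rows:
        key = (table, classify(stored))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample rows, not real data.
    rows = [
        ("admin_user", "admin", hash_password("constructed-admin-pass", "Qx")),
        ("customer_entity", "alice", hash_password("constructed-customer-pass", "7k")),
        ("customer_entity", "bob", legacy_hash("constructed-old-pass")),
    ]
    for table, user, stored in rows:
        print(table, user, classify(stored), stored)
    print(audit_rows(rows))
    print(validate_hash("constructed-admin-pass", rows[0][2]))  # True
```

Two points follow from the code. First, the admin and customer tables use the identical format, so "internal passwords" covers both. Second, validating a salted MD5 value is a single cheap hash computation with a two-character salt, so a leaked table is treated as credential exposure; that is why the practical mitigation after a suspected database-credential leak is to rotate the admin passwords rather than to reason about how long the hashes would hold.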