Important Magento Security Update – Zend Framework Vulnerability Patch

We recently learned of a serious vulnerability in the Zend Framework on which Magento is built. If you are running a Magento Community Edition store, this post outlines how the problem can be patched.

The Issue

The vulnerability potentially allows an attacker to read any file on the web server where the Zend XMLRPC functionality is enabled. This might include password files, configuration files, and possibly even databases if they are stored on the same machine as the Magento web server.

Solution

As best practice, it is recommended that all Community Edition stores upgrade to the latest release (v1.7.0.2) if possible to take advantage of the latest fixes and features.

Depending on your current Magento version, please find the appropriate solution for you below:

Current Magento version         Recommended solution
CE 1.7.0.0+                     Upgrade to the latest release
CE 1.5.0.0 – 1.6.x.x            Patch information on Magento Blog
CE 1.4.2.0                      Patch information on Magento Blog
CE 1.4.0.0 – 1.4.1.1            Patch information on Magento Blog
Versions prior to CE 1.4.0.0    Implement the workaround (instructions below)

Workaround

If an upgrade cannot be performed or the patch cannot be applied immediately, follow the instructions below to temporarily disable the RPC functionality that contains the vulnerability.

Please note that this workaround can only be applied to versions of CE 1.4 and below.

Also, please be advised that any integrations that rely on the XMLRPC API functionality will no longer work after this workaround is implemented.

  1. On the Magento web server, navigate to the www-root directory where the Magento app files are stored
  2. From the www-root, navigate to /app/code/core/Mage/Api/controllers
  3. Open XmlrpcController.php for editing
  4. Comment out or delete the body of the method public function indexAction()
  5. Save the changes
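The supported fix is the upgrade or the Magento Blog patch above, and the workaround removes the endpoint entirely, which breaks XML-RPC integrations. As an added illustration, not code from Magento, Zend Framework or this post, the function below shows the class of hardening such a patch applies to the request parser: file reads through an XML-RPC endpoint come from entity declarations in the request body, so the loader refuses any DOCTYPE and keeps libxml's external entity loader switched off while parsing. It assumes PHP 5.5 or later with the dom and libxml extensions; the two sample requests are constructed, not captured traffic.

```php
<?php
// Added example, not Magento or Zend Framework code. Hardened loader for the
// body of an XML-RPC request: refuses any DOCTYPE (where entity declarations
// live) and disables external entity loading for the duration of the parse.
// Assumes PHP 5.5+ with dom and libxml. libxml_disable_entity_loader() is
// deprecated from PHP 8.0, where the loader is already off by default.

function loadXmlRpcRequest($body)
{
    // First gate: a well-formed XML-RPC request never carries a DTD at all.
    if (preg_match('/<!DOCTYPE/i', $body)) {
        throw new RuntimeException('Rejected: DOCTYPE declaration in XML-RPC request');
    }

    $previousLoader = libxml_disable_entity_loader(true); // no external entity fetches
    $previousErrors = libxml_use_internal_errors(true);   // collect, do not emit, parse errors
    try {
        $dom = new DOMDocument();
        // LIBXML_NONET forbids network access; deliberately no LIBXML_NOENT / DTD flags.
        $ok = $dom->loadXML($body, LIBXML_NONET);
        if (!$ok || $dom->doctype !== null || $dom->documentElement === null
            || $dom->documentElement->nodeName !== 'methodCall') {
            throw new RuntimeException('Rejected: not a plain <methodCall> document');
        }
        $name = $dom->getElementsByTagName('methodName')->item(0);
        if ($name === null) {
            throw new RuntimeException('Rejected: missing methodName');
        }
        $params = array();
        foreach ($dom->getElementsByTagName('value') as $value) {
            $params[] = trim($value->textContent);
        }
        return array('method' => trim($name->textContent), 'params' => $params);
    } finally {
        libxml_disable_entity_loader($previousLoader);
        libxml_use_internal_errors($previousErrors);
    }
}

// Constructed sample requests (hypothetical, not captured traffic).
$benign = '<?xml version="1.0"?><methodCall><methodName>login</methodName>'
        . '<params><param><value><string>apiuser</string></value></param></params></methodCall>';
$withDtd = '<?xml version="1.0"?><!DOCTYPE methodCall [<!ENTITY e "x">]>'
         . '<methodCall><methodName>&e;</methodName></methodCall>';

foreach (array($benign, $withDtd) as $request) {
    try {
        print_r(loadXmlRpcRequest($request)); // benign: method "login", params ["apiuser"]
    } catch (RuntimeException $e) {
        echo $e->getMessage(), PHP_EOL;       // DTD sample: stopped at the DOCTYPE gate
    }
}
```

Rejecting every DOCTYPE is stricter than the XML-RPC specification requires, but no legitimate Magento API client sends one, so the check costs nothing and removes the entity-expansion surface outright.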

Need Help?

We recommend maintaining an up-to-date installation of the Magento platform as the best way to stay secure.

If you need help upgrading or applying a patch, get in touch for a quote and swift turnaround.

The post Important Magento Security Update – Zend Framework Vulnerability Patch appeared first on BeSeen.