ECommerce Insights Blog

How To Protect Your Store From Zend Framework Vulnerability


There has been a serious vulnerability in the Zend Framework, which is the core of Magento. This vulnerability allows an attacker to read any file from your Magento-powered server, especially if Zend XML-RPC is enabled. This poses a severe security risk, since the readable files may include your configuration, password files or even your entire database (if it is deployed on the same server).

Now that you know about this security threat, the following is a tutorial on how to tackle this vulnerability by applying the patches released by MagentoCommerce.

Magento Community Edition

If you are already using the latest Magento version (v1.7.0.2) you don’t have to worry much, but if you are not, try updating the store immediately. If for some reason you can’t simply update your Magento version, you should apply the following patches based on your current Magento version.

Magento Go

Magento Go is updated automatically, so you don’t have to worry about this vulnerability.

Magento Professional Edition

All Magento Professional Edition stores should apply the Zend Security Upgrade patch by going to Downloads > Magento Professional Edition > Patches & Support (account login is required).

Magento Enterprise Edition

If you are running the latest version (v1.12.0.2) you shouldn’t worry about this vulnerability. But if you aren’t on the latest version you should upgrade as soon as possible. If for some reason you can’t upgrade, you can simply apply the security patch listed below.

  • EE 1.12.0.0+: upgrade to the latest release. Navigate to Downloads > Magento Enterprise Edition > Release (account login is required).
  • EE 1.8.0.0 – 1.11.X.X: apply the Zend Security Upgrades patch. Navigate to Downloads > Magento Enterprise Edition > Patches & Support (account login is required).
  • Versions prior to EE 1.8.0.0: implement the workaround (instructions below).

How to apply the Patch

To apply the patch follow these steps:

  1. Go to your Magento root directory: cd /home/mystore/public_html
  2. wget -O patch_name.patch
  3. Download the patch from the link provided for your current Magento version
  4. Apply the patch: patch -p0 < patch_name.patch

It is important to apply the patch on every server, especially if you have more than one server running Magento.

Workaround

If for some reason the patch cannot be applied, you should temporarily disable the RPC functionality. To disable RPC (valid for CE 1.4 and below, EE 1.8 and below), follow the steps given below:

  1. On the Magento web server, navigate to the www-root where the Magento app files are stored.
  2. In the www-root, navigate to app/code/core/Mage/Api/controllers
  3. Open XmlrpcController.php for editing
  4. Comment out or delete the body of the method: public function indexAction()
  5. Save the changes
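Before disabling XML-RPC, and while an unpatched store is still exposed, it helps to know who is actually calling the endpoint. The following added example (not code from the original post or from Magento) scans web-server access log lines in the common "combined" format for requests to Magento's XML-RPC route (/api/xmlrpc, also reachable as /index.php/api/xmlrpc) and counts them per client address; the log lines are constructed samples.

```python
import re
from collections import Counter

# Apache/Nginx "combined" log format: client, ident, user, timestamp,
# request line, status, response size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Magento routes XML-RPC calls through the Api module's XmlrpcController;
# the path is /api/xmlrpc, with or without the index.php front controller.
XMLRPC_PATH_RE = re.compile(r'^(?:/index\.php)?/api/xmlrpc/?(?:\?.*)?$')


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_xmlrpc_requests(lines):
    """Return the parsed requests that hit the Magento XML-RPC endpoint."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and XMLRPC_PATH_RE.match(rec["path"]):
            hits.append(rec)
    return hits


def summarize_by_client(hits):
    """Count XML-RPC requests per client address so unexpected callers stand out."""
    return Counter(h["client"] for h in hits)


# Constructed sample log lines (not real traffic): one known integration host
# (203.0.113.10) and one unknown caller (192.0.2.44) using the index.php route.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jul/2012:09:12:01 +0000] "POST /api/xmlrpc HTTP/1.1" 200 512 "-" "Zend_XmlRpc_Client"
198.51.100.7 - - [10/Jul/2012:09:12:05 +0000] "GET /index.php/customer/account/login/ HTTP/1.1" 200 8831 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jul/2012:09:13:47 +0000] "POST /index.php/api/xmlrpc/ HTTP/1.1" 200 2048 "-" "python-requests/0.13"
192.0.2.44 - - [10/Jul/2012:09:13:49 +0000] "POST /index.php/api/xmlrpc/ HTTP/1.1" 200 2048 "-" "python-requests/0.13"
203.0.113.10 - - [10/Jul/2012:09:14:02 +0000] "POST /api/soap/?wsdl HTTP/1.1" 200 9310 "-" "Zend_XmlRpc_Client"
""".splitlines()

if __name__ == "__main__":
    for client, count in summarize_by_client(find_xmlrpc_requests(SAMPLE_LOG)).most_common():
        print(f"{client}: {count} XML-RPC request(s)")
```

Run it against your real access log instead of SAMPLE_LOG; any client you do not recognise as one of your own integrations deserves a closer look, and once the workaround is in place the same scan confirms whether callers are still trying the endpoint.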

I hope that by applying these patches you can secure your server against an attacker. We would love to hear your thoughts and experiences of applying these security patches. Please leave us a comment and let us know.