A serious vulnerability has been found in the Zend Framework, which Magento is built on. The flaw is in Zend's XML-RPC handling: an unauthenticated attacker who can reach the XML-RPC endpoint can make the server read any file the web server process has access to. That is a severe risk, because the readable files include your Magento configuration (with database credentials), password files, and potentially your entire database if it lives on the same server.
Now that you know about the threat, here is how to deal with it by applying the patches released by MagentoCommerce.
Magento Community Edition
If you are already running the latest Magento version (v126.96.36.199) you don't have to worry; if you are not, update the store immediately. If for some reason you cannot simply upgrade your Magento version, apply the patch that matches your current version:
- CE 188.8.131.52+ Upgrade to the latest release
- CE 184.108.40.206 – 1.6.X.X Apply this patch
- CE 220.127.116.11 Apply this patch
- CE 18.104.22.168 – 22.214.171.124 Apply this patch
- Versions prior to CE 126.96.36.199 Implement the workaround (instructions below)
Magento Go is updated automatically, so you don’t have to worry about this vulnerability.
Magento Professional Edition
All Magento Professional Edition installations should apply the Zend Security Upgrade patch, available under
Downloads > Magento Professional Edition > Patches & Support (account login is required).
Magento Enterprise Edition
If you are running the latest version (v188.8.131.52) you are not affected. If you aren't on the latest version, upgrade as soon as possible. If for some reason you cannot upgrade, apply the security patch listed below.
- EE 184.108.40.206+ Upgrade to the latest release. Navigate to Downloads > Magento Enterprise Edition > Release (account login is required)
- EE 220.127.116.11 – 1.11.X.X Apply the Zend Security Upgrades patch. Navigate to Downloads > Magento Enterprise Edition > Patches & Support (account login is required)
- Versions prior to EE 18.104.22.168 Implement the workaround (instructions below)
How to apply the Patch
To apply the patch follow these steps:
- Go to the root of your Magento installation (the directory that contains app/, lib/ and index.php)
- Download the patch for your Magento version from the link given in the list above, saving it under a fixed name:
wget -O patch_name.patch
- Apply the patch from that same directory:
patch -p0 < patch_name.patch
- Check the output: every file should report "patching file ..." with no "Hunk FAILED" or ".rej" files. If a hunk fails, you are most likely on a different version than the patch was made for, so pick the right patch rather than forcing it.
It is important to apply the patch on every server, especially if you have more than one server running Magento behind a load balancer; patching only the one you are logged in to leaves the others exploitable.
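The following shell script is an added example, not code from the original post or from MagentoCommerce. It wraps the manual steps above into a function that first dry-runs the patch against the Magento directory, applies it only if the dry run is clean, refuses to apply the same patch twice, and then verifies the patched file changed. The demo at the end builds a throwaway "Magento root" with one file and a constructed unified diff standing in for the real Zend security patch; the Request.php path, the /var/www/magento path and the host names in the roll-out helper are assumptions, not values from the page.

```bash
#!/bin/sh
# Added example: safe application of a Magento patch file.
# Assumes the patch is a unified diff rooted at the Magento directory, so -p0 is right.
set -e

# apply_magento_patch MAGENTO_ROOT PATCH_FILE
# Returns 0 when the patch applied cleanly, 1 when the dry run shows it would not
# apply (wrong version, or already applied: -N refuses previously applied patches).
apply_magento_patch() {
    magento_root="$1"
    patch_file="$2"
    # --dry-run touches nothing; a failure here means no file was modified at all.
    if ! patch -p0 -N --dry-run -d "$magento_root" < "$patch_file" >/dev/null 2>&1; then
        echo "patch would NOT apply cleanly to $magento_root; nothing changed" >&2
        return 1
    fi
    patch -p0 -N -d "$magento_root" < "$patch_file" >/dev/null
    return 0
}

# Hypothetical roll-out to every Magento server (not run in this demo): the page's point
# is that each server behind the load balancer needs the patch, not just one.
# Assumed path /var/www/magento and ssh access; adjust to your environment.
patch_all_hosts() {
    patch_file="$1"; shift
    for host in "$@"; do
        scp "$patch_file" "$host:/tmp/magento.patch"
        ssh "$host" 'cd /var/www/magento && patch -p0 -N --dry-run < /tmp/magento.patch \
            && patch -p0 -N < /tmp/magento.patch'
    done
}

# Constructed demo tree: one file plus a unified diff for it, standing in for the real
# Magento tree and the real Zend patch. Returns 0 if the whole workflow behaves.
demo_patch_run() {
    root=$(mktemp -d)
    mkdir -p "$root/lib/Zend/XmlRpc"
    printf 'line one\nvulnerable line\nline three\n' > "$root/lib/Zend/XmlRpc/Request.php"
    cat > "$root/zend_fix.patch" <<'EOF'
--- lib/Zend/XmlRpc/Request.php
+++ lib/Zend/XmlRpc/Request.php
@@ -1,3 +1,3 @@
 line one
-vulnerable line
+fixed line
 line three
EOF
    # First application must succeed.
    apply_magento_patch "$root" "$root/zend_fix.patch" || { rm -rf "$root"; return 1; }
    # Second application must be refused by the dry run (already applied).
    if apply_magento_patch "$root" "$root/zend_fix.patch" 2>/dev/null; then
        rm -rf "$root"; return 1
    fi
    # The patched file must now carry the fixed line.
    if grep -q '^fixed line$' "$root/lib/Zend/XmlRpc/Request.php"; then
        status=0
    else
        status=1
    fi
    rm -rf "$root"
    return $status
}
```

Run `demo_patch_run` to exercise the workflow locally; for a real server, call `apply_magento_patch /path/to/magento patch_name.patch` with the file you downloaded, and keep the dry run even if you are in a hurry, since a half-applied patch is harder to recover from than an unpatched tree.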
If for some reason the patch cannot be applied, temporarily disable the XML-RPC functionality. Note that this only removes the vulnerable entry point; it does not fix the Zend library itself, so it is a stopgap until you can patch or upgrade. To disable XML-RPC (valid for CE 1.4 and below, EE 1.8 and below) follow these steps:
- On the Magento web server, navigate to the www-root where the Magento app files are stored.
- In the www-root, navigate to
- Open XmlrpcController.php for editing
- Comment out or delete the body of the method:
- Save the changes, then confirm that a request to the XML-RPC endpoint no longer returns an XML-RPC response.
I hope that by applying these patches you can secure your server against this attack. We would love to hear your thoughts and experiences of applying these security patches. Please leave us a comment and let us know.