 

Magento/Zend XMLRPC Security Bug? [closed]

I've got two Magento stores and read that there is an important security problem that has been revealed.

I have downloaded the patch files, but cannot seem to understand how to patch the files properly, one store has hosting with SSH access - but the other doesn't.

How can I patch the files properly on each machine?

Source: http://www.magentocommerce.com/blog/comments/important-security-update-zend-platform-vulnerability/

Fran asked Jul 06 '12 10:07


2 Answers

There are a couple of ways you can go about fixing your issue.

For your server with SSH

Here is an example of how to apply the patch file via SSH for a 1.4 store:

cd /home/mystore/public_html
wget -O zendxml_fix.patch http://www.magentocommerce.com/downloads/assets/1.7.0.2/CE_1.4.0.0-1.4.1.1.patch
patch -p0 < zendxml_fix.patch

Here are the URLs for each patch:

  1. Community Edition 1.4.0.0 through 1.4.1.1
  2. Community Edition 1.4.2.0
  3. Community Edition 1.5.0.0 through 1.7.0.1

For your server WITHOUT SSH

We have downloaded all the installations and pre-patched the files for people who don't have access to the command line or the patch application. The contents of the files are far too big to post on here, but you can download them directly from our site.

Community Edition 1.4.0.0 through 1.4.1.1

  1. ./lib/Zend/XmlRpc/Request.php
  2. ./lib/Zend/XmlRpc/Response.php

Community Edition 1.4.2.0

  1. ./lib/Zend/XmlRpc/Request.php
  2. ./lib/Zend/XmlRpc/Response.php

Community Edition 1.5.0.0 through 1.7.0.1

  1. ./lib/Zend/XmlRpc/Request.php
  2. ./lib/Zend/XmlRpc/Response.php

For more information

We've posted an explanation of the issue and a solution on our own website: http://www.sonassi.com/knowledge-base/magento-kb/important-magento-security-update-zend-platform-vulnerability/

Ben Lessani answered Nov 12 '22 14:11


FYI, WebGuys has provided an interface for checking whether your Magento store is vulnerable or not:
http://webguys.de/magento-exploit-test/

In order to apply the patch file you can use either of two approaches:
1> Using SSH with the following command:

patch -p0 < CE_1.5.0.0-1.7.0.1.patch

(Make sure you have uploaded the patch file to the www-root of the Magento installation and run the SSH command from there.)

2> Manually going through the files lib/Zend/XmlRpc/Response.php & lib/Zend/XmlRpc/Request.php and adding/removing lines as mentioned in the .patch file.

Hope this helps.

MagePsycho answered Nov 12 '22 14:11
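An added example, not code from either answer and not Magento's or Zend's own: a small Python reader for a unified .patch laid out like the CE_*.patch files above (paths relative to the store root, which is why both answers use -p0). It lists the line-by-line hand edits for the no-SSH route described in both answers and checks whether a local copy of Request.php is still unpatched, already patched, or too different to judge. SAMPLE_PATCH, REQUEST_BEFORE and the libxml_disable_entity_loader line are constructed stand-ins, not the real patch contents.

```python
# Added example, not code from the answers or from Magento: parse a unified .patch shaped like
# the CE_*.patch files (-p0 paths), list the hand edits for the no-SSH case, and say whether a
# local file is unpatched, patched or too different. SAMPLE_PATCH/REQUEST_BEFORE are constructed.
import re
HUNK_RE = re.compile(r"^@@ -(\d+)(?:,\d+)? \+(\d+)(?:,\d+)? @@")
SAMPLE_PATCH = """\
--- lib/Zend/XmlRpc/Request.php
+++ lib/Zend/XmlRpc/Request.php
@@ -3,3 +3,4 @@
     public function loadXml($request)
     {
-        $xml = new SimpleXMLElement($request);
+        $loader = libxml_disable_entity_loader(true);
+        $xml = new SimpleXMLElement($request);
"""
REQUEST_BEFORE = ["<?php", "class Zend_XmlRpc_Request {", "    public function loadXml($request)",
                  "    {", "        $xml = new SimpleXMLElement($request);", "    }", "}"]

def parse_patch(text):
    """Return {path: [(old_start, new_start, hunk_lines), ...]} in patch order."""
    files, hunk = {}, None
    for line in text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].split("\t")[0]        # drop any timestamp after a tab
            files[path] = []
        elif m := HUNK_RE.match(line):
            files[path].append((hunk := (int(m.group(1)), int(m.group(2)), [])))
        elif hunk and line[:1] in (" ", "+", "-") and not line.startswith("--- "):
            hunk[2].append(line)
    return files

def side(body, before):  # hunk text as it reads before ('-' + context) or after ('+' + context)
    return [l[1:] for l in body if l[0] == " " or l[0] == ("-" if before else "+")]

def contains(lines, block):  # exact, contiguous match only: no fuzz, unlike patch(1)
    return any(lines[i:i + len(block)] == block for i in range(len(lines) - len(block) + 1))

def patch_state(file_lines, hunks):  # 'applied' if every after-text is present, 'pending' if every before-text is
    if all(contains(file_lines, side(b, False)) for _, _, b in hunks):
        return "applied"
    if all(contains(file_lines, side(b, True)) for _, _, b in hunks):
        return "pending"
    return "unknown"

def manual_steps(hunks):  # hand-editing instructions, numbered against the ORIGINAL (unpatched) file
    steps = []
    for ln, _, body in hunks:
        for l in body:
            if l[0] == "+":
                steps.append(f"before line {ln}: add: {l[1:].strip()}")
            elif l[0] == "-":
                steps.append(f"line {ln}: remove: {l[1:].strip()}")
            ln += l[0] != "+"                     # only lines that existed before advance the count
    return steps
```

Run patch_state over the real lib/Zend/XmlRpc/Request.php and Response.php with the real .patch to confirm a store is patched after editing by hand; a result of "unknown" means the file differs from what the patch expects and the version ranges in the answers should be rechecked.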