Magento Zend Framework security issue


A serious vulnerability was recently discovered in the Zend Framework, on which Magento is built. This note explains how you can obtain and install a patch that fixes the issue.

The Issue

The vulnerability potentially allows an attacker to read any file on the web server where the Zend XMLRPC functionality is enabled. This might include password files, configuration files, and possibly even databases if they are stored on the same machine as the Magento web server.

Solution

We recommend that all Magento installations apply the latest patch appropriate for their platform:

  • Magento Enterprise Edition and Professional Edition merchants: you may access the Zend Security Upgrade patch from Patches & Support for your product in the Downloads section of your Magento account. Account log-in is required.

Workaround

If the patch cannot be applied immediately, the following steps can be followed to temporarily disable the RPC functionality that contains the vulnerability. Please be advised that any integrations that rely on the XMLRPC API will no longer work once this workaround is in place.

  1. On the Magento web server, navigate to the web root (www-root) where the Magento application files are stored.
  2. Within the web root, navigate to /app/code/core/Mage/Api/controllers.
  3. Open XmlrpcController.php for editing.
  4. Comment out or delete the body of the method public indexAction().
  5. Save the changes.

Additional Notes

Users with an existing IDS capability may monitor the RPC interface to watch for attacks. As always, we recommend keeping your Magento installation up to date as the best way to stay secure.

The latest releases of Magento (Community Edition 1.7.0.2 and Enterprise Edition 1.12.0.2) incorporate the appropriate patches; please make sure you are running the correct version, 1.7.0.2 or 1.12.0.2 respectively.

If you want to fix the problem quickly while you decide on the best course of action, you can do so provided you can access the .htaccess file in the root directory of your Magento installation.

Insert the following lines into the .htaccess file in the root of your Magento installation, immediately after “RewriteEngine On”:

If you don’t use the xmlrpc API:

RewriteCond %{REQUEST_URI} .*api/xmlrpc.* [NC]
RewriteRule (.*) - [F]

If you use the xmlrpc API, replace “YOUR_API_IP_ADDRESS” with the IP address of your remote API connection. Note that RewriteCond compares against a regular expression, so escape the dots and anchor the pattern (e.g. ^203\.0\.113\.10$ for 203.0.113.10) so that it cannot also match other addresses:

RewriteCond %{REMOTE_ADDR} !YOUR_API_IP_ADDRESS
RewriteCond %{REQUEST_URI} .*api/xmlrpc.* [NC]
RewriteRule (.*) - [F]
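As an added example (not part of the original post), the following Python script models the two .htaccess variants above and applies the same logic to constructed Apache access-log lines, in the spirit of the IDS monitoring note: it lists requests to the xmlrpc endpoint that did not come from the allow-listed API address. The IP addresses and log lines are constructed for illustration, and it shows why the allow-listed address must be escaped and anchored.

```python
import re

# Mirrors the .htaccess rules from the post: block any request whose URI
# contains "api/xmlrpc" (case-insensitive, like the [NC] flag), optionally
# exempting one allow-listed remote address. RewriteCond patterns are regular
# expressions, so an unescaped, unanchored IP also matches look-alike addresses.
XMLRPC_URI = re.compile(r".*api/xmlrpc.*", re.IGNORECASE)

def is_blocked(request_uri, remote_addr, allowed_ip_pattern=None):
    """Return True when the rewrite rules would answer 403 Forbidden."""
    if allowed_ip_pattern is not None and re.search(allowed_ip_pattern, remote_addr):
        return False  # the "!pattern" condition fails, so the rule does not fire
    return XMLRPC_URI.search(request_uri) is not None

# Constructed common-log-format lines; 203.0.113.10 is the (hypothetical)
# legitimate API client, the other addresses are unexpected sources.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jul/2012:10:00:01 +0000] "POST /api/xmlrpc HTTP/1.1" 200 512
198.51.100.7 - - [10/Jul/2012:10:00:02 +0000] "POST /index.php/api/xmlrpc/ HTTP/1.1" 200 4096
198.51.100.7 - - [10/Jul/2012:10:00:03 +0000] "GET /checkout/cart/ HTTP/1.1" 200 9000
203.0.113.100 - - [10/Jul/2012:10:00:04 +0000] "POST /API/XMLRPC HTTP/1.1" 200 512
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def xmlrpc_requests_from_unexpected_sources(log_text, allowed_ip_pattern):
    """Return (ip, method, uri) for xmlrpc requests the rules would have blocked."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, uri, _status = m.groups()
        if is_blocked(uri, ip, allowed_ip_pattern):
            hits.append((ip, method, uri))
    return hits

if __name__ == "__main__":
    # Anchored pattern: 203.0.113.100 is correctly reported as unexpected.
    for hit in xmlrpc_requests_from_unexpected_sources(SAMPLE_LOG, r"^203\.0\.113\.10$"):
        print("unexpected xmlrpc request:", *hit)
    # Unanchored pattern "203.0.113.10" silently exempts 203.0.113.100 as well.
    print("exempted by sloppy pattern:", not is_blocked("/api/xmlrpc", "203.0.113.100", "203.0.113.10"))
```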