Serious Zend Framework vulnerability affecting Magento users

July 6, 2012 at 10:02 am, Category: Business, eCommerce, Featured, Web Hosting, by Tom

Yesterday evening Varien released a public statement regarding a serious vulnerability in the Zend Framework, on which the Magento e-commerce platform is built. The affected component is the framework's XML-RPC library (Zend_XmlRpc), which Magento ships under lib/Zend/XmlRpc/.

The statement says that “the vulnerability potentially allows an attacker to read any file on the web server where the Zend XMLRPC functionality is enabled. This might include password files, configuration files, and possibly even databases if they are stored on the same machine as the Magento web server.”

Varien have offered three options:

a) Upgrade to Magento 1.7.0.2 (obviously not immediately practical for a lot of users).

b) Apply Varien's patch to the vulnerable files. There is a separate patch file for each range of Magento versions (right-click and Save As to download):

Community Edition 1.4.0.0 through 1.4.1.1

Community Edition 1.4.2.0

Community Edition 1.5.0.0 through 1.7.0.1

c) Make the edit described below, which disables the XML-RPC functionality altogether.

The steps below temporarily disable the XML-RPC functionality that contains the vulnerability. Varien advise that any integration which relies on the XML-RPC API will stop working once this workaround is in place. Note that this edits a core file, so a later upgrade will overwrite it (which is fine, since 1.7.0.2 carries the fix). The steps are as follows:

  • On the Magento web server, go to the document root where the Magento application files are stored.
  • From there, go to app/code/core/Mage/Api/controllers.
  • Open XmlrpcController.php for editing.
  • Comment out or delete the body of the public indexAction() method, leaving the method declaration and its braces in place so the class still parses.
  • Save the changes.

NuBlue Patch Files

We have created the following drop-in file replacements to patch the affected files. They are free to download in exchange for a tweet, to help spread the patching of this vulnerability.

As with any change to Magento, we recommend backing up your site before replacing these files. If you do find you have problems, we are happy to build patched files against a requested version.

How to Patch

To patch, copy the two files in the zip over the files of the same name in lib/Zend/XmlRpc/ under your Magento document root.

Magento 1.5 – 1.7.0.1 Patch Files

Magento 1.4.2 Patch Files

Magento 1.4.0 – 1.4.1.1 Patch Files

NuBlue’s Alternative Workaround

We have investigated the vulnerability ourselves and can report that the vulnerability only affects the xmlrpc API, not the SOAP API. Whilst we recommend Varien's directions as listed above, either of the following two mod_rewrite rules inserted into your .htaccess file will also close this vulnerability (handy if you want some time to consider your options before patching/upgrading).

The rules go in the .htaccess file in the root of your Magento installation, immediately after “RewriteEngine On”, so that they run before Magento's own catch-all rewrite to index.php (which carries an [L] flag and would otherwise win).

If you don't use the xmlrpc API:

RewriteCond %{REQUEST_URI} .*api/xmlrpc.* [NC]
RewriteRule (.*) - [F]

If you do use the xmlrpc API, replace YOUR_API_IP_ADDRESS with the IP address of the host that makes the API calls. REMOTE_ADDR is compared against a regular expression, so anchor the address and escape the dots (for example !^203\.0\.113\.10$ for 203.0.113.10); an unanchored 1.2.3.4 would also let 11.2.3.45 and 1.2.3.40 through:

RewriteCond %{REMOTE_ADDR} !^YOUR_API_IP_ADDRESS$
RewriteCond %{REQUEST_URI} .*api/xmlrpc.* [NC]
RewriteRule (.*) - [F]
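As an added example (this is not from the original post or from Varien's advisory), here is the allow-listed form of the rule written out the way I would put it in Magento's .htaccess, with the client address anchored and the dots escaped so the condition matches exactly the intended hosts and nothing else. 203.0.113.10 and 198.51.100.7 are RFC 5737 documentation addresses standing in for the integration host(s); substitute your own.

```apache
RewriteEngine On

# Stopgap for the Zend XML-RPC vulnerability: refuse api/xmlrpc to everyone
# except the integration host(s). These lines must sit before Magento's own
# rules, which rewrite every request to index.php with [L] and would
# otherwise take precedence.
#
# REMOTE_ADDR is matched as a regular expression, so the address is anchored
# (^...$) and the dots are escaped; an unanchored 1.2.3.4 would also admit
# 11.2.3.45 and 1.2.3.40. The addresses below are RFC 5737 placeholders.
RewriteCond %{REMOTE_ADDR} !^(203\.0\.113\.10|198\.51\.100\.7)$
# Same URI test as the rule in the post: [NC] makes it case-insensitive, and
# the pattern is deliberately unanchored so /index.php/api/xmlrpc and
# /<store-code>/api/xmlrpc are caught as well as /api/xmlrpc.
RewriteCond %{REQUEST_URI} api/xmlrpc [NC]
# [F] sends 403 Forbidden and stops rewriting (it implies [L]).
RewriteRule .* - [F]
```

Two caveats before relying on it. First, it only works if Apache honours .htaccess for the document root (AllowOverride must permit FileInfo), so verify it took effect: request /api/xmlrpc from an address that is not on the list and confirm you get a 403, then repeat from the integration host and confirm the endpoint still answers. Second, if a load balancer or reverse proxy sits in front of Apache, REMOTE_ADDR is the proxy's address rather than the caller's, so an allow-list on it would admit everyone the proxy forwards; in that setup the restriction has to be enforced at the proxy instead, or you should fall back to patching the files.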

If you are a NuBlue hosting customer and would like us to put the fix in place for you, please email a list of your Magento stores and, if relevant, any IPs you use to access the xmlrpc API. Please note that we require these in an email; unfortunately we will not be able to action these requests by phone. If you have any experiences with regard to this vulnerability, please comment so we can develop this article further.

© NuFuture Ltd 2005-2010. Company No: 05523340  |  VAT No: 865 6930 80  |  InfoLab21, Lancaster, Lancashire, UK