We have recently learned of a serious vulnerability in the Zend Framework on which Magento is built. This note provides information on how customers can access and install a patch that addresses this issue.
The Issue
The vulnerability potentially allows an attacker to read any file on the web server where the Zend XMLRPC functionality is enabled. This might include password files, configuration files, and possibly even databases if they are stored on the same machine as the Magento web server.
Solution
We recommend that all Magento implementations install the latest patch appropriate for your platform:
- Magento Enterprise Edition and Professional Edition merchants:
- You may access the Zend Security Upgrade patch from Patches & Support for your product in the Downloads section of your Magento account. Account log-in is required.
- Download
- Magento Community Edition merchants:
- Community Edition 1.4.0.0 through 1.4.1.1
- Community Edition 1.4.2.0
- Community Edition 1.5.0.0 through 1.7.0.1
Workaround
If the patch cannot be applied immediately, the following instructions can be followed to temporarily disable the RPC functionality that contains the vulnerability. Please be advised, any integrations that rely on the XMLRPC API functionality will no longer work after this workaround is implemented.
- 1. On the Magento web server, navigate to the www-root where Magento app files are stored.
- 2. In the wwwroot, navigate to /app/code/core/Mage/Api/controllers.
- 3. Open XmlrpcController.php for editing.
- 4. Comment out or delete the body of the method: public indexAction()
- 5. Save the changes.
Additional Notes
Users with existing IDS capability may monitor the RPC interface to watch for attacks. As always, we recommend maintaining an up-to-date installation of the Magento platform as the best way stay secure.
The latest releases of Magento (Community Edition 1.7.0.2 and Enterprise Edition 1.12.0.2) incorporate the appropriate patches. please use correct versions of releases 1.7.0.2 and 1.12.0.2 .
 |  |
New theme released
Responsive Magento Theme - Gala BabyStyle
Galathemes Baby Style is able to impress every Magento user, right at the first time experience, both in its design and features.
Our services
Magento Custom Development
Magento is the most powerful eCommerce system offering rich customization possibilities by extensions and modules.
We offer custom extension development performed by our full-time Magento experts to ensure the custom extension developed follow Magento code standard, optimized and pass our quality tests.
Magento Custom Design
Design and development a custom Magento template for your Magento store. Our designers and developers are specialists in Magento Commerce and have strong experience in Magento projects.
We provide all design in PSD files, template package and sample data. We also help you install the theme on your store if required. We start your project instantly and with highest priority.
PSD to Magento Theme Conversion
PSD to Magento Theme Conversion is a leading strength of us. We have an intelligent process and experienced staff, so you will save much time.
We easily convert a store designs in PSD format into a fully functional Magento commerce template. Quick and convenient for you to create an online store based on Magento is through "PSD to Magento Theme Conversion" service. We bring the flexibility, user friendly modules, and the extensions to improve the functionality of Magento.
Magento Site Development
We update our Magento knowledge everyday. Having an excellent knowledge on Magento design, Magento programming and server optimization, we guarantee your project get done perfectly.
We apply the philosophy of agile project management to ensure your project always performs on the right way, you'll get updates frequently, any changes of scope of project can be informed early to minimize risks, time and cost.
Magento Server Optimization
We realy provide the best service for you. Among them are optimized for Magento server is very important. Your ecommerce shop will flexibility and agility absolute. Connecting with customers, processing speed, the gentle query and sensitive to the search engine is very easy