There is an important security update for any company using Magento; this was posted yesterday (July 5, 2012) to Magento's blog.
Magento uses the Zend Platform; the vulnerability is in the Zend software.
The Issue: The vulnerability potentially allows an attacker to read any file on the web server where the Zend XMLRPC functionality is enabled. This might include password files, configuration files, and possibly even databases if they are stored on the same machine as the Magento web server.
Summary: We're not trying to scare you, but it's really not very good if you don't apply this patch. An attacker could access all of your customers' information, your admin functionality, and gain complete access to your site. They could delete all of your products and customers, or change pricing. It wouldn't be pretty.
What Should You Do:
a. Patch it.
b. Put in a workaround until it's patched.
If you'd like us to take care of this for you, we can fix this for you in one hour of billable time (we just need FTP access). Call 303.473.4400 or visit here to have someone contact you now.
Technical Details About the Magento Local File Inclusion (LFI) security vulnerability:
The attack is called local file inclusion (LFI) and essentially it allows a hacker to read any file on the server. At a high level, here’s what happens:
- Someone connects to your Magento installation's Web API. Great, you think to yourself: "I'm checking logins/passwords, so I won't give them anything they don't have access to. And even if they do have access, I'll only allow them certain actions (getting orders, creating products, etc.)."
- Your API reads the request using Zend Framework.
- Zend Framework uses a PHP XML library.
- You send a response back saying “Sorry, you don’t have access to my api” or “Ok, you just updated your product description”
- But little do you know, you also sent back the entire password file! Now your hacker owns the server!!
Here’s an example XML request the hacker might send:
<?xml version="1.0"?>
<!DOCTYPE api_username [<!ENTITY my_api_username SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">]>
… XML REQUEST …
<api_username>&my_api_username;</api_username>
… the rest of the request
So, assuming they don’t have access (or they do, this really is just an example) your application might send something back like:
<?xml version="1.0"?>
<message>Sorry, {insert_api_username_here} you don't have access</message>
But where you just inserted the api username, you actually inserted the contents of the entire password file!
Luckily, PHP provides an easy function to prevent this: http://php.net/manual/en/function.libxml-disable-entity-loader.php
The Magento patch works by calling this function in the appropriate places before the request XML is parsed.
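As an added illustration (not Magento's or Zend's own code), here is how a request handler can parse an incoming API request with the entity loader disabled around the parse, and reject outright any request that carries a DOCTYPE, since a legitimate API call never needs one. The function name, element names and the two sample requests are constructed for this example.

```php
<?php
// Added example, not Magento's or Zend's own code. Element names, the
// sample requests and the function name are constructed for illustration.

// Guarded parser for an incoming XML API request. Two layers:
//   1. Refuse any document carrying a DOCTYPE. A legitimate API call never
//      needs one, and both external-entity and entity-expansion tricks
//      depend on it.
//   2. Disable the external entity loader (the fix the post describes) for
//      the duration of the parse, and never pass LIBXML_NOENT.
function parseApiRequest(string $xml): ?DOMDocument
{
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        error_log('rejected XML request: DOCTYPE not allowed'); // detection signal for your logs
        return null;
    }
    // Deprecated since PHP 8.0 because libxml 2.9+ no longer loads external
    // entities by default; harmless there, essential on 2012-era stacks.
    $previousLoader = @libxml_disable_entity_loader(true);
    $previousErrors = libxml_use_internal_errors(true);
    try {
        $doc = new DOMDocument();
        // LIBXML_NONET blocks network fetches during parsing; no LIBXML_NOENT,
        // so entity references are never substituted into element content.
        $ok = $doc->loadXML($xml, LIBXML_NONET);
        return $ok ? $doc : null;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previousErrors);
        @libxml_disable_entity_loader($previousLoader);
    }
}

// Constructed request shaped like the one in the post: the DTD declares an
// external entity and the body references it inside <api_username>.
$hostile = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE api_username [<!ENTITY my_api_username SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">]>
<request><api_username>&my_api_username;</api_username></request>
XML;

// Constructed benign request with the same shape and no DTD.
$benign = <<<'XML'
<?xml version="1.0"?>
<request><api_username>shop_admin</api_username></request>
XML;

echo parseApiRequest($hostile) === null ? "hostile request rejected\n" : "hostile request accepted\n";
$doc = parseApiRequest($benign);
echo 'benign username: ', $doc->getElementsByTagName('api_username')->item(0)->textContent, "\n";
```

The DOCTYPE check is the portable guard; the entity-loader switch is defence in depth for older PHP/libxml builds where external entities were fetched by default.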
Need help applying this Magento security fix? Call 303.473.4400 or visit here to have someone contact you now.