Magento RPC Vulnerability Solution:

This is a security vulnerability in the Zend library that allows any information on the server to be read directly. Customers can check out the patch for their Magento version from SVN, or comment out the code in the file described below. (Customers of our company: please submit a support request through the site and provide FTP access; a programmer will apply the patch for you.)

Solution

Magento Enterprise Edition


  • Based on our experience, we recommend that all Enterprise Edition customers upgrade to the latest version (v1.12.0.2) where possible, to get the latest patch and features.
  • Otherwise, choose the solution that matches your platform version:

  Your current version                     Recommended solution
  Magento EE 1.12.0.0 and later            Upgrade to the latest version (browse Downloads > Magento Enterprise Edition > Releases; account login required)
  Magento EE 1.8.0.0 to 1.11.x             Apply the Zend security patch (browse Downloads > Magento Enterprise Edition > Patches and Support; account login required)
  Magento EE earlier than 1.8.0.0          Use the workaround (described below)


Magento Professional Edition



Magento Community Edition


  • Where possible, we recommend that all Community Edition customers upgrade to the latest version (v1.7.0.2) to benefit from the latest patch and features.
  • If upgrading is not convenient, find the solution that matches your platform version:

  Your current version                     Recommended solution
  Magento 1.7.0.0 and later                Upgrade to the latest version
  Magento 1.5.0.0 to 1.6.x                 Apply the patch for this version
  Magento 1.4.2.0                          Apply the patch for this version
  Magento 1.4.0.0 to 1.4.1.1               Apply the patch for this version
  Magento earlier than 1.4.0.0             Use the workaround (described below)


Magento GO


Magento GO customers do not need to apply any update. All patches are applied automatically in the background.

Instructions on Applying the Patch

  1. Go to your Magento root directory: cd /home/mystore/public_html
  2. wget -O patch_name.patch
  3. Download the patch from the link provided for your version (the wget command in step 2, with the link's URL appended, lets you do this directly from the Unix command prompt)
  4. Apply the patch: patch -p0 < patch_name.patch

*Note that if you are running more than one web server, the patch will need to be applied to all the servers.

Workaround

If an upgrade cannot be performed or the patch cannot be applied immediately, the following instructions can be followed to temporarily disable the RPC functionality that contains the vulnerability.

Please note that this workaround can only be applied to versions of CE 1.4 and below and EE 1.8 and below.

Also, please be advised that any integrations that rely on the XMLRPC API functionality will no longer work after this workaround is implemented.

  1. On the Magento web server, navigate to the www-root where the Magento app files are stored.
  2. In the www-root, navigate to /app/code/core/Mage/Api/controllers.
  3. Open XmlrpcController.php for editing.
  4. Comment out or delete the body of the method public function indexAction().
  5. Save the changes.

Technical Clarification

As some of our experienced community members have discovered, the fix in the CE 1.7.0.2 and EE 1.12.0.2 releases differs from the fix provided in the patches. In the latest releases, we decided not to modify the Zend library directly, but to override the vulnerable methods within the Magento code base by adding two new classes:

  • app/code/core/Zend/XmlRpc/Response.php
  • app/code/core/Zend/XmlRpc/Request.php

We did this in order to keep the underlying Zend Framework version 1.11.1 consistent for Magento 1.X. We are planning to upgrade the Zend Framework in Magento in upcoming releases.
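As an added illustration of the approach described in this section (hardening the XML-RPC request handling inside application code rather than editing the Zend library), the following PHP function parses an XML-RPC request body while refusing DOCTYPE and ENTITY declarations and disabling external entity loading. This is example code written for this page; it is not Magento's Request.php/Response.php override and not Zend Framework code. The function name, the sample request strings and the check that the root element is `methodCall` are assumptions of the example. It is written for PHP 5.3 and later, the PHP generation Magento 1.x ran on.

```php
<?php
// Added example (not Magento's or Zend Framework's own code): a hardened
// loader for an incoming XML-RPC request body. Function name and samples
// are this example's own assumptions.

/**
 * Parse an XML-RPC request body, refusing DOCTYPE/ENTITY declarations and
 * external entity resolution. Returns a DOMDocument or throws.
 */
function loadXmlRpcRequestSafely($body)
{
    // First line of defence: XML-RPC never needs a DOCTYPE, so any request
    // carrying one (or an ENTITY declaration) is rejected before parsing.
    if (stripos($body, '<!DOCTYPE') !== false || stripos($body, '<!ENTITY') !== false) {
        throw new InvalidArgumentException('DOCTYPE/ENTITY declarations are not allowed in XML-RPC requests');
    }

    // Second line of defence: stop libxml from fetching external entities
    // while this document is parsed. (libxml_disable_entity_loader is
    // deprecated in PHP 8.0, where external loading is already off by
    // default, but it is the relevant control on the PHP 5 versions here.)
    $previousLoader = libxml_disable_entity_loader(true);
    $previousErrors = libxml_use_internal_errors(true);

    $doc = new DOMDocument();
    // LIBXML_NONET blocks network access during parsing. LIBXML_NOENT is
    // deliberately NOT passed, so entity references are not substituted.
    $ok = $doc->loadXML($body, LIBXML_NONET);

    // Restore the global libxml state before any exception can leave here.
    libxml_disable_entity_loader($previousLoader);
    libxml_use_internal_errors($previousErrors);
    libxml_clear_errors();

    if (!$ok) {
        throw new InvalidArgumentException('Malformed XML-RPC request');
    }
    // Belt and braces: DOMDocument exposes any DOCTYPE that slipped through.
    if ($doc->doctype !== null) {
        throw new InvalidArgumentException('DOCTYPE declarations are not allowed');
    }
    if ($doc->documentElement === null || $doc->documentElement->tagName !== 'methodCall') {
        throw new InvalidArgumentException('Root element must be <methodCall>');
    }
    return $doc;
}

// Constructed sample inputs for a self-check (not captured traffic).
$benign = '<?xml version="1.0"?>'
    . '<methodCall><methodName>catalog_product.info</methodName><params/></methodCall>';
$withDoctype = '<?xml version="1.0"?>'
    . '<!DOCTYPE methodCall [<!ENTITY ex "x">]>'
    . '<methodCall><methodName>&ex;</methodName></methodCall>';

foreach (array('benign' => $benign, 'doctype' => $withDoctype) as $label => $xml) {
    try {
        loadXmlRpcRequestSafely($xml);
        echo $label . ": accepted\n";
    } catch (InvalidArgumentException $e) {
        echo $label . ": rejected (" . $e->getMessage() . ")\n";
    }
}
```

Run with `php example.php`: the benign request is accepted and the request with a DOCTYPE is rejected by the string check before libxml ever sees it. The string check is the cheap, version-independent guard; the entity-loader switch and the `doctype` property check cover a DOCTYPE that evades the string match, which is why both are kept.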