While doing routine sanity checks, on of our QA Engineers, Sammy Shaar, was
alerted about an important Magento security update. The
vulnerability potentially allows an attacker to read any file on the web
server where the Zend XMLRPC functionality is enabled.
This might include password files, configuration files, and possibly even
databases if they are stored on the same machine as the Magento web server. To
see if you site has been affected, please see this page.
Luckily, Magento has released patches for all supported versions:
- Magento Enterprise Edition and Professional Edition merchants: You may access the Zend Security Upgrade patch from Patches & Support for your product in the Downloads section of your Magento account. Account log-in is required. Download
- Magento Community Edition merchants: Community Edition 184.108.40.206 through 220.127.116.11 Community Edition 18.104.22.168 Community Edition 22.214.171.124 through 126.96.36.199
To install the patch, place the patch file in the root of your Magento site
and run the following command: patch -p0 < zendxml_fix.patch If you don’t
have ssh access or patch installed on your machine, please see this stack
overflow post for alternative methods.