On 5 July 2012, Magento announced that a serious security vulnerability had been found in Zend Framework, on which Magento is built, so it affects the vast majority of Magento stores. The flaw is in the XML-RPC component of Zend Framework (its XML parsing honoured external entities in requests it received) and lets an attacker craft a request that reads files on the server they should not be able to reach, which could include password files, configuration files holding database credentials, and so on.
If you are using Magento (or the XML-RPC parts of Zend Framework, for that matter) then you will need to apply the Magento patch. If you run your own store this can be a little daunting, but fear not: here are some simple instructions on how to patch Magento so your site is no longer at risk. You will need some very basic command line skills, but the instructions are meant to be as simple as possible.
These instructions apply to Linux, Unix and Mac OSX - you will need to Google for Windows solutions (you shouldn't really be running Magento on Windows as it isn't fully supported).
Before starting we recommend you back up your Magento store files and database so you can roll back if required. Although the patch doesn't change much, it's better to be safe than sorry.
First of all open up a terminal (or SSH into your server if you are applying the patch remotely). Change the current directory to your Magento store root folder (this is one of ours; change it to suit):
cd /home/www/arrowdesign.co.uk
Just to be safe, run:
ls
to list the current directory. It should show files such as index.php, cron.php and get.php as well as directories such as app, skin, var and lib. If these are not shown then you are probably in the wrong directory.
Next we need to download the correct patch:
# Community Edition 18.104.22.168 through 22.214.171.124
wget http://www.magentocommerce.com/downloads/assets/126.96.36.199/CE_188.8.131.52-184.108.40.206.patch
# Community Edition 220.127.116.11
wget http://www.magentocommerce.com/downloads/assets/18.104.22.168/CE_22.214.171.124.patch
# Community Edition 126.96.36.199 through 188.8.131.52
wget http://www.magentocommerce.com/downloads/assets/184.108.40.206/CE_220.127.116.11-18.104.22.168.patch
If your system doesn't have wget (Mac OS X, for example) replace wget with curl -O, so the commands become:
# Community Edition 22.214.171.124 through 126.96.36.199
curl -O http://www.magentocommerce.com/downloads/assets/188.8.131.52/CE_184.108.40.206-220.127.116.11.patch
# Community Edition 18.104.22.168
curl -O http://www.magentocommerce.com/downloads/assets/22.214.171.124/CE_126.96.36.199.patch
# Community Edition 188.8.131.52 through 184.108.40.206
curl -O http://www.magentocommerce.com/downloads/assets/220.127.116.11/CE_18.104.22.168-22.214.171.124.patch
The above commands download the correct patch file from www.magentocommerce.com and store it in the current directory with the name CE_xxx.patch, where xxx is the version it applies to. Note that the download is over plain HTTP, so it is worth opening the file and checking that it only touches the two lib/Zend/XmlRpc files described below before you apply it.
It's now time to patch Magento, run the following command (replacing xxx with the version number in your patch):
patch -p0 < CE_xxx.patch
This runs through the patch and applies the security fix to the two affected files, lib/Zend/XmlRpc/Request.php and lib/Zend/XmlRpc/Response.php. patch reports each file it changes; if it reports failed hunks or leaves .rej files behind, the patch did not match your version and you should not go live with it. You can then test the Magento store to ensure everything still works, and if you need to you can reverse the patch using the following command:
patch -R -p0 < CE_xxx.patch
Once you are finished you can remove the patch file from the web root using the following command:
rm CE_xxx.patch
where xxx is the version it applies to.
If you are not on the live server you will need to upload the changes once you are done: either FTP the two files that have changed, or, if your code is in version control, commit the changes and push / pull them down onto the live server.
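An added example (not part of the original post, and not Magento's or Zend's code) of the checks a practitioner wants around the patch -p0 step above: confirm you are in a Magento root, confirm the downloaded patch only touches the two lib/Zend/XmlRpc files the post names, dry-run it, apply it, and refuse to continue if any hunk was rejected. The function names, the throw-away tree and the tiny patch it builds for the demo are this example's own; the real CE patch is the one you download above.

```shell
#!/bin/sh
# Added example, not from the original post: wraps "patch -p0 < CE_xxx.patch"
# in the checks you want before and after applying a security patch fetched
# over plain HTTP. Function names are this example's own.

# Return 0 if DIR has the files and directories a Magento root should have.
magento_root_check() {
    dir=$1
    for f in index.php cron.php get.php; do
        [ -f "$dir/$f" ] || { echo "not a Magento root: missing $dir/$f" >&2; return 1; }
    done
    for d in app skin var lib; do
        [ -d "$dir/$d" ] || { echo "not a Magento root: missing $dir/$d/" >&2; return 1; }
    done
}

# Print the files a unified diff modifies (from its '+++ ' headers, any
# timestamp dropped), one per line. With -p0 these are paths relative to the
# Magento root, exactly as they appear in the header.
patch_target_files() {
    sed -n 's/^+++ \([^[:space:]]*\).*/\1/p' "$1" | sort -u
}

# Return 0 only if the patch touches at least one file and every file it
# touches is in the allowed list given as the remaining arguments.
patch_targets_only() {
    patchfile=$1; shift
    targets=$(patch_target_files "$patchfile")
    [ -n "$targets" ] || { echo "no '+++' headers in $patchfile" >&2; return 1; }
    for target in $targets; do
        allowed=0
        for name in "$@"; do
            [ "$target" = "$name" ] && allowed=1
        done
        [ "$allowed" -eq 1 ] || { echo "patch touches unexpected file: $target" >&2; return 1; }
    done
}

# Check the tree, check the patch, dry-run it, apply it, and fail if any hunk
# was rejected (patch leaves *.rej files next to files it could not change).
apply_patch_safely() {
    dir=$1; patchfile=$2; shift 2
    case $patchfile in /*) ;; *) patchfile=$PWD/$patchfile ;; esac   # resolve before cd
    magento_root_check "$dir" || return 1
    patch_targets_only "$patchfile" "$@" || return 1
    (cd "$dir" && patch --dry-run -p0 < "$patchfile" >/dev/null) \
        || { echo "patch would not apply cleanly; not touching anything" >&2; return 1; }
    (cd "$dir" && patch -p0 < "$patchfile") || return 1
    rejects=$(cd "$dir" && find lib -name '*.rej' | wc -l | tr -d ' ')
    [ "$rejects" -eq 0 ] || { echo "$rejects rejected hunk file(s) under lib/" >&2; return 1; }
}

# Build a constructed, minimal Magento-like tree plus a constructed patch
# (NOT the real CE patch) in a temp directory and print its path.
make_demo_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/app" "$tmp/skin" "$tmp/var" "$tmp/lib/Zend/XmlRpc"
    : > "$tmp/index.php"; : > "$tmp/cron.php"; : > "$tmp/get.php"
    printf '<?php\nclass Zend_XmlRpc_Request {}\n' > "$tmp/lib/Zend/XmlRpc/Request.php"
    cat > "$tmp/CE_demo.patch" <<'EOF'
--- lib/Zend/XmlRpc/Request.php
+++ lib/Zend/XmlRpc/Request.php
@@ -1,2 +1,3 @@
 <?php
+// constructed change standing in for the real fix
 class Zend_XmlRpc_Request {}
EOF
    echo "$tmp"
}

# "sh this.sh demo" exercises the flow on the constructed tree.
if [ "${1:-}" = "demo" ] && command -v patch >/dev/null 2>&1; then
    root=$(make_demo_tree)
    apply_patch_safely "$root" "$root/CE_demo.patch" \
        lib/Zend/XmlRpc/Request.php lib/Zend/XmlRpc/Response.php \
        && echo "demo patch applied in $root"
fi
```

Against a real store, call apply_patch_safely . CE_xxx.patch lib/Zend/XmlRpc/Request.php lib/Zend/XmlRpc/Response.php from the Magento root; reversing is still the patch -R command the post gives. The allow list is deliberately explicit: a patch that touches anything else is a reason to stop and look, not to proceed.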
Applying a .sh Patch
Magento has also been releasing patches in an alternative .sh form. These are shell script files that automate some of the patching process, but they still require the command line. This quick guide assumes you are on a Mac or a Linux machine; Windows users might need to look at alternative solutions. As with the .patch files, we don't recommend running this straight on a live server: run and test it on a development machine first.
First of all download the patch(es) that you need (we'll call ours patch-1.sh).
Next you want to transfer this to your Magento root directory (i.e. ours is /home/www/arrowdesign.co.uk)
Time to open the command line and change to the Magento root directory:
cd /home/www/arrowdesign.co.uk
As a sanity check, run
ls
We should see folders such as app, downloader, skin etc. Our patch should also be in there.
You can apply the patch by running:
sh patch-1.sh
You should get back a "Patch was applied/reverted successfully".
You will then need to correct the ownership of the files, which means knowing which user your web server runs as. Assuming you run Apache you can find this out by running:
ps aux | grep httpd
Ignore the line for the grep command itself and the root-owned parent process; the user in the first column of the remaining (worker) rows is the web server user. I'll use httpd as the web server user below, but make sure you use the correct one! To correct the file ownership run:
chown -R httpd .
If the files were owned by a separate deploy user before you patched, restore that user rather than handing the whole tree to the web server account: Magento only needs the web server to be able to write to var/ and media/. Better still, run the patch script as the user that already owns the files and no chown is needed at all.
That should be the patch applied and file ownership corrected, so you can test your store and then push your changes live if everything is OK.
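An added example (not part of the original post) of the ownership step done without guessing: it picks the web server's worker user out of ps aux output, skipping the root-owned parent and the grep line itself, and counts the files a chown would actually change so you can see the blast radius before running it. The function names and the sample ps listing are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the sample
# `ps aux` output below are this example's own.

# Read `ps aux` lines on stdin and print the user of the first process whose
# command (field 11 onwards) matches PATTERN, is not owned by root (Apache's
# parent process runs as root; the workers carry the real user) and is not
# the grep that produced the listing.
web_user_from_ps() {
    awk -v pat="$1" '
        $11 ~ pat && $1 != "root" && $11 !~ /(^|\/)grep$/ { print $1; exit }
    '
}

# Count files under DIR that are not owned by USER: exactly the set a
# "chown -R USER DIR" would touch. Zero means nothing needs changing.
files_not_owned_by() {
    find "$1" ! -user "$2" | wc -l | tr -d ' '
}

# Constructed `ps aux` snippet (not a real capture): Apache parent as root,
# two workers as apache, and the grep that produced the listing.
SAMPLE_PS='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      1203  0.0  0.3  72500  4100 ?        Ss   09:00   0:01 /usr/sbin/httpd -k start
apache    1210  0.0  0.5  74000  6200 ?        S    09:00   0:00 /usr/sbin/httpd -k start
apache    1211  0.0  0.5  74000  6200 ?        S    09:00   0:00 /usr/sbin/httpd -k start
deploy    2500  0.0  0.0   8000   900 pts/0    S+   09:05   0:00 grep httpd'

# Run the parser over the constructed sample; returns "apache".
detect_web_user_from_sample() {
    printf '%s\n' "$SAMPLE_PS" | web_user_from_ps 'httpd|apache2'
}

# Real use (as root, MAGENTO_ROOT being a placeholder for your store root):
# find the worker user from a live listing, see how many files differ, then
# chown only those files instead of the whole tree.
#   user=$(ps aux | web_user_from_ps 'httpd|apache2')
#   files_not_owned_by "$MAGENTO_ROOT" "$user"
#   find "$MAGENTO_ROOT" ! -user "$user" -exec chown "$user" {} +
```

The pattern covers both the httpd and apache2 binary names, since the process name depends on the distribution. The authoritative answer is the User directive in your Apache configuration; the ps parse is a quick cross-check that agrees with it on a healthy server.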
P.S. To revert the patch, just follow the steps through but run this command instead of the command to apply the patch:
sh patch-1.sh -R
If you would rather let someone else manage the hassle of patching then get in touch. Any questions or queries let us know in the comments below.