July 05, 2012

Important Magento Security Update

Magento recently posted an important security update that affects all versions prior to CE 1.7.0.2 and EE 1.12.0.2. The vulnerability is specifically in the Zend Framework’s Zend_XmlRpc module, which means that any application built on the Zend Framework is potentially vulnerable. See: ZF2012-01

Nexcess implements a Web Application Firewall that should offer protection from this vulnerability. However, it is imperative that you patch your Magento software immediately to be completely safe. Here is what you need to do to patch your Magento application:

1. Download the appropriate patch from Magento’s website for your version:

2. Upload the patch to your Magento root directory via FTP or Siteworx File Manager.
3. Log in to your SSH account, change to your Magento root directory, and run the patch command:

    $ patch -b -p0 < CE_1.5.0.0-1.7.0.1.patch
    patching file lib/Zend/XmlRpc/Response.php
    patching file lib/Zend/XmlRpc/Request.php

4. You may need to clear the Magento cache or re-compile if you are using the Mage_Compiler.

Note: The latest versions of Magento CE (1.7.0.2) and EE (1.12.0.2) have already been patched for this vulnerability.
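
As an added example (not part of Magento's or Nexcess's instructions), the script below wraps step 3 in a dry run so the patch is applied only when it applies cleanly, and an already-patched tree is recognized rather than patched twice. It assumes GNU patch; `patch_state` and `apply_checked` are hypothetical helper names.

```bash
#!/usr/bin/env bash
# Added example, not Magento's or Nexcess's code. Assumes GNU patch.
# patch_state and apply_checked are hypothetical helper names.

# Print "pending", "applied" or "conflict" for patch file $2 against tree $1.
patch_state() {
    local root="$1" pfile="$2"
    # Forward dry run: succeeds only if every hunk still applies cleanly.
    if patch -d "$root" -p0 -f -s --dry-run < "$pfile" >/dev/null 2>&1; then
        echo pending
    # Reverse dry run: succeeds only if the tree already contains the change.
    elif patch -d "$root" -p0 -f -s -R --dry-run < "$pfile" >/dev/null 2>&1; then
        echo applied
    else
        # Neither direction fits: modified files or a patch for another version.
        echo conflict
    fi
}

# Apply the patch only when the dry run is clean, then confirm the result.
apply_checked() {
    local root="$1" pfile="$2"
    case "$(patch_state "$root" "$pfile")" in
        applied)
            echo "already patched"
            return 0 ;;
        conflict)
            echo "patch does not apply cleanly; nothing was changed" >&2
            return 1 ;;
    esac
    # -b keeps a .orig backup of each patched file, as in step 3.
    patch -d "$root" -b -p0 -f -s < "$pfile" || return 1
    [ "$(patch_state "$root" "$pfile")" = applied ]
}

# Usage from the Magento root:
#   apply_checked . CE_1.5.0.0-1.7.0.1.patch
```

A `conflict` result usually means the core files were modified locally or the patch is for a different Magento version, so the tree should be inspected before anything is forced.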

If you have any questions or would like any assistance with this, please do not hesitate to contact us at support@nexcess.net.

Nexcess