Magento shops attacked through Zend vulnerability
A critical vulnerability in the Zend Framework can be exploited by remote attackers to access arbitrary files from online shops using the eBay-owned Magento eCommerce platform. This is because the Zend XML-RPC component used by Magento is vulnerable to XML eXternal Entity (XXE) injection attacks; successfully exploiting the hole can allow an attacker to read private information such as database configuration and customer data including complete order histories.
While the problem has already been publicly known for nearly two months, a number of shop owners have yet to update or patch their software: The H's associates at heise Security were provided with a list of more than 24 shops that were vulnerable until recently – or still are. In many cases, heise Security was still able to reproduce the problem on Tuesday 14 August. In a blog post about the hole, the creator of the list provided to heise says that 50 online shops were randomly selected and tested late last week; of these nearly half were still vulnerable. Considering that the issue has been known since the end of June and that an exploit is publicly available, this rate is quite worrisome.
The Magento developers have fixed the problem in version 220.127.116.11 of the open source Community Edition and in version 18.104.22.168 of the Enterprise Edition of their software. Patches are provided for older versions of the Community Edition, while workarounds are offered for Enterprise Edition versions prior to 22.214.171.124. Zend has closed the hole in versions 1.11.12 and 1.12.0 of the Framework; the fifth beta for 2.0.0 also fixes the problem.
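One way to parse XML-RPC request bodies so that a document carrying an external entity is refused, added here as an example and not taken from the Zend Framework or Magento patches. The function name `parseXmlRpcBody`, the method name `example.ping` and both sample documents are constructed for illustration.

```php
<?php
// Added example: hypothetical helper, not Zend Framework or Magento code.
function parseXmlRpcBody(string $body): DOMDocument
{
    // Before PHP 8.0 the external entity loader must be switched off by hand.
    // From 8.0 on the call is deprecated and loading is off by default.
    $restore = PHP_VERSION_ID < 80000 ? libxml_disable_entity_loader(true) : null;
    $prevErrors = libxml_use_internal_errors(true);
    try {
        $doc = new DOMDocument();
        // LIBXML_NONET forbids network fetches. LIBXML_NOENT and LIBXML_DTDLOAD
        // are deliberately absent: both make the parser resolve entities.
        if ($body === '' || !$doc->loadXML($body, LIBXML_NONET)) {
            throw new InvalidArgumentException('malformed XML-RPC request');
        }
        // XML-RPC needs no DTD, so any DOCTYPE node is grounds for rejection.
        foreach ($doc->childNodes as $node) {
            if ($node->nodeType === XML_DOCUMENT_TYPE_NODE) {
                throw new InvalidArgumentException('DOCTYPE not allowed');
            }
        }
        return $doc;
    } finally {
        // Put the global libxml state back the way the caller left it.
        libxml_clear_errors();
        libxml_use_internal_errors($prevErrors);
        if ($restore !== null) {
            libxml_disable_entity_loader($restore);
        }
    }
}

// Constructed samples: a plain call, and one declaring an external entity.
$benign  = '<?xml version="1.0"?><methodCall><methodName>example.ping</methodName></methodCall>';
$withDtd = '<?xml version="1.0"?><!DOCTYPE methodCall [<!ENTITY e SYSTEM "file:///constructed/placeholder">]>'
         . '<methodCall><methodName>&e;</methodName></methodCall>';

foreach (['benign' => $benign, 'with DOCTYPE' => $withDtd] as $label => $xml) {
    try {
        parseXmlRpcBody($xml);
        echo "$label: accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected ({$e->getMessage()})\n";
    }
}
```

A gate like this complements, and does not replace, updating to the fixed Magento and Zend Framework releases.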