In association with heise online

14 August 2012, 12:45

Magento shops attacked through Zend vulnerability

A critical vulnerability in the Zend Framework can be exploited by remote attackers to access arbitrary files from online shops using the eBay-owned Magento eCommerce platform. This is because the Zend XML-RPC component used by Magento is vulnerable to XML eXternal Entity (XXE) injection attacks; successfully exploiting the hole can allow an attacker to read private information such as database configuration and customer data including complete order histories.

While the problem has already been publicly known for nearly two months, a number of shop owners have yet to update or patch their software: The H's associates at heise Security were provided with a list of more than 24 shops that were vulnerable until recently – or still are. In many cases, heise Security was still able to reproduce the problem on Tuesday 14 August. In a blog post (German language link) about the hole, the creator of the list provided to heise says that 50 online shops were randomly selected and tested late last week; of these nearly half were still vulnerable. Considering that the issue has been known since the end of June and that an exploit is publicly available, this rate is quite worrisome.

The Magento developers have fixed the problem with in version of the open source Community Edition and in version of the Enterprise Edition of their software. Patches are provided for older versions of the Community Edition, while workarounds are offered for Enterprise Edition versions prior to Zend has closed the hole in versions 1.11.12 and 1.12.0 of the Framework; the fifth beta for 2.0.0 also fixes the problem.
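
For shop operators who want to see what hardening against this class of flaw looks like, here is a defensive parsing pattern for XML-RPC request bodies, given as an added example that is not code from Zend, Magento or the original article. The helper name `parse_xmlrpc_request()` and the sample requests are hypothetical and constructed for illustration.

```php
<?php
// Added example (not Zend Framework or Magento code).
// parse_xmlrpc_request() is a hypothetical helper name.

function parse_xmlrpc_request(string $body): SimpleXMLElement
{
    // libxml2 releases before 2.9 could load external entities by default,
    // so on PHP < 8.0 switch the entity loader off for this parse.
    // (libxml_disable_entity_loader() is deprecated as of PHP 8.0.)
    $oldLoader = PHP_VERSION_ID < 80000 ? libxml_disable_entity_loader(true) : null;
    $oldErrors = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        // No LIBXML_NOENT / LIBXML_DTDLOAD: entities are not substituted and
        // no external DTD is fetched. LIBXML_NONET also forbids network access.
        if ($body === '' || !$dom->loadXML($body, LIBXML_NONET)) {
            throw new InvalidArgumentException('Malformed XML-RPC request');
        }
        // XML-RPC never needs a DTD, so any DOCTYPE node is rejected outright.
        // Checking the parsed tree also catches UTF-16 encoded bodies that a
        // plain string search for "<!DOCTYPE" would miss.
        foreach ($dom->childNodes as $node) {
            if ($node->nodeType === XML_DOCUMENT_TYPE_NODE) {
                throw new InvalidArgumentException('DOCTYPE not allowed in XML-RPC request');
            }
        }
        return simplexml_import_dom($dom);
    } finally {
        // Restore global libxml state so other code is unaffected.
        libxml_clear_errors();
        libxml_use_internal_errors($oldErrors);
        if ($oldLoader !== null) {
            libxml_disable_entity_loader($oldLoader);
        }
    }
}

// Constructed sample inputs: one ordinary call, one that declares a DTD.
$plain   = '<?xml version="1.0"?><methodCall><methodName>example.ping</methodName><params/></methodCall>';
$withDtd = '<?xml version="1.0"?><!DOCTYPE methodCall [<!ENTITY e "x">]>'
         . '<methodCall><methodName>&e;</methodName><params/></methodCall>';

echo parse_xmlrpc_request($plain)->methodName, "\n";
try {
    parse_xmlrpc_request($withDtd);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

A guard like this complements the vendor updates and patches and does not replace them.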

