Yesterday, Magento released an announcement on a serious security vulnerability in previous versions of Magento that “potentially allows an attacker to read any file on the web server” that “might include password files, configuration files, and possibly even databases if they are stored on the same machine as the Magento web server”. The vulnerability is due to a vulnerability in the XmlRpc component of the Zend Framework, which was announced last week. The details of the vulnerability can be found in the advisory by SEC Consult.
Magento has provided several solutions for protecting against this vulnerability. There is a workaround, patch files for older version of Magento, and a new release, 220.127.116.11, which is secured against the vulnerability. The workaround and patch files will resolve this issue for Magneto installations still running on outdated versions, but we would recommend, as always, that you upgrade to the latest version of software you run (the previous release, 18.104.22.168, fixed “some potential security vulnerabilities” according to Magento).
If you use any software that has the Zend Framework you should check to for an update or announcement from the developers on the status of the vulnerability in the software. Piwik announced last week that the current version of Piwik is not vulnerable as “Piwik neither uses nor includes the XmlRpc component from Zend Framework”. OpenX does contain the XmlRpc component and uses it, we didn’t check if their use is vulnerable but we did inform them of the vulnerability (we would strongly recommend strongly recommend against using anything from OpenX as they continue to have an atrocious security record). There are several WordPress plugins which contain the vulnerable component and we have informed the WordPress.org Plugin Directory maintainers of the vulnerability so they can take appropriate action.