Hey, All your SimpleXML powered sites belong to us.

The latest update to Zend Framework fixes a major issue with with XML-RPC client and server classes.

http://devzone.zend.com/2397/zend-framework-1-11-12-released/

The problem actually lies in the php class it relies on, SimpleXML, which as the ability to load arbitrary external files (entities).

A new method was added to PHP 5.2.11 to address this issue called “libxml_disable_entity_loader”.

http://us3.php.net/manual/en/function.libxml-disable-entity-loader.php

And the first attacks in the wild are targeting all version of magento.
The magento team has released an emergency patch for this issue for all version of magento from 4.2.0 and up.
http://www.magentocommerce.com/blog/comments/important-security-update-zend-platform-vulnerability/

Check your code. If your using SimpleXML to parse XML which comes from external sources, your vulnerable and if your using an out-of-date verson of php, there’s not much you can do about it.

 

derak

 

Leave a Reply

Your email address will not be published. Required fields are marked *