October 31, 2015
We recently released SUPEE-6788, a bundle of patches that resolve several security-related issues, including a vulnerability in the Zend Framework where specially crafted requests can allow the attacker to access system files in some server configurations.
Dawid Golunski notified us that this bug existed and provided proof of concept code through our Bug Bounty program under responsible disclosure guidelines, and we fixed the issue, along with several other issues, with SUPEE-6788. Since the issue was made public by the researcher yesterday, it is possible we will soon see automated attacks on Magento installations using this or similar code and it is critical that this patch is implemented as soon as possible. The patch is already included in Magento Enterprise Edition 184.108.40.206 and Community Edition 220.127.116.11, so, instead of patching, you can also upgrade.
This issue applies to the Zend Framework, a third-party code library included in the Magento distribution. You can find more information about the original issue here: http://legalhackers.com/advisories/zend-framework-XXE-vuln.txt
Magento merchants are advised to follow best practices to ensure the security of their sites, keep their systems up to date and implement patches. Please refer to SECURITY BEST PRACTICES FOR Community Edition or SECURITY BEST PRACTICES FOR Entereprise Edition for additional information on how to secure your site.
To download the patch, choose from the following options:
Partners: Go to the PARTNER PORTAL, select Technical Resources and then select Download from the Enterprise Edition panel. Next, navigate to Magento Enterprise Edition > Patches & Support and look for the folder titled "Security Patches – October 2015."
Enterprise Edition Merchants: Go to MY ACCOUNT, select the Downloads tab, and then navigate to Magento Enterprise Edition > Support Patches. Look for the folder titled “Security Patches – October 2015.” Merchants can also upgrade to the latest version of the Enterprise Edition and receive the security fixes as part of the core code.
Community Edition Merchants: Patches for earlier versions of Community Edition can be found on the Community Edition DOWNLOAD PAGE (look for SUPEE-6788). Merchants can also upgrade to the latest version of Magento Community Edition and receive the security fixes as part of the core code.
Be sure to implement and test the patch in a development environment first to confirm that it works as expected before deploying it to a production site. Please refer to information about installing patches for MAGENTO ENTERPRISE EDITION and MAGENTO COMMUNITY EDITION available online.