Marcel Hauri, Magento Certified Developer

Magento - Zend Framework 1 Security Vulnerability

Magento - Zend Framework 1 Security Vulnerability

On Friday the 13th, Magento announced a new vulnerability in the Email Component of Zend Framework 1 and 2, a component which is used by all Magento 1 and Magento 2 versions.

This vulnerability is serious and can lead to a remote code execution attack if your server uses Sendmail as a mail transport agent. The attack is performed by providing additional quote characters within an address. When unsanitized, they can be interpreted as additional command line arguments to the system sendmail program, leading to the vulnerability.

Magento is currently working to provide patches to close this vulnerability. They also provide a quick solution to prevent your Shop from a possible attack, by checking your mail sending settings and disabling the "Set Return-Path".

Magento 1:

System-> Configuration-> System-> Mail Sending Settings-> Set Return-Path

Magento 2:

Stores-> Configuration-> Advanced-> System-> Mail Sending Settings-> Set Return-Path

If “Set Return-Path” is set to “Yes,” and your server uses Sendmail, then your store is vulnerable to this exploit. As the risk is very high it's strongly recommended to turn off the “Set Return-Path” setting (switch to “No”), regardless of the transport agent used.

Update

Ian Cassidy demonstrates an easy way to check and set the Magento mail settings with n98-magerun which is great if you have multiple clients.

Get mail return path settings for Magento 1 & Magento 2

n98-magerun.phar config:get --scope="default" --scope-id="0" system/smtp/set_return_path

Set mail return path settings for Magento 1 & Magento 2

n98-magerun.phar config:set --scope="default" --scope-id="0" system/smtp/set_return_path 0
Article: OroCommerce 1.0 Release Is Now Available

The first release of Orocommerce, the long-announced B2B e-commerce solution, is now available. The…

MageStackDay on February 3rd & 4th 2017
Article: MageStackDay on February 3rd & 4th 2017

MageStackDay is an online hackathon dedicated to answering, closing and cleaning up questions on mag…