A-A+

Fatal error: Call to undefined function libxml_disable_entity_loader() in \app\code\core\Zend\XmlRpc\Response.php on line 179

2012年09月22日 灵犀一指 Fatal error: Call to undefined function libxml_disable_entity_loader() in \app\code\core\Zend\XmlRpc\Response.php on line 179已关闭评论 阅读 4,990 人 次

升级1.70,出现这个错误:

[php]Fatal error: Call to undefined function libxml_disable_entity_loader() in /app/code/core/Zend/XmlRpc/Response.php on line 179
[/php]

解决办法是:

The Issue

The vulnerability potentially allows an attacker to read any file on the web server where the Zend XMLRPC functionality is enabled. This might include password files, configuration files, and possibly even databases if they are stored on the same machine as the Magento web server.

Solution

We recommend that all Magento implementations install the latest patch appropriate for your platform:

Magento Enterprise Edition and Professional Edition merchants:
You may access the Zend Security Upgrade patch from Patches & Support for your product in the Downloads section of your Magento account. Account log-in is required.
Download

Magento Community Edition merchants:
Community Edition 1.4.0.0 through 1.4.1.1
Community Edition 1.4.2.0
Community Edition 1.5.0.0 through 1.7.0.1

Applying the patch via SSH

Here is an example as to how to apply the patch file via SSH for a 1.4 store

cd /home/mystore/public_html
wget -qO - http://www.magentocommerce.com/downloads/assets/1.7.0.2/CE_1.4.0.0-1.4.1.1.patch | patch -p0

Applying the patch by replacing the file

If you are unsure as to how to patch the files using the command line, we have pre-patched the files for the relevant version for your convenience, so you can download the file and replace as effected. We cannot upload the Enterprise patch – but if you get in touch, we would be glad to help.

Community Edition 1.4.0.0 through 1.4.1.1
./lib/Zend/XmlRpc/Request.php
./lib/Zend/XmlRpc/Response.php

Community Edition 1.4.2.0
./lib/Zend/XmlRpc/Request.php
./lib/Zend/XmlRpc/Response.php

Community Edition 1.5.0.0 through 1.7.0.1
./lib/Zend/XmlRpc/Request.php
./lib/Zend/XmlRpc/Response.php

Please note. This is only suitable if you haven’t made any modifications to this file.

Workaround

If the patch cannot be applied immediately, the following instructions can be followed to temporarily disable the RPC functionality that contains the vulnerability. Please be advised, any integrations that rely on the XMLRPC API functionality will no longer work after this workaround is implemented.

1. On the Magento web server, navigate to the www-root where Magento app files are stored.
2. In the wwwroot, navigate to /app/code/core/Mage/Api/controllers.
3. Open XmlrpcController.php for editing.
4. Comment out or delete the body of the method: public indexAction()
5. Save the changes.

Additional Notes

Users with existing IDS capability may monitor the RPC interface to watch for attacks. As always, we recommend maintaining an up-to-date installation of the Magento platform as the best way stay secure.

The latest releases of Magento (Community Edition 1.7.02 and Enterprise Edition 1.12.02) incorporate the appropriate patches. please use correct versions of releases 1.7.0.2 and 1.12.0.2 .

标签:

评论已关闭!