A new vulnerability has been found in a Zend Framework 1 and 2 email component within Magento, the e-commerce software.  Find out how you can protect yourself, for free…

 

What is Zend?

The affected Zend Framework email component is used by all Magento 1 and Magento 2 software, as well as by other PHP solutions.  The vulnerability is serious: it can lead to a remote code execution attack if your server uses Sendmail as its mail transport agent.

 

What do I need to do?

To protect your site from this vulnerability, you should immediately check your mail sending settings.  Go to the system settings used to control the “Reply to” address for emails sent from your Magento store.

If you use any version of Magento 1, navigate to the following menu:

System -> Configuration -> Advanced -> System -> Mail Sending Settings -> Set Return-Path

If you use Magento 2, navigate to the following menu:

Stores -> Configuration -> Advanced -> System -> Mail Sending Settings -> Set Return-Path

If “Set Return-Path” is set to “Yes” and your server uses Sendmail, then your store is vulnerable to this exploit.  Magento Enterprise Cloud Edition customers do not need to worry about this issue: Magento’s hosts have already checked the configuration themselves, so you are no longer at risk.

While we have not yet observed attacks using this vulnerability, the risk is very high.  Until patches are available, we strongly recommend that you turn off the “Set Return-Path” setting (switch to “No”), regardless of the transport agent used. Magento is currently working to provide patches to close this vulnerability and we expect they will be available in the next several weeks.
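To audit the setting outside the admin panel, the following added example (not part of the original advisory and not Magento's code) reads a tab-separated export of the `core_config_data` table and classifies each stored “Set Return-Path” value. It assumes the setting is stored under the config path `system/smtp/set_return_path` with values 0/1/2 for No/Yes/Specified; the sample rows and the `audit_return_path` helper are constructed for illustration.

```python
import csv
import io

# Assumed config path behind "Set Return-Path" (not stated in the advisory).
RETURN_PATH_KEY = "system/smtp/set_return_path"
# Stored dropdown values; "Specified" is the third option next to No/Yes.
LABELS = {"0": "No", "1": "Yes", "2": "Specified"}

# Constructed sample: tab-separated output of a query such as
#   SELECT scope, scope_id, path, value FROM core_config_data
#   WHERE path LIKE 'system/smtp/%';
SAMPLE_EXPORT = (
    "scope\tscope_id\tpath\tvalue\n"
    "default\t0\tsystem/smtp/disable\t0\n"
    "default\t0\tsystem/smtp/set_return_path\t1\n"
    "default\t0\tsystem/smtp/return_path_email\tNULL\n"
)


def audit_return_path(export_text, uses_sendmail):
    """Return one finding per stored Set Return-Path row in the export."""
    findings = []
    reader = csv.DictReader(io.StringIO(export_text), delimiter="\t")
    for row in reader:
        if row.get("path") != RETURN_PATH_KEY:
            continue
        value = (row.get("value") or "").strip()
        if value == "0":
            status = "ok"  # already switched to "No"
        elif value in LABELS:
            # Enabled: vulnerable with Sendmail, and to be disabled on any transport.
            status = "vulnerable" if uses_sendmail else "disable"
        else:
            status = "check-admin"  # empty or unexpected value, verify by hand
        findings.append({"scope": row.get("scope"), "scope_id": row.get("scope_id"),
                         "setting": LABELS.get(value, "unrecognised"),
                         "status": status})
    if not findings:
        # Nothing stored: the shipped default applies, so confirm it in the admin panel.
        findings.append({"scope": "default", "scope_id": "0",
                         "setting": "not stored", "status": "check-admin"})
    return findings


if __name__ == "__main__":
    for f in audit_return_path(SAMPLE_EXPORT, uses_sendmail=True):
        print("{scope}/{scope_id}: Set Return-Path = {setting} -> {status}".format(**f))
```

Any row reported as `vulnerable` or `disable` should be switched to “No” in the admin menu described above.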

 

Looking for more information?

You can follow us for updates on Facebook and Twitter – we’ll let you know as updates are announced.  As always, if you need help with your own Magento installation, please contact us.