Magento New Zend Framework 1 Security Vulnerability Update

  • Posted by Envision Ecommerce
  • January 16, 2017

Recently, a serious vulnerability has come to light in the Zend Framework 1 email component that Magento uses. Magento 1, Magento 2 and many other PHP solutions make use of this component. The vulnerability can give attackers the opportunity to achieve remote code execution if your server uses Sendmail as its mail transport agent.

So don’t be a victim! To protect your Magento store against this security breach, we strongly recommend that you immediately examine your mail sending settings. The relevant settings are the ones that control the “Return-Path” (reply-to) address for emails sent from your Magento store:

Magento 1: System-> Configuration-> Advanced-> System-> Mail Sending Settings-> Set Return-Path

Magento 2: Stores-> Configuration-> Advanced-> System-> Mail Sending Settings-> Set Return-Path

First off, you need to examine the value set for “Set Return-Path”. If this value is set to “Yes” and your server makes use of Sendmail, your Magento store is vulnerable to this security breach. Enterprise Cloud Edition customers need not worry, as they are not at any major risk with their existing configurations.

We at Envision Ecommerce recommend that you switch the value of “Set Return-Path” to “No” until Magento releases a security patch for this vulnerability, irrespective of which transport agent you use. We expect Magento to provide security patches for this vulnerability over the coming weeks.
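The check described above can be scripted. The following is an added example, not code from Envision Ecommerce or from Magento: it reads the “Set Return-Path” value from a dump of Magento’s configuration table and the mail transport from php.ini, and reports whether the combination the post warns about (Return-Path enabled plus a Sendmail transport) is present. The configuration path names (`system/smtp/set_return_path`, `system/smtp/return_path_email`) and the sample rows are assumptions about how Magento stores this option; confirm them against your own installation before relying on the result.

```python
"""Audit Magento mail-sending settings for the Zend Framework 1 Sendmail issue.

Added example (not Magento's or the post author's code). Input formats and the
config path names are assumptions; the sample data below is constructed.
"""

# Constructed sample of what `mysql -e "SELECT path, value FROM core_config_data
# WHERE path LIKE 'system/smtp/%'"` prints in tab-separated batch mode.
SAMPLE_CONFIG_DUMP = """path\tvalue
system/smtp/disable\t0
system/smtp/host\tlocalhost
system/smtp/port\t25
system/smtp/set_return_path\t1
system/smtp/return_path_email\tbounces@example.com
"""

# Constructed php.ini fragment. Magento hands mail to PHP's mail(), so the
# sendmail_path directive decides which transport binary actually runs.
SAMPLE_PHP_INI = """[mail function]
; For Unix only. You may supply arguments as well.
sendmail_path = /usr/sbin/sendmail -t -i
"""


def parse_config_dump(text):
    """Turn mysql batch output (header line, then path<TAB>value rows) into a dict."""
    rows = {}
    for line in text.splitlines()[1:]:  # skip the 'path\tvalue' header
        if not line.strip():
            continue
        path, _, value = line.partition("\t")
        rows[path.strip()] = value.strip()
    return rows


def parse_sendmail_path(ini_text):
    """Return the sendmail_path value from php.ini text, or None if unset."""
    for line in ini_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "sendmail_path":
            return value.strip().strip('"') or None
    return None


def audit_mail_settings(config, sendmail_path):
    """Classify the store's exposure to the Return-Path / Sendmail issue.

    Returns 'vulnerable' when Set Return-Path is Yes and the transport binary is
    sendmail, 'warning' when Set Return-Path is Yes with another transport (the
    post recommends switching it to No regardless), and 'ok' otherwise.
    """
    set_return_path = config.get("system/smtp/set_return_path", "0") == "1"
    binary = sendmail_path.split()[0] if sendmail_path else ""
    # Treat any binary named 'sendmail' as the Sendmail transport; MTAs such as
    # Postfix ship a sendmail-compatible wrapper under the same name.
    uses_sendmail = binary.rstrip("/").split("/")[-1] == "sendmail"

    if set_return_path and uses_sendmail:
        status = "vulnerable"
    elif set_return_path:
        status = "warning"
    else:
        status = "ok"

    return {
        "set_return_path": set_return_path,
        "return_path_email": config.get("system/smtp/return_path_email", ""),
        "transport_binary": binary,
        "uses_sendmail": uses_sendmail,
        "status": status,
        "recommendation": (
            "Set 'Set Return-Path' to No (System/Stores > Configuration > Advanced > "
            "System > Mail Sending Settings) until a Magento patch is applied."
            if set_return_path else "No change needed."
        ),
    }


if __name__ == "__main__":
    result = audit_mail_settings(parse_config_dump(SAMPLE_CONFIG_DUMP),
                                 parse_sendmail_path(SAMPLE_PHP_INI))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it against a real dump by piping `mysql -e ...` output and your php.ini into `parse_config_dump` and `parse_sendmail_path`; the status is deliberately conservative, so a custom SMTP extension that bypasses PHP `mail()` will still be reported as a warning whenever “Set Return-Path” is Yes.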

If you need help, you can contact us for a security analysis. We’d be glad to guide you through the analysis and tell you whether your Magento store is exposed to this security breach.