Magento Update: Zend Framework Vulnerability Security Update

As some questions have come up, we wanted to provide some clarification to the blog post “Important Security Update – Zend Platform Vulnerability” posted on July 5, 2012.

As outlined in that post, all Magento merchants on a deployed platform are strongly recommended to protect themselves from the Zend Framework vulnerability.

We have added further instructions on how to protect your business. Please apply the solution below that corresponds to your version of Magento.

Magento Enterprise Edition

  • As best practice, we recommend that all Enterprise Edition merchants upgrade if possible to the latest release (v1.12.0.2) to take advantage of the latest fixes and features.
  • Depending on your platform version, please find the appropriate solution for you:
EE Upgrade to the latest release (Navigate to Downloads > Magento Enterprise Edition > Release – account log-in is required)
EE – 1.11.X.X Apply the Zend Security Upgrades patch (Navigate to Downloads > Magento Enterprise Edition > Patches & Support – account log-in is required)
Versions prior to EE Implement the workaround (instructions below)

Magento Professional Edition

  • For all versions of Professional Edition, please apply the Zend Security Upgrades patch (Navigate to Downloads > Magento Professional Edition > Patches & Support – account log-in is required)

Magento Community Edition

  • As a best practice, we recommend that all Community Edition merchants upgrade if possible to the latest release (v1.7.0.2) to take advantage of the latest fixes and features.
  • Depending on your platform version, please find the appropriate solution:
CE Upgrade to the latest release
CE – 1.6.X.X Apply this patch
CE Apply this patch
CE – Apply this patch
Versions prior to CE Implement the workaround (instructions below)

Magento Go

Magento Go customers will not need to make any updates. All fixes will be applied automatically on the backend.

Instructions on Applying the Patch

  • 1. Go to your Magento root directory: cd /home/mystore/public_html
  • 2. wget -O patch_name.patch PATCH_URL
  • 3. Download the patch from the provided link appropriate for your version (the wget line above does this from the Unix command prompt; PATCH_URL stands for that link)
  • 4. Apply the patch: patch -p0 < patch_name.patch

*Note that if you are running more than one web server, the patch will need to be applied to all the servers.


If an upgrade cannot be performed or the patch cannot be applied immediately, the following instructions can be followed to temporarily disable the RPC functionality that contains the vulnerability.

Please note that this workaround can only be applied to versions of CE 1.4 and below and EE 1.8 and below.

Also, please be advised that any integrations that rely on the XMLRPC API functionality will no longer work after this workaround is implemented.

  • 1. On the Magento web server, navigate to the www-root where Magento app files are stored.
  • 2. In the wwwroot, navigate to /app/code/core/Mage/Api/controllers.
  • 3. Open XmlrpcController.php for editing.
  • 4. Comment out or delete the body of the method: public function indexAction()
  • 5. Save the changes.

Technical Clarification

As some of our experienced community members have discovered, the development fix in CE and EE differs from the fix provided in the patches. In the latest releases, we decided not to modify the Zend library directly, but to override the vulnerable methods within Magento code by adding two new classes:

  • app/code/core/Zend/XmlRpc/Response.php
  • app/code/core/Zend/XmlRpc/Request.php

We did this in order to keep coherency of the underlying Zend Framework version 1.11.1 for Magento 1.X. We are planning to upgrade the Zend Framework in Magento in the upcoming releases.
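An added example (not Magento's code): a Python audit, meant to be run on each web server, that reports whether a Magento tree contains the two override classes named above or has the XmlrpcController workaround in place. The status names, helper functions and sample controller text are constructed for illustration; a tree fixed with the Zend Security Upgrades patch is reported as needs-review, because this page does not say which files that patch changes.

```python
import re
import tempfile
from pathlib import Path

# Paths as given on this page, relative to the Magento root.
OVERRIDES = (
    "app/code/core/Zend/XmlRpc/Request.php",
    "app/code/core/Zend/XmlRpc/Response.php",
)
CONTROLLER = "app/code/core/Mage/Api/controllers/XmlrpcController.php"

# PHP comment forms: /* ... */, // ... and # ... to end of line.
_COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
_INDEX_ACTION = re.compile(r"function\s+indexAction\s*\([^)]*\)\s*\{")

# Constructed sample controllers (not copied from a Magento release).
STOCK = """<?php
class Mage_Api_XmlrpcController extends Mage_Api_Controller_Action
{
    public function indexAction()
    {
        $this->_getServer()->init($this, 'xmlrpc')->run();
    }
}
"""
DISABLED = """<?php
class Mage_Api_XmlrpcController extends Mage_Api_Controller_Action
{
    public function indexAction()
    {
        // $this->_getServer()->init($this, 'xmlrpc')->run();
        /* disabled until the patch is applied { */
    }
}
"""


def index_action_body(php_source):
    """Code left inside indexAction() once comments are stripped.

    Returns None when the method or its closing brace cannot be found.
    Comments are removed before brace matching so that a brace inside a
    comment cannot end the method early.
    """
    src = _COMMENTS.sub("", php_source)
    m = _INDEX_ACTION.search(src)
    if m is None:
        return None
    depth = 1
    for i in range(m.end(), len(src)):
        depth += (src[i] == "{") - (src[i] == "}")
        if depth == 0:
            return src[m.end():i].strip()
    return None


def audit(root):
    """Classify one Magento root; any live code in indexAction() fails the check."""
    root = Path(root)
    if all((root / p).is_file() for p in OVERRIDES):
        return "override-classes-present"
    controller = root / CONTROLLER
    if not controller.is_file():
        return "controller-missing"
    body = index_action_body(controller.read_text(errors="replace"))
    return "workaround-applied" if body == "" else "needs-review"


def _write(root, rel, text):
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)


def demo():
    """Audit three constructed trees: stock, workaround, and release layout."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, controller, overrides in (("stock", STOCK, False),
                                            ("workaround", DISABLED, False),
                                            ("release", STOCK, True)):
            root = Path(tmp) / name
            _write(root, CONTROLLER, controller)
            for rel in OVERRIDES if overrides else ():
                _write(root, rel, "<?php // constructed placeholder\n")
            results[name] = audit(root)
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:12} {status}")
```

On a real server, call `audit("/home/mystore/public_html")` with that server's Magento root and compare the result across every web server in the pool.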

The Magento REST API: A Better Way to Integrate Business Applications

Merchants have been asking for a fast and secure way to integrate more business applications within Magento. We’ve met this request by introducing the Magento REST API as part of the Magento Enterprise 1.12 and Community 1.7 releases.

Noteworthy benefits of the REST API include simplicity, ease of testing and troubleshooting, and better performance. It allows you to manage customers, customer addresses, sales orders, inventories and products using HTTP verbs such as GET, POST, PUT and DELETE. Data requests and responses can be in XML or JSON format.

REST Resources

REST resources are simply the entities or identities that are exposed to the developer. REST defines the identity of the resource via the URI (uniform resource identifier). Each resource has a unique URL address and any interaction with a resource takes place at its URI. The following resources are supported in CE

  • Products: Allows you to retrieve the list of products, create a simple product, and update or delete a product.
  • Product Categories: Allows you to retrieve the list of categories assigned to a product and assign or unassign a category to a product.
  • Product Websites: Allows you to retrieve the list of websites assigned to a product and assign or unassign a website to a product.
  • Customers: Allows you to retrieve the list of customers and create, update, or delete a customer.
  • Customer Addresses: Allows you to retrieve the list of customer addresses, and create, update, or delete an address.
  • Inventory: Allows you to retrieve the list of stock items and update a stock item.
  • Sales Orders: Allows you to retrieve the list of sales orders and specific order information.
  • Sales Order Items: Allows you to retrieve the items for a specific order.
  • Sales Order Addresses: Allows you to retrieve billing and shipping addresses for an order.
  • Sales Order Comments: Allows you to retrieve comments for a specific order.

Preparing to Use REST API with Magento

From the Magento store admin panel:

  • Set up permissions to operate with resources for the three different user types: admin, customer, and guest. The admin is the backend logged-in user, the customer is the frontend logged-in user, and the guest is a non-logged-in frontend user.
  • Configure which attributes each user type is allowed to retrieve or update.
  • Register the third-party application (setting up consumer) and provide the information to the third-party application.

For a more detailed explanation with sample data, check out our wiki page. As always, we welcome your feedback and are eager to help with any issues you may encounter. Please use our bug tracker and choose the Webservices API from the Category selection.

Magento Community 1.7 and Enterprise 1.12 Release Features


Magento has announced the latest Magento releases: Magento Enterprise 1.12 and Community 1.7. The recent enhancements to these powerful eCommerce offerings help merchants provide a more personalized shopping experience for their customers.

Benefits include easier order placement, mobile optimization and multiple wish lists. These enhancements give merchants greater potential to boost consumer engagement, increase conversions and transaction size, and foster brand loyalty.

All merchants, including those running B2B businesses, can take advantage of improved customer segmentation and ordering capabilities, while those operating in Europe can use our new features to stay compliant with EU regulations.

Of course, the latest releases have lots in store for developers too, including a new API and backup and rollback systems.

Read on to learn about the key features in our new releases and how they can benefit you.


Mobile HTML5

Quickly and easily create a storefront optimized for mobile devices so customers can shop even when they’re on the go. This mobile interface uses HTML5 technology and supports iPhone, Android and Mobile Opera browsers. It includes out-of-the-box features such as:

  • Device-specific media capabilities for audio and video
  • User-friendly search and results display
  • Clean display of product detail pages
  • Pinch, multi-touch and scaling images
  • Easy swipe between product images
  • Zoom capabilities
  • Cross-sell and up-sell capabilities
  • Drag-and-drop of products to the shopping cart

Visitor Segmentation

Tap into a whole new customer segment – unknown site visitors. Whether they’re new visitors or returning customers who have not logged in, you’ll now be able to identify and target them with special promotions to convert browsers into buyers.


Expanded Rule-based Product Relations

Our rule-based product-relations functionality allows merchants to target specific customer segments with product recommendations. Pinpoint specific customers with up-sells, cross-sells and related products to create a more relevant shopping experience.


Auto-generation of Coupon Codes

Generate a set of unique coupon codes for each promotion you run and export the list of codes for offline distribution, email, newsletters and more. Easily manage and monitor coupon usage and generate detailed reports.


Multiple Wish Lists

Customers can save products to multiple wish lists and copy or move items from list to list. They can make their wish lists public so they’re searchable by anyone. And merchants can review them to learn about their customers’ wants and needs.


Layered Navigation Pricing Enhancement

We’ve introduced a new set of algorithms for price-layered navigation that provides much greater flexibility. Now you can display a range of prices that is based on having a similar number of products within each range, giving you better control of your customers’ search results, and helping your customers find what they’re looking for faster.


Customer Group Pricing

One price doesn’t always fit all. This tool allows you to create different price points for different customer groups, such as wholesalers and retailers. You can determine both base price and tiered price levels.


Add to Cart by SKU

Streamline the ordering process, especially for B2B customers, by enabling them to enter a list of SKUs without having to go into product pages. This simplifies large orders, recurring orders and ordering based on offline catalogs.


REST APIs Support

The new Magento REST API uses the three-legged OAuth 1.0a protocol to allow applications to safely access Magento services. What does this mean for you? You can manage customers, customer addresses, sales orders, inventories and products using HTTP verbs (GET, POST, PUT, DELETE). Data requests and responses can be in XML or JSON format.

This initial version of the REST API supports the following functions:

  • Create/Retrieve/Update/Delete a simple product
  • Retrieve a list of orders and specific order information
  • Update/Retrieve catalog inventory
  • Create/Retrieve/Update/Delete complete customer information

European Union VAT-ID Validation

This feature facilitates the tax collection process for online businesses in the EU and greatly simplifies international B2B transactions by automatically applying the correct tax rules. Taxes can be calculated and charged according to VAT customer groups, based on customer shipping or billing addresses and VAT IDs.


EU Cookie Restriction

Our response to the recent EU Privacy and Electronic Communications Directive? A new cookie notification feature that simplifies the compliance process. Once enabled, a message at the top of the storefront informs site visitors about the cookie policy and prompts them to accept or decline.


CMS Page Hierarchy Enhancements

Managing your CMS hierarchy tree just got easier. Now you can add CMS pages to the navigation menu without custom development. You can also create, copy or delete different CMS hierarchy trees for each website and store view individually or en masse.


Backup and Rollback

Manage and schedule a variety of backup operations with the option to rollback the changes to reverse any modifications. This feature is particularly useful when testing new modules or customizations, or when upgrading to a new version of Magento. You can review specific customizations and their impact on the new code. (We do not recommend using this feature in your production environment.)

Three types of backup are supported:

  • System Backup
  • Database Backup
  • Database and Media Backup

Payment Bridge 1.1 Updates

Magento Secure Payment Bridge, our PA-DSS certified payment application, adds multiple new payment methods. In addition to our existing supported gateways – PayPal, and Payflow Pro – we are introducing support for the following new gateways:

  • Psi Gate
  • RBS Worldpay
  • Braintree
  • First Data
  • Card Gate Plus
  • DIBS
  • eWay Direct
  • Ogone Directlink
  • Paybox
  • Payone
  • Sage Pay
  • CCAvenue

Supported by services provided by Braintree or, customers can also securely save their credit card information for future transactions in a “My Credit Cards” section in “My Account.” And with support from Kount, you can integrate fraud-screening services with your payment methods (requires separate agreement with Kount).



Now you can enable CAPTCHA functionality on your site to help prevent automated software from attempting fake logins. This auto-generated test ensures that the login is being attempted by a person and can be enabled in both the admin and customer login areas.

Meet Magento 2012 at Netherlands

This year Magento will pay another visit to The Netherlands for the conclusion of the European Magento Tour. The fourth Meet Magento conference in The Netherlands is taking place on May 29-30, 2012 and is organized by the Dutch Magento community. The event has become the most important yearly event for all Dutch users of the Magento platform, developers and partners.

On May 29th attendees will receive the “Magento Introduction” session aimed at organizations that have recently decided to create their online store with Magento. This session will help new Magento users kick start their project and serves as an excellent preparation for day two of the event.

On May 30th attendees will benefit from the Meet Magento conference day and expo from 9 am to 6 pm. The day will feature over 25 presentations on various Magento topics including marketing, business, performance and development. There will also be several English sessions for non-Dutch visitors.

If you’re in The Netherlands or doing business with Dutch Magento companies, you can’t afford to miss out on this event! More info can be found on .

Magento October 2011 Events Update

In the world of eCommerce every hour of every day means the possibility of revenue.
Learn how Magento can help your online business succeed.

Attend an eCommerce Forum sponsored by Magento and Magento Solution Partners to learn how Magento Enterprise can help you turn more browsers to buyers.

At these forums, eCommerce decision-makers will acquire a general understanding of who Magento is, what we do to empower the eCommerce ecosystem and how we can help you build a profitable online business.

Event Highlights

  • Overview and demonstration of the Magento Enterprise eCommerce solution
  • Examples of eCommerce success using Magento Enterprise
  • Networking – talk to Magento personnel, a Magento Solution Partner and other companies with the same questions and ambitions as you

These events are free of charge but for planning purposes, registration is required.

Calendar of Events

Date Location Check-in Event Partner
Seattle Marriott Waterfront
2100 Alaskan Way
11:30AM 12:00PM – 3:00PM
Oct 10 PARIS
Hôtel Novotel Vaugirard
257 rue de Vaugirard
75015 PARIS
9:00AM 10:00AM – 2:00PM
Hotel Mercure Nantes Central
4 Rue du Couedic
9:00AM 10:00AM – 2:00PM
Market Bar Chicago
1113 West Randolph
Chicago, IL 60607
6:00PM 6:30PM – 9:00PM
Drinks and food
GORILLA Register
Hotel Mercure Bordeaux Centre
5 rue Robert Lateulade
9:00AM 10:00AM – 2:00PM
2626 East 82nd Street
Suite 320
8:00AM 8:30AM – 11:30AM
Continental Breakfast
Dave and Busters, 11775 Commons Drive
Springdale, OH
5:00PM 5:30PM – 7:30PM
Drinks and Appetizers
499 Carolina Street
Potrero Hill neighborhood
12:00PM 12:30PM – 3:00PM
Lunch (Vegetarian option available)

Past Events

Date Location Check-in Event Partner
177 Huntington Avenue
13th Floor
6:00PM 6:30PM – 8:00PM
6:00PM 6:30PM – 9:00PM
55 North Arizona
9:00AM 9:30AM – 11:00AM
Thanksgiving Point
3003 N. Thanksgiving Way, Utah Room
Lehi, UT 84043
8:30AM 9:00AM – 12:00PM
Oct 04 MIAMI
Axis Building
79 SW 12 St
Miami FL, 33130
1:30PM 2:00PM – 5:00PM
  • Don’t see a city near you?
    Let us know where you want us to come next.
    Send an email to: with “eCommerce Forum” in the subject line

Introducing Magento Developer Certification Program

For years, the best Magento developers have asked for a way to establish their credentials and market their skills to the growing universe of Magento merchants and Solution Partners. At the same time, merchants and Solution Partners have wanted a more reliable means of identifying Magento developers with the expertise and experience needed to execute their projects.
To the entire Magento community, we would like to say 1) thank you for your patience, and 2) Magento Developer Certification is finally here!
If you’d like to be one of the first Magento developers to receive the certification, here is what you need to know:

What is Magento Developer Certification?

  • An objective, professional mid-advanced level certification geared toward professional developers that have real-world experience with Magento implementations
  • Sponsored by Magento
  • Created by Magento developer gurus with the input of experts from the global Magento ecosystem
  • Developed using the most rigorous industry standards and methodologies for exam development, ensuring exam’s accuracy in evaluating relevant skills

Why is this great news for all?

Magento Developer Certification benefits all members of the global Magento ecosystem:

  • Individual Developers:
    • Be recognized for your Magento skills
    • Build credibility with your peers and network
    • Differentiate yourself from the competition
    • Increase your value and income
    • Gain additional knowledge through preparation and training
    • Promote your credentials via use of the Magento Certified Developer logo on your CV or Résumé
  • Hiring Managers:
    • Easily identify qualified developers
    • Find Magento partners that have teams of Magento Certified Developers
  • Solution Partners:
    • Ensure your developers have the right skills
    • Showcase your team’s qualifications

Developers can take the exam at Innovate!

During the Innovate Developers Conference at San Francisco’s Moscone Center on October 12th – 13th, developers will have the first-ever opportunity to earn Magento Developer Certification by taking a beta version of the exam. Magento Developer Certification is the gold standard for credibility among Magento developers, partners and merchants.

How much does it cost?

Participants in the initial beta test will pay a reduced rate of $150, a $110 savings (regular price $260) for the exam. However, space is limited so register for your exam in advance to guarantee your spot! Space will be granted on a first-come, first-served basis.

How do I sign up?

Step 1: Register for the Innovate Conference.
Step 2: Register for the exam.

When do I find out about the results?

Participating developers will be notified by email 4-6 weeks after the conference. Developers who pass the exam based on the Beta exam analysis will achieve the Magento Certified Developer or Magento Certified Developer Plus credential.

What if I can’t make it to Innovate?

Starting in December, developers will be able to take the Magento Developer Certification exam at one of 10,000+ testing sites worldwide. Please check for updates here.

Magento encourages all developers to take advantage of this rewarding opportunity. If you have additional questions, please send an email to with ‘certification’ in the subject line.

Hope to see you at Innovate!

After a long wait Magento CE Version Stable – Now Available

We are excited to announce the availability of Magento CE Version Stable for download and upgrade.

The latest release is packed with new features as well as valuable code contributions from various community members around the world.

Some of the key new features in this release include:

  • Persistent shopping – retain shopping cart content for customers across user sessions, browsers and devices.
  • Minimum Advertised Price (MAP)
  • Refactoring multiple database

To see the full list of features and fixed issues please visit our release notes page. Diff files are available here.

Please Note: We do NOT recommend upgrading a production installation of Magento directly. Please back up the database and all files before upgrading, and make sure to check file permissions before trying to upgrade through your Magento Connect Manager.

Please report all issues with this release in the bug tracker.

Magento Solutions for Google Base using Google Shopping APIs


Greetings Magento Community Developers and Users,

As many of you are aware, as of June 1st 2011, the Google Base Data API has been fully retired, and merchants who are using Google Base APIs to upload products to Google should migrate to the new Google Content API Extension.

The Google Shopping API consists of two parts: Content and Search. The Content API allows you to insert, update, delete and retrieve product information from Google; the Search API allows searching uploaded items and is not part of Magento’s integration.

This new extension covers the new Content API logic and is designed for managing merchant items being uploaded to Google Base. For Magento, this simply replaces the current Google Base API logic.

Magento users can reference the following user guide documentation for additional information and instructions on how to utilize Google Shopping APIs for items with your Magento store.

Magento developers can reference the following technical overview documentation on Magento integration with Google Shopping APIs.

As always feel free to contact Rhonda or Baruch directly if you have any questions.

Magento Acquired by eBay

eBay Agrees to Acquire Magento

The past several years have been an amazing journey for Magento, as we’ve grown from a new open source platform into an eCommerce leader. Along the way, we’ve built not only a platform, but a company and a worldwide community. Together, we’ve identified opportunities, taken risks, innovated, struggled, succeeded, and changed the face of eCommerce. Today marks a milestone on this journey as we announce the most exciting news in our company’s history.

Magento has reached an agreement to be acquired by eBay Inc. We believe this move will open incredible opportunities for the entire Magento ecosystem.

The Big Picture

Why is this acquisition so exciting for all of us? eBay is evolving to become a strategic commerce partner focused on delivering new ways for merchants of all sizes to drive innovation. As a centerpiece of this strategy, they are building a global, open commerce platform that leverages the worldwide developer community. And Magento will be at the core of this new, open commerce platform, called “X.Commerce.”

Magento & eBay

As many of you know, Magento has had a relationship with eBay for some time. In March 2010, eBay became our first outside investor. Over the past year, eBay has gotten to know our platform, our culture, and our community. They have experienced the passion of the Magento ecosystem, and they are eager to harness the power of this ecosystem to create the next generation of eCommerce innovation.

Magento Forward: The Details

How will this acquisition impact our organization, customers and partners? It’s too soon to know all the details, but there are a few things we know. Magento will continue to operate out of LA, with Yoav Kutner and me as its leaders following the closing. We’ll continue building our team and enhancing our product line, including the Magento Community, Enterprise, and Mobile Editions, as well as Magento Go and the Magento Go Platform. And we’ll continue strengthening our training, education, packaged consulting services and support efforts around the world.

Through it all, we’ll be collaborating with our colleagues at eBay on developing the X.Commerce platform and defining the next generation of eCommerce innovation.

Yoav and I recorded a short video message for the community – you can find it on our blog, along with FAQs about the pending acquisition.

Creating The Future Together

To all the members of the Magento family: we thank you for all the passion, expertise and hard work that you’ve invested in Magento. Thanks to you, Magento finds itself exactly where we’ve always aimed to be: at the core of eCommerce. We are thrilled to become part of a larger organization that recognizes – as we always have – that the future of eCommerce is global, innovative and open. We look forward to creating that future with all of you.

Warm Regards,

Roy Rubin
Co-Founder and CEO, Magento

Magento Go: Their Progress and Mission

Magento Go

Posted by RoyRubin on Magento Blog

Magento Go is really going places

At Magento, we’re always looking towards the future of eCommerce. We’re constantly moving forward so quickly that we need to periodically pause and reflect on where we are today and remind ourselves just how much we owe our success to our customers, partners, community and the entire Magento ecosystem. With a few months under our belt since the launch of Magento Go, we thought this was the perfect time to look back on the unbelievable achievements you have realized thus far.

While Magento Go is still very young, the results thus far have been astounding. Tens of thousands of you have visited the site to explore, set up trials and sign-on to Go to build stores of your own. We’re seeing some very cool and innovative stores, and we’re planning to begin showcasing them in the near future.

We are committed to doing everything we can to satisfy our customers, and have been listening closely to your comments. Through your much appreciated feedback, the product itself is getting better every day and we intend to do everything we can to ensure your ongoing success. We’re continuously investing in Magento Go and quickly rolling out updates and new features. Here are just a few of our latest updates and additions to Magento Go:

Latest updates on Magento Go:

Store Design – Themes and Design Services

Many merchants have asked for help with Magento Go store design. We took your comments into consideration and have developed two new solutions to make it even easier to customize your Magento Go store. First, we are actively adding many new store themes into Magento Go so you will have a variety of options to choose from when setting up your stores. In addition, we’ve signed up some incredibly talented design partners who can help you create a custom look and feel for your Magento Go store. A preliminary list of partners is now featured on the site.

Payment Gateways

One of the most frequent requests we receive from merchants is to expand our portfolio of supported payment methods and gateways. This week we will announce the availability of SagePay for Magento Go. SAGE PAY is the UK’s largest independent payment service provider, processing millions of secure payments every month for over 33,000 businesses, from start-ups through to major online, consumer, and business brands.

Magento Go Platform

Soon we will be launching the Magento Go Platform which will allow developers to build, host and deploy custom applications for Magento Go. With the launch of this platform, you’ll be able to easily integrate a variety of apps including feature enhancements, marketing, analytic and accounting apps (among many others) from our partners and developers into your stores directly. Last week the Magento Go Platform entered beta and it has received amazing feedback from our beta testers.

We’ve come a long way since the initial launch just a few weeks ago, but we can’t wait to see just how far you can take Magento Go. We want to extend a very special thank you for your continued support and ask you to stay tuned for more to come! We couldn’t be more excited!