As some questions have come up, we wanted to provide some clarification to the blog post “Important Security Update – Zend Platform Vulnerability” posted on July 5, 2012.
As outlined in that post, we strongly recommend that all Magento merchants running a deployed (self-hosted) platform protect themselves from the Zend Framework vulnerability.
We have added further instructions on how to protect your business. Please apply the solution below that corresponds to your version of Magento.
Magento Enterprise Edition
- As a best practice, we recommend that all Enterprise Edition merchants upgrade if possible to the latest release (v188.8.131.52) to take advantage of the latest fixes and features.
- Depending on your platform version, please find the appropriate solution for you:
| Your current version | Recommended solution |
|---|---|
| EE 184.108.40.206+ | Upgrade to the latest release (navigate to Downloads > Magento Enterprise Edition > Release; account log-in is required) |
| EE 220.127.116.11 – 1.11.X.X | Apply the Zend Security Upgrades patch (navigate to Downloads > Magento Enterprise Edition > Patches & Support; account log-in is required) |
| Versions prior to EE 18.104.22.168 | Implement the workaround (instructions below) |
Magento Professional Edition
- For all versions of Professional Edition, apply the Zend Security Upgrades patch (navigate to Downloads > Magento Professional Edition > Patches & Support; account log-in is required).
Magento Community Edition
- As a best practice, we recommend that all Community Edition merchants upgrade if possible to the latest release (v22.214.171.124) to take advantage of the latest fixes and features.
- Depending on your platform version, please find the appropriate solution:
| Your current version | Recommended solution |
|---|---|
| CE 126.96.36.199+ | Upgrade to the latest release |
| CE 188.8.131.52 – 1.6.X.X | Apply this patch |
| CE 184.108.40.206 | Apply this patch |
| CE 220.127.116.11 – 18.104.22.168 | Apply this patch |
| Versions prior to CE 22.214.171.124 | Implement the workaround (instructions below) |
Magento Go customers will not need to make any updates. All fixes will be applied automatically on the backend.
Instructions on Applying the Patch
1. Go to the root of your Magento installation, for example: `cd /home/mystore/public_html`
2. Download the patch file with wget: `wget -O patch_name.patch <URL of the patch link appropriate for your version>`
3. The patch link appropriate for your version is provided on the download pages listed above (the command in step 2 lets you fetch it from the Unix command prompt).
4. Apply the patch: `patch -p0 < patch_name.patch`
Note: if you are running more than one web server, the patch must be applied on every server.
If an upgrade cannot be performed or the patch cannot be applied immediately, the following instructions can be followed to temporarily disable the RPC functionality that contains the vulnerability.
Please note that this workaround can only be applied to versions of CE 1.4 and below and EE 1.8 and below.
Also, please be advised that any integrations that rely on the XMLRPC API functionality will no longer work after this workaround is implemented.
1. On the Magento web server, navigate to the web root where the Magento application files are stored.
2. From the web root, navigate to `/app/code/core/Mage/Api/controllers`.
3. Open `XmlrpcController.php` for editing.
4. Comment out or delete the body of the method `public function indexAction()`.
5. Save the changes.
As some of our experienced community members have discovered, the fix shipped in CE 126.96.36.199 and EE 188.8.131.52 differs from the fix provided in the patches. In the latest releases, we decided not to modify the Zend library directly, but to override the vulnerable methods within Magento code by adding two new classes.
We did this in order to keep the underlying Zend Framework version 1.11.1 for Magento 1.X unmodified and consistent. We are planning to upgrade the Zend Framework in Magento in upcoming releases.
Merchants have been asking for a fast and secure way to integrate more business applications within Magento. We’ve met this request by introducing the Magento REST API as part of the Magento Enterprise 1.12 and Community 1.7 releases.
Noteworthy benefits of the REST API include simplicity, ease of testing and troubleshooting, and better performance. It allows you to manage customers, customer addresses, sales orders, inventories and products using HTTP verbs such as GET, POST, PUT and DELETE. Data requests and responses can be in XML or JSON format.
REST resources are simply the entities or identities that are exposed to the developer. REST defines the identity of the resource via the URI (uniform resource identifier). Each resource has a unique URL address and any interaction with a resource takes place at its URI. The following resources are supported in CE 184.108.40.206.
- Products: Allows you to retrieve the list of products, create a simple product, and update or delete a product.
- Product Categories: Allows you to retrieve the list of categories assigned to a product and assign or unassign a category to a product.
- Product Websites: Allows you to retrieve the list of websites assigned to a product and assign or unassign a website to a product.
- Customers: Allows you to retrieve the list of customers and create, update, or delete a customer.
- Customer Addresses: Allows you to retrieve the list of customer addresses, and create, update, or delete an address.
- Inventory: Allows you to retrieve the list of stock items and update a stock item.
- Sales Orders: Allows you to retrieve the list of sales orders and specific order information.
- Sales Order Items: Allows you to retrieve the items for a specific order.
- Sales Order Addresses: Allows you to retrieve billing and shipping addresses for an order.
- Sales Order Comments: Allows you to retrieve comments for a specific order.
Preparing to Use REST API with Magento
From the Magento store admin panel:
- Set up permissions to operate with resources for the three different user types: admin, customer, and guest. The admin is the backend logged-in user, the customer is the frontend logged-in user, and the guest is a non-logged-in frontend user.
- Configure which attributes each user type is allowed to retrieve or update.
- Register the third-party application (set up a consumer) and provide the resulting consumer information to the third-party application.
For a more detailed explanation with sample data, check out our wiki page. As always, we welcome your feedback and are eager to help with any issues you may encounter. Please use our bug tracker and choose the Webservices API from the Category selection.
Magento has announced the latest Magento releases: Magento Enterprise 1.12 and Community 1.7. The recent enhancements to our eCommerce offerings help merchants provide a more personalized shopping experience for their customers.
Benefits include easier order placement, mobile optimization and multiple wish lists. These enhancements give merchants greater potential to boost consumer engagement, increase conversions and transaction size, and foster brand loyalty.
All merchants, including those running B2B businesses, can take advantage of improved customer segmentation and ordering capabilities, and merchants operating in Europe can use the new features to stay compliant with EU regulations.
Of course, the latest releases have lots in store for developers too, including a new API and backup and rollback systems.
Read on to learn about the key features in our new releases and how they can benefit you.
Quickly and easily create a storefront optimized for mobile devices so customers can shop even when they’re on the go. This mobile interface uses HTML5 technology and supports iPhone, Android and Mobile Opera browsers. It includes out-of-the-box features such as:
Tap into a whole new customer segment – unknown site visitors. Whether they’re new visitors or returning customers who have not logged in, you’ll now be able to identify and target them with special promotions to convert browsers into buyers.
Expanded Rule-based Product Relations
Our rule-based product-relations functionality allows merchants to target specific customer segments with product recommendations. Pinpoint specific customers with up-sells, cross-sells and related products to create a more relevant shopping experience.
Auto-generation of Coupon Codes
Generate a set of unique coupon codes for each promotion you run and export the list of codes for offline distribution, email, newsletters and more. Easily manage and monitor coupon usage and generate detailed reports.
Multiple Wish Lists
Customers can save products to multiple wish lists and copy or move items from list to list. They can make their wish lists public so they’re searchable by anyone. And merchants can review them to learn about their customers’ wants and needs.
Layered Navigation Pricing Enhancement
We’ve introduced a new set of algorithms for price-layered navigation that provides much greater flexibility. Now you can display a range of prices that is based on having a similar number of products within each range, giving you better control of your customers’ search results, and helping your customers find what they’re looking for faster.
Customer Group Pricing
One price doesn’t always fit all. This tool allows you to create different price points for different customer groups, such as wholesalers and retailers. You can determine both base price and tiered price levels.
Add to Cart by SKU
Streamline the ordering process, especially for B2B customers, by enabling them to enter a list of SKUs without having to go into product pages. This simplifies large orders, recurring orders and ordering based on offline catalogs.
REST APIs Support
The new Magento REST API uses the three-legged OAuth 1.0a protocol to allow applications to access Magento services safely. What does this mean for you? You can manage customers, customer addresses, sales orders, inventories and products using HTTP verbs (GET, POST, PUT, DELETE). Data requests and responses can be in XML or JSON format.
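As an added example (written for this page; it is not Magento's code and was not part of the original post), the following Python script shows what the OAuth 1.0a part of the sentence above means in practice: the client signs each REST request with HMAC-SHA1 over a canonical signature base string, and the server recomputes that signature, compares it in constant time, and refuses stale or replayed requests. The signing routine is the generic RFC 5849 algorithm, not Magento's implementation; the host `store.example.test`, the resource path `/api/rest/products`, and all consumer and access-token credentials are constructed placeholders.

```python
# OAuth 1.0a (RFC 5849) HMAC-SHA1 signing and server-side verification. Added example,
# not Magento code; every credential and URL below is a constructed placeholder.
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit

def pct(value):
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters stay as-is."""
    return quote(str(value), safe="-._~")

def normalize_url(url):
    """Base-string URI: lowercase scheme/host, default port dropped, no query or fragment."""
    p = urlsplit(url)
    default = p.port is None or (p.scheme.lower(), p.port) in (("http", 80), ("https", 443))
    return f"{p.scheme.lower()}://{p.hostname}{'' if default else f':{p.port}'}{p.path or '/'}"

def query_params(url):
    """Query-string parameters, which are signed together with the oauth_* parameters."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))

def signature_base_string(method, url, params):
    """METHOD & encoded base URI & encoded, sorted 'k=v' parameter string (section 3.4.1)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join([method.upper(), pct(normalize_url(url)),
                     pct("&".join(f"{k}={v}" for k, v in pairs))])

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with 'consumer_secret&token_secret'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def build_authorization_header(method, url, consumer_key, consumer_secret,
                               token, token_secret, nonce=None, timestamp=None):
    """Client side: sign a request (query string included in url) and build the header."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = sign(method, url, {**query_params(url), **oauth},
                                    consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in oauth.items())

def parse_authorization_header(header):
    """Turn 'OAuth k="v", k="v"' back into a dict, percent-decoding keys and values."""
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth header")
    params = {}
    for item in header[len("OAuth "):].split(","):
        key, _, value = item.strip().partition("=")
        params[unquote(key)] = unquote(value.strip('"'))
    return params

class SignatureVerifier:
    """Server side: recompute the signature, compare in constant time, refuse replays."""

    def __init__(self, consumer_secrets, token_secrets, window_seconds=300):
        self.consumer_secrets = consumer_secrets  # consumer_key -> consumer_secret
        self.token_secrets = token_secrets        # access token -> token_secret
        self.window = window_seconds
        self.seen = set()  # (consumer_key, timestamp, nonce); bound its size in production

    def verify(self, method, url, header, now=None):
        now = int(time.time()) if now is None else now
        try:
            p = parse_authorization_header(header)
            ts = int(p["oauth_timestamp"])
        except (ValueError, KeyError):
            return False
        p.pop("realm", None)  # realm is never part of the signed parameters
        ck, token = p.get("oauth_consumer_key"), p.get("oauth_token")
        if ck not in self.consumer_secrets or token not in self.token_secrets:
            return False
        if p.get("oauth_signature_method") != "HMAC-SHA1" or abs(now - ts) > self.window:
            return False
        replay_key = (ck, ts, p.get("oauth_nonce"))
        if replay_key in self.seen:
            return False
        supplied = p.pop("oauth_signature", "")
        expected = sign(method, url, {**query_params(url), **p},
                        self.consumer_secrets[ck], self.token_secrets[token])
        if not hmac.compare_digest(supplied, expected):
            return False
        self.seen.add(replay_key)
        return True

# Constructed placeholders: a Magento-style products resource and made-up credentials.
CONSUMER_KEY, CONSUMER_SECRET = "consumer-key-placeholder", "consumer-secret-placeholder"
TOKEN, TOKEN_SECRET = "access-token-placeholder", "access-token-secret-placeholder"
PRODUCTS_URL = "https://store.example.test/api/rest/products?limit=2"

def demo(now=1341500000):
    """Sign a GET, accept it once, then show the identical header is refused as a replay."""
    header = build_authorization_header("GET", PRODUCTS_URL, CONSUMER_KEY, CONSUMER_SECRET,
                                        TOKEN, TOKEN_SECRET, nonce="n0", timestamp=now)
    verifier = SignatureVerifier({CONSUMER_KEY: CONSUMER_SECRET}, {TOKEN: TOKEN_SECRET})
    first = verifier.verify("GET", PRODUCTS_URL, header, now=now)
    return first, verifier.verify("GET", PRODUCTS_URL, header, now=now)  # (True, False)
```

Two details matter for the "safely" in the sentence above: the signature covers the method, the normalized URL and every query parameter, so a captured header cannot be re-used against a different resource, and the verifier keys its replay cache on consumer key, timestamp and nonce with a bounded time window, so a captured header cannot be replayed at all once it has been accepted.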
This initial version of the REST API supports the following functions:
European Union VAT-ID Validation
This feature facilitates the tax collection process for online businesses in the EU and greatly simplifies international B2B transactions by automatically applying the correct tax rules. Taxes can be calculated and charged according to VAT customer groups, based on customer shipping or billing addresses and VAT IDs.
EU Cookie Restriction
CMS Page Hierarchy Enhancements
Managing your CMS hierarchy tree just got easier. Now you can add CMS pages to the navigation menu without custom development. You can also create, copy or delete different CMS hierarchy trees for each website and store view, individually or en masse.
Backup and Rollback
Manage and schedule a variety of backup operations with the option to rollback the changes to reverse any modifications. This feature is particularly useful when testing new modules or customizations, or when upgrading to a new version of Magento. You can review specific customizations and their impact on the new code. (We do not recommend using this feature in your production environment.)
Three types of backup are supported:
Payment Bridge 1.1 Updates
Magento Secure Payment Bridge, our PA-DSS certified payment application, adds multiple new payment methods. In addition to our existing supported gateways – PayPal, Authorize.net and Payflow Pro – we are introducing support for the following new gateways:
Supported by services provided by Braintree or Authorize.net, customers can also securely save their credit card information for future transactions in a “My Credit Cards” section in “My Account.” And with support from Kount, you can integrate fraud-screening services with your payment methods (requires separate agreement with Kount).
Now you can enable CAPTCHA functionality on your site to help prevent automated software from attempting fake logins. This auto-generated test ensures that the login is being attempted by a person and can be enabled in both the admin and customer login areas.
This year Magento will pay another visit to The Netherlands for the conclusion of the European Magento Tour. The fourth Meet Magento conference in The Netherlands is taking place on May 29-30, 2012 and is organized by the Dutch Magento community. The event has become the most important yearly event for all Dutch users of the Magento platform, developers and partners.
On May 29th attendees will receive the “Magento Introduction” session aimed at organizations that have recently decided to create their online store with Magento. This session will help new Magento users kick start their project and serves as an excellent preparation for day two of the event.
On May 30th attendees will benefit from the Meet Magento conference day and expo from 9 am to 6 pm. The day will feature over 25 presentations on various Magento topics including marketing, business, performance and development. There will also be several English sessions for non-Dutch visitors.
If you’re in The Netherlands or doing business with Dutch Magento companies, you can’t afford to miss out on this event! More info can be found on www.meet-magento.nl .
In the world of eCommerce every hour of every day means the possibility of revenue.
Learn how Magento can help your online business succeed.
Attend an eCommerce Forum sponsored by Magento and Magento Solution Partners to learn how Magento Enterprise can help you turn more browsers to buyers.
At these forums, eCommerce decision-makers will acquire a general understanding of who Magento is, what we do to empower the eCommerce ecosystem and how we can help you build a profitable online business.
- Overview and demonstration of the Magento Enterprise eCommerce solution
- Examples of eCommerce success using Magento Enterprise
- Networking – talk to Magento personnel, a Magento Solution Partner and other companies with the same questions and ambitions as you
These events are free of charge but for planning purposes, registration is required.
Calendar of Events
- Seattle Marriott Waterfront, 2100 Alaskan Way. Times: 11:30AM; 12:00PM – 3:00PM. Sit-down lunch.
- Hôtel Novotel Vaugirard, 257 rue de Vaugirard. Times: 9:00AM; 10:00AM – 2:00PM. Coffee & lunch.
- Hotel Mercure Nantes Central, 4 Rue du Couedic, 44000 Nantes, France. Times: 9:00AM; 10:00AM – 2:00PM. Coffee & lunch.
- Market Bar Chicago, 1113 West Randolph, Chicago, IL 60607. Times: 6:00PM; 6:30PM – 9:00PM. Drinks and food.
- Hotel Mercure Bordeaux Centre, 5 rue Robert Lateulade, 33000 Bordeaux, France. Times: 9:00AM; 10:00AM – 2:00PM. Coffee & lunch.
- Oct 26, Bloomington, MN: 2626 East 82nd Street. Times: 8:00AM; 8:30AM – 11:30AM.
- Oct 27, Cincinnati, OH: Dave and Busters, 11775 Commons Drive. Times: 5:00PM; 5:30PM – 7:30PM. Drinks and appetizers.
- Nov 3, San Francisco: 499 Carolina Street, Potrero Hill neighborhood. Times: 12:00PM; 12:30PM – 3:00PM. Lunch (vegetarian option available).
- 177 Huntington Avenue. Times: 6:00PM; 6:30PM – 8:00PM.
- Sep 15, Toronto, Ontario: 145 John St. Times: 6:00PM; 6:30PM – 9:00PM.
- Sep 29, Chandler, AZ: 55 North Arizona. Times: 9:00AM; 9:30AM – 11:00AM.
- Oct 04, Salt Lake City: 3003 N. Thanksgiving Way, Utah Room, Lehi, UT 84043. Times: 8:30AM; 9:00AM – 12:00PM.
- 79 SW 12 St, Miami, FL 33130. Times: 1:30PM; 2:00PM – 5:00PM. Digital Evolution Group.
- Don’t see a city near you?
Let us know where you want us to come next.
Send an email to: email@example.com with “eCommerce Forum” in the subject line
For years, the best Magento developers have asked for a way to establish their credentials and market their skills to the growing universe of Magento merchants and Solution Partners. At the same time, merchants and Solution Partners have wanted a more reliable means of identifying Magento developers with the expertise and experience needed to execute their projects.
To the entire Magento community, we would like to say 1) thank you for your patience, and 2) Magento Developer Certification is finally here!
If you’d like to be one of the first Magento developers to receive the certification, here is what you need to know:
What is Magento Developer Certification?
Why is this great news for all?
Magento Developer Certification benefits all members of the global Magento ecosystem:
Developers can take the exam at Innovate!
During the Innovate Developers Conference at San Francisco’s Moscone Center on October 12th – 13th, developers will have the first-ever opportunity to earn Magento Developer Certification by taking a beta version of the exam. Magento Developer Certification is the gold standard for credibility among Magento developers, partners and merchants.
How much does it cost?
Participants in the initial beta test will pay a reduced rate of $150, a $110 savings (regular price $260) for the exam. However, space is limited so register for your exam in advance to guarantee your spot! Space will be granted on a first-come, first-served basis.
How do I sign up?
When do I find out about the results?
Participating developers will be notified by email 4-6 weeks after the conference. Developers who pass the exam based on the Beta exam analysis will achieve the Magento Certified Developer or Magento Certified Developer Plus credential.
What if I can’t make it to Innovate?
Starting in December, developers will be able to take the Magento Developer Certification exam at one of 10,000+ testing sites worldwide. Please check for updates here.
Magento encourages all developers to take advantage of this rewarding opportunity. If you have additional questions, please send an email to firstname.lastname@example.org with ‘certification’ in the subject line.
Hope to see you at Innovate!
We are excited to announce the availability of Magento CE Version 220.127.116.11 Stable for download and upgrade.
The latest release is packed with new features as well as valuable code contributions from various community members around the world.
Some of the key new features in this release include:
- Persistent shopping – retain shopping cart content for customers across user sessions, browsers and devices.
- Minimum Advertised Price (MAP)
- Multiple-database refactoring
Please Note: We do NOT recommend upgrading a production installation of Magento directly. Please back up the database and all files before upgrading. Please make sure to check file permissions before trying to upgrade through your Magento Connect Manager.
Please report all issues with this release in the bug tracker.
Greetings Magento Community Developers and Users,
As many of you are aware, as of June 1st 2011 the Google Base Data API has been fully retired, and merchants who are using the Google Base APIs to upload products to Google should migrate to the new Google Content API extension.
The Google Shopping API consists of two parts, Content and Search. The Content API allows you to insert, update, delete and retrieve product information on Google; the Search API allows searching over the uploaded items and is not part of Magento’s integration.
This new extension covers the new Content API logic and is designed for managing merchant items uploaded to Google Base. For Magento, this simply replaces the current Google Base API logic.
Magento users can reference the following user guide documentation for additional information and instructions on how to utilize Google Shopping APIs for items with your Magento store.
Magento developers can reference the following technical overview documentation on Magento integration with Google Shopping APIs.
Posted by RoyRubin on Magento Blog
Magento Go is really going places
At Magento, we’re always looking towards the future of eCommerce. We’re constantly moving forward so quickly that we need to periodically pause and reflect on where we are today and remind ourselves just how much we owe our success to our customers, partners, community and the entire Magento ecosystem. With a few months under our belt since the launch of Magento Go, we thought this was the perfect time to look back on the unbelievable achievements you have realized thus far.
While Magento Go is still very young, the results thus far have been astounding. Tens of thousands of you have visited the site to explore, set up trials and sign-on to Go to build stores of your own. We’re seeing some very cool and innovative stores, and we’re planning to begin showcasing them in the near future.
We are committed to doing everything we can to satisfy our customers, and have been listening closely to your comments. Through your much appreciated feedback, the product itself is getting better every day and we intend to do everything we can to ensure your ongoing success. We’re continuously investing in Magento Go and quickly rolling out updates and new features. Here are just a few of our latest updates and additions to Magento Go:
Latest updates on Magento Go:
Store Design – Themes and Design Services
Many merchants have asked for help with Magento Go store design. We took your comments into consideration and have developed two new solutions to make it even easier to customize your Magento Go store. First, we are actively adding many new store themes into Magento Go so you will have a variety of options to choose from when setting up your stores. In addition, we’ve signed up some incredibly talented design partners who can help you create a custom look and feel for your Magento Go store. A preliminary list of partners is now featured on the site.
One of the most frequent requests we receive from merchants is to expand our portfolio of supported payment methods and gateways. This week we will announce the availability of SagePay for Magento Go. SAGE PAY is the UK’s largest independent payment service provider, processing millions of secure payments every month for over 33,000 businesses, from start-ups through to major online, consumer, and business brands.
Magento Go Platform
Soon we will be launching the Magento Go Platform which will allow developers to build, host and deploy custom applications for Magento Go. With the launch of this platform, you’ll be able to easily integrate a variety of apps including feature enhancements, marketing, analytic and accounting apps (among many others) from our partners and developers into your stores directly. Last week the Magento Go Platform entered beta and it has received amazing feedback from our beta testers.
We’ve come a long way since the initial launch just a few weeks ago, but we can’t wait to see just how far you can take Magento Go. We want to extend a very special thank you for your continued support and ask you to stay tuned for more to come! We couldn’t be more excited!