PT-2015-6239 · Magento · Magento Community Edition, Magento Enterprise Edition

Published: 2015-04-29 · Updated: 2016-12-06 · CVE-2015-3458

CVSS v2.0: 6.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

Magento Community Edition (CE) version 1.9.1.0
Magento Enterprise Edition (EE) version 1.14.1.0

Description

The fetchView function in the Mage_Core_Block_Template_Zend class does not restrict the stream wrapper used in a template path. This allows remote administrators to include and execute arbitrary PHP files via the phar:// stream wrapper, related to the setScriptPath function. It is unclear whether this issue crosses privilege boundaries, as administrators may already have privileges to include arbitrary files.

Recommendations

For Magento Community Edition (CE) version 1.9.1.0 and Magento Enterprise Edition (EE) version 1.14.1.0, consider restricting access to the fetchView function in the Mage_Core_Block_Template_Zend class until a patch is available. As a temporary workaround, consider disabling the use of the phar:// stream wrapper in template paths to minimize the risk of exploitation.
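
The workaround above amounts to refusing any template path that names a stream wrapper and confirming that the resolved file stays inside the template directory. The following is an added example, not Magento's code or the vendor patch; resolveTemplatePath, the tpl_demo directory and the sample paths are hypothetical and constructed for illustration.

```php
<?php
/**
 * Return the canonical path of $template if it is a regular file under
 * $baseDir, or null if it names a stream wrapper or escapes that directory.
 * Hypothetical helper for illustration only.
 */
function resolveTemplatePath(string $baseDir, string $template): ?string
{
    // Reject any "scheme://" prefix (phar://, php://, data://, ...), case-insensitively.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $template)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() only resolves local filesystem paths, so it is a second
    // barrier against wrapper URLs and it collapses "../" sequences.
    $full = realpath($base . DIRECTORY_SEPARATOR . $template);
    if ($full === false || !is_file($full)) {
        return null;
    }
    // The canonical path must still be inside the template directory.
    if (strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $full;
}

// Optional process-wide hardening, suitable only when nothing in the
// application loads phar archives: remove the wrapper entirely.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

// Constructed sample data: one legitimate template and three paths to refuse.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo';
@mkdir($base . '/catalog', 0700, true);
file_put_contents($base . '/catalog/list.phtml', '<p>ok</p>');

$samples = ['catalog/list.phtml', 'phar:///tmp/upload.jpg/x.phtml',
            'PHAR://a/b.phtml', '../../etc/passwd'];
foreach ($samples as $t) {
    $verdict = resolveTemplatePath($base, $t) === null ? 'rejected' : 'allowed';
    printf("%-34s %s\n", $t, $verdict);
}
```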

Related Identifiers

CVE-2015-3458

Affected Products

Magento Community Edition
Magento Enterprise Edition