
Sucuri Blog

Vulnerability in Magento

SQL Injection in Magento Core

March 28, 2019, by Marc-Alexandre Montpas

Security Risk: Very Easy / Remote

DREAD Score: 8.8

Vulnerability: SQL Injection

Patched Version: 1.9.4.1 / 1.14.4.1 / 2.1.17 / 2.2.8 / 2.3.1


Magento has released a new security update fixing multiple types of vulnerabilities including Cross-Site Request Forgery, Cross-Site Scripting, SQL Injection, and Remote Code Execution.

To be exploited, the majority of these vulnerabilities require the attacker to be authenticated on the site and have some level of privilege.

One of the bugs listed is an SQL Injection vulnerability that can be exploited without any form of privilege or authentication. Given the sensitive nature of the data Magento ecommerce sites handle on a daily basis, this is a security threat that affected site owners should patch as soon as possible.

Am I At Risk?

As mentioned in the official advisory, this issue affects sites running either the Open Source or the Commerce edition of the software. The affected versions are 2.1 prior to 2.1.17, 2.2 prior to 2.2.8, 2.3 prior to 2.3.1, Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1.

The SQL Injection vulnerability is very easy to exploit, and we encourage every Magento site owner to update to one of these recently patched versions to protect their ecommerce website.

Technical Details

Due to the risk this vulnerability represents, and the fact we are not seeing attacks in the wild yet, we will refrain from publishing any technical details for the time being.

Our team reversed the official patch and successfully created a working proof of concept exploit for internal testing and monitoring. We will keep this blog post updated if we see any new developments.

Indicators of Compromise

You can check your access_log file for repeated hits to either of the following paths:

  • /catalog/product/frontend_action_synchronize
  • /catalog/product_frontend_action/synchronize

An occasional hit may be a legitimate request, but more than a couple of dozen hits from the same IP address within a few minutes should be considered suspicious.
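The check described above, turned into a small log-review script. This is an added example and not Sucuri's or Magento's code: it parses Apache/Nginx "combined" format access_log lines, keeps only requests to the two indicator paths, and flags any client IP whose hits reach a threshold inside a sliding time window. The default threshold of 24 hits in 300 seconds is an assumption encoding the "couple of dozen hits in a few minutes" heuristic; the sample log lines are constructed, not real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The two request paths the advisory lists as indicators of compromise.
INDICATOR_PATHS = (
    "/catalog/product/frontend_action_synchronize",
    "/catalog/product_frontend_action/synchronize",
)

# Apache/Nginx "combined" access log line: client IP, timestamp, request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*"'
)


def parse_line(line):
    """Return (ip, timestamp, path) for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    # Drop any query string and trailing slash so variants of the path still match.
    path = m.group("path").split("?", 1)[0].rstrip("/")
    return m.group("ip"), ts, path


def is_indicator(path):
    """True when a request path (query string and trailing slash ignored) is an indicator path."""
    return path.split("?", 1)[0].rstrip("/") in INDICATOR_PATHS


def find_suspicious_ips(lines, threshold=24, window_seconds=300):
    """Map each client IP to the largest number of indicator-path hits it made inside any
    window of `window_seconds`, keeping only IPs that reach `threshold`.

    threshold=24 and window_seconds=300 are assumptions encoding the advisory's
    'more than a couple of dozen hits from the same IP in a few minutes' heuristic.
    """
    window = timedelta(seconds=window_seconds)
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that are not in combined format
        ip, ts, path = parsed
        if is_indicator(path):
            hits[ip].append(ts)

    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):
            # Advance the window start until every timestamp in [start, end] fits in `window`.
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def make_sample_log():
    """Constructed sample access_log lines (not real traffic): one address hits an
    indicator path 30 times in two minutes, another touches it once, the rest is noise."""
    fmt = '{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    base = datetime(2019, 3, 28, 10, 15, 0)

    def stamp(offset):
        return (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S +0000")

    lines = [
        fmt.format(ip="203.0.113.5", ts=stamp(4 * i), method="POST", path=INDICATOR_PATHS[0])
        for i in range(30)
    ]
    lines.append(fmt.format(ip="198.51.100.7", ts=stamp(60), method="POST",
                            path=INDICATOR_PATHS[1] + "?form_key=abc"))
    lines.append(fmt.format(ip="192.0.2.9", ts=stamp(75), method="GET",
                            path="/customer/account/login/"))
    lines.append("this line is not in combined log format")
    return lines


if __name__ == "__main__":
    for ip, count in find_suspicious_ips(make_sample_log()).items():
        print(f"{ip}: {count} hits to indicator paths within a 5-minute window")
```

On a real server, feed the script `open("/var/log/apache2/access.log")` (or your Nginx log path) instead of `make_sample_log()`. A flagged IP is a prompt to look at what else that address requested and whether the site was patched at the time, not proof of compromise on its own.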

Patch As Soon As Possible

SQL Injection allows an attacker to manipulate a site's input arguments so that their own commands are passed to the SQL database (Oracle, MySQL, MariaDB, MSSQL). Through this vulnerability they can retrieve sensitive data from an affected site’s database, including usernames and password hashes.
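To make the mechanism concrete, here is the generic vulnerable pattern beside its hardened form. This is an added, illustrative example and not Magento's code or the code path fixed by the patch: it uses an in-memory SQLite table with constructed rows, and the `admin_user` table name and columns are assumptions. The unsafe function splices user input into the SQL text, so a value containing a quote can change the query's logic; the safe function binds the value as a parameter, so the database only ever treats it as data.

```python
import sqlite3


def make_sample_db():
    """In-memory database with constructed sample rows (not real Magento data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin_user (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO admin_user VALUES (?, ?)", [
        ("alice", "hash-of-alice"),
        ("bob", "hash-of-bob"),
    ])
    return conn


def lookup_unsafe(conn, username):
    """Vulnerable pattern: the caller-supplied value becomes part of the SQL statement,
    so a quote character in it changes the WHERE clause instead of being compared."""
    sql = "SELECT username FROM admin_user WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    """Hardened pattern: the value is bound as a parameter; the statement text is fixed,
    so the same input is compared literally and matches nothing."""
    sql = "SELECT username FROM admin_user WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = make_sample_db()
    crafted = "x' OR '1'='1"          # constructed input containing a quote
    print("unsafe:", lookup_unsafe(db, crafted))   # every row comes back
    print("safe:  ", lookup_safe(db, crafted))     # no row matches
```

The same distinction applies in PHP/Magento code: statements built by string concatenation are the risk, and bound parameters (PDO prepared statements, or the framework's query builder with placeholders) are the fix that a WAF can only approximate from the outside.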

Unauthenticated attacks, like this particular SQL Injection vulnerability, are very serious because they can be automated, making it easy for hackers to mount successful, widespread attacks against vulnerable websites. The number of active installs, the ease of exploitation, and the impact of a successful attack are what make this vulnerability particularly dangerous.

Keeping the CMS, themes, and plugins up to date with the latest patches is one of the most crucial steps in maintaining a website’s security. To protect against this vulnerability, we strongly encourage Magento users to update their sites to the latest version of the branch they are using: 1.9.4.1, 1.14.4.1, 2.3.1, 2.2.8, or 2.1.17.

In the event that you are unable to update immediately, you can virtually patch the vulnerability with a web application firewall (WAF).


Categories: Vulnerability Disclosure. Tags: Black Hat Tactics, SQL Injection, XSS.

About Marc-Alexandre Montpas

Marc-Alexandre Montpas is Sucuri’s Senior Security Analyst who joined the company in 2014. Marc’s main responsibilities include reversing security patches and scavenging vulnerabilities, old and new. His professional experience covers eight years of finding bugs in open-source software. When Marc isn’t breaking things, you might find him participating in a hacking CTF competition. Connect with him on Twitter.

© 2022 Sucuri Inc. All rights reserved