Security Risk: Very Easy / Remote
DREAD Score: 8.8
Vulnerability: SQL Injection
Patched Version: 1.9.4.1 / 1.14.4.1 / 2.1.17 / 2.2.8 / 2.3.1
Magento has released a new security update fixing multiple types of vulnerabilities including Cross-Site Request Forgery, Cross-Site Scripting, SQL Injection, and Remote Code Execution.
To be exploited, the majority of these vulnerabilities require the attacker to be authenticated on the site and have some level of privilege.
One of the listed bugs is an SQL Injection vulnerability that can be exploited without any privilege or authentication. Given the sensitive nature of the data Magento ecommerce sites handle every day, affected site owners should treat this as a threat to patch as soon as possible.
Am I At Risk?
As stated in the official advisory, this issue affects both the Open Source and Commerce editions of the software. The affected versions are 2.1 prior to 2.1.17, 2.2 prior to 2.2.8, 2.3 prior to 2.3.1, Magento Open Source (1.x) prior to 1.9.4.1, and Magento Commerce (1.x) prior to 1.14.4.1.
The SQL vulnerability is very easy to exploit, and we encourage every Magento site owner to update to these recently patched versions to protect their ecommerce websites.
Technical Details
Due to the risk this vulnerability represents, and the fact that we are not yet seeing attacks in the wild, we will refrain from publishing technical details for the time being.
Our team reversed the official patch and successfully created a working proof of concept exploit for internal testing and monitoring. We will keep this blog post updated if we see any new developments.
Indicators of Compromise
You can check your access_log file for multiple hits to one of the following paths:
- /catalog/product/frontend_action_synchronize
- /catalog/product_frontend_action/synchronize
An occasional hit may be a legitimate request, but more than a couple of dozen hits from the same IP within a few minutes should be treated as suspicious. If the site sits behind a reverse proxy or CDN, make sure the address in the log is the real client address (for example from X-Forwarded-For) rather than the proxy's own, otherwise every visitor appears to share one IP and the count is meaningless.
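The check described above, written out as an added example (this script is not part of the original post or of Magento): it parses access_log lines in the common Apache/nginx "combined" format, keeps only requests to the two indicator paths, and reports any client IP whose hits within a five-minute sliding window exceed the "couple of dozen" threshold. The threshold, the window length, and the sample log lines are assumptions constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# The two request paths named in this post's indicators of compromise.
IOC_PATHS = (
    "/catalog/product/frontend_action_synchronize",
    "/catalog/product_frontend_action/synchronize",
)

# Apache/nginx "combined" access_log layout, e.g.
# 203.0.113.5 - - [29/Mar/2019:10:00:00 +0000] "GET /path HTTP/1.1" 200 512 "-" "UA"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, path) for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    # Drop the query string and any trailing slash so "/x?y=1" and "/x/" both match.
    path = m.group("path").split("?", 1)[0].rstrip("/")
    return m.group("ip"), ts, path


def is_ioc_path(path):
    # endswith() tolerates a store installed under a sub-directory or store-code prefix.
    return any(path.endswith(p) for p in IOC_PATHS)


def find_suspicious(lines, threshold=24, window=timedelta(minutes=5)):
    """Map each client IP to the largest number of IoC-path hits it made inside any
    span of length `window`; only IPs exceeding `threshold` are returned."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed or non-combined line: ignore rather than crash
        ip, ts, path = parsed
        if is_ioc_path(path):
            hits[ip].append(ts)

    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            # Slide the window's left edge forward until it spans at most `window`.
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


def sample_log():
    """Constructed access_log lines for the demonstration (not real traffic)."""
    base = datetime(2019, 3, 29, 10, 0, 0, tzinfo=timezone.utc)

    def entry(ip, offset_s, path, status=200):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FORMAT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

    lines = []
    # 30 hits from one address inside two minutes: the pattern the post calls suspicious.
    lines += [entry("203.0.113.5", 4 * i, "/catalog/product/frontend_action_synchronize?x=1")
              for i in range(30)]
    # Two hits an hour apart from a shopper: ordinary storefront traffic.
    lines += [entry("198.51.100.7", 0, "/catalog/product_frontend_action/synchronize"),
              entry("198.51.100.7", 3600, "/catalog/product_frontend_action/synchronize")]
    # A crawler hammering unrelated pages must not be flagged by this check.
    lines += [entry("192.0.2.9", 2 * i, f"/catalog/product/view/id/{i}") for i in range(40)]
    lines.append("this line is not in combined log format")
    return lines


if __name__ == "__main__":
    for ip, count in find_suspicious(sample_log()).items():
        print(f"suspicious: {ip} made {count} IoC hits within 5 minutes")
```

On a real server, feed it the file instead of the constructed sample (`find_suspicious(open("/var/log/apache2/access.log"))`); the sliding window matters because a scanner that spreads requests over an hour would slip under a naive per-IP total if the threshold were applied to the whole log at once, while a burst of legitimate storefront traffic from a NAT gateway can still trip it, so treat a hit as a prompt to inspect, not as proof of compromise.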
Patch As Soon As Possible
SQL injection lets an attacker manipulate a site's request parameters so that their own commands are passed to the SQL database (Oracle, MySQL, MariaDB, MSSQL) as part of a query the application builds. Through this vulnerability they can retrieve sensitive data from an affected site's database, including usernames and password hashes.
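A generic illustration of the mechanism just described, added here as an example and deliberately unrelated to the Magento bug (whose details this post withholds): the same product lookup written once with string concatenation and once with a bound parameter, run against a constructed in-memory SQLite database whose table and column names are loosely modelled on a shop schema and are illustrative only. Magento itself runs on PHP and MySQL; Python's sqlite3 module is used as a stand-in so the block runs offline.

```python
import hashlib
import sqlite3


def build_demo_db():
    """Constructed in-memory store: two admin users with hashed passwords and two products.
    Schema and rows are illustrative assumptions, not Magento's real tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin_user (user_id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("CREATE TABLE catalog_product_entity (entity_id INTEGER PRIMARY KEY, sku TEXT)")
    conn.executemany(
        "INSERT INTO admin_user (username, password) VALUES (?, ?)",
        [("admin", hashlib.sha256(b"correct horse").hexdigest()),
         ("ops", hashlib.sha256(b"battery staple").hexdigest())],
    )
    conn.executemany("INSERT INTO catalog_product_entity (sku) VALUES (?)", [("MH01",), ("MJ02",)])
    return conn


def product_lookup_vulnerable(conn, sku):
    # String concatenation: whatever the client sends becomes part of the SQL statement itself.
    query = "SELECT sku FROM catalog_product_entity WHERE sku = '" + sku + "'"
    return [row[0] for row in conn.execute(query)]


def product_lookup_safe(conn, sku):
    # Bound parameter: the driver passes the value separately from the statement,
    # so it is only ever compared against the column, never parsed as SQL.
    query = "SELECT sku FROM catalog_product_entity WHERE sku = ?"
    return [row[0] for row in conn.execute(query, (sku,))]


# A classic UNION-based payload: close the string literal, append a second SELECT that
# reads credentials from another table with the same column count, and comment out the
# trailing quote the application appends.
PAYLOAD = "' UNION SELECT username || ':' || password FROM admin_user --"


def leaked_credentials(conn):
    """What the unauthenticated caller gets back from the vulnerable lookup, sorted for stable output."""
    return sorted(product_lookup_vulnerable(conn, PAYLOAD))


if __name__ == "__main__":
    conn = build_demo_db()
    print("normal lookup :", product_lookup_safe(conn, "MH01"))
    print("safe + payload:", product_lookup_safe(conn, PAYLOAD))
    print("vuln + payload:", leaked_credentials(conn))
```

The vulnerable version answers the payload with every username and password hash in admin_user, which is exactly the outcome described above; the parameterised version returns nothing because no product has a SKU equal to the payload string. Escaping quotes is not an adequate substitute for parameter binding, since numeric contexts, identifiers and character-set tricks all have bypasses; bind every user-controlled value.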
Unauthenticated attacks, like the one seen in this particular SQL Injection vulnerability, are very serious because they can be automated — making it easy for hackers to mount successful, widespread attacks against vulnerable websites. The number of active installs, the ease of exploitation, and the effects of a successful attack are what makes this vulnerability particularly dangerous.
Keeping the CMS, themes, and plugins up to date with the latest patches is one of the most crucial steps in maintaining a website's security. To protect against this vulnerability, we strongly encourage Magento users to update their sites to the latest version of the branch they are using: 1.9.4.1, 1.14.4.1, 2.3.1, 2.2.8, or 2.1.17.
In the event that you are unable to update immediately, you can virtually patch the vulnerability with a web application firewall (WAF).