
Mage_ProductAlert can generate performance and business logic issue/hack

SOLVED

Dear Magento,

 

I think this topic should be started here because, from my point of view, it relates to the security and performance part of a platform.

 

I recently downloaded the 1.9.3.7 CE version (I think the EE version has it too) and it still has this method:

 

    // Mage_ProductAlert_AddController, reachable at <base_url>/productalert/add/testObserver
    public function testObserverAction()
    {
        $object = new Varien_Object();
        $observer = Mage::getSingleton('productalert/observer');
        $observer->process($object);
    }

If you check it, you will see that this controller action can be executed by any logged-in customer, and if a stock/price alert notification was enabled, it can generate an extra load on the system and interrupt the business process.

 

The discussed method will be executed if a customer is logged in and requests the <base_url>/productalert/add/testObserver URL. The customer will pass verification in the method

Mage_ProductAlert_AddController::preDispatch()

and after that an observer object is created, and its process method is called.

 

 

    /**
     * Run process send product alerts
     *
     * @return Mage_ProductAlert_Model_Observer
     */
    public function process()
    {
        $email = Mage::getModel('productalert/email');
        /* @var $email Mage_ProductAlert_Model_Email */
        $this->_processPrice($email);
        $this->_processStock($email);
        $this->_sendErrorEmail();

        return $this;
    }

The main problem, as for me, starts here. If a stock or price notification was enabled, two protected methods ($this->_processPrice($email) and $this->_processStock($email)) will run getCollection(). For example, $this->_processPrice($email):

 

    $collection = Mage::getModel('productalert/price')
        ->getCollection()
        ->addWebsiteFilter($website->getId())
        ->setCustomerOrder();

 

and this is not so good because of an extra call to the database, which will take time in any case. And if the $collection is not empty, emails will be sent in the loop below to subscribed customers. This fact is not so good either, because those emails shouldn't be triggered by random customers. Also, this fact can generate more problems if this method is called by N customers. Something similar to a DDoS attack.

 

From my point of view, the method Mage_ProductAlert_AddController::testObserverAction() should be completely removed. It allows customers to affect performance (even in a small amount) and to run code which is responsible for the business logic part.

 

P.S.:

Can you, please, describe the best way for reporting things like this?

 

Best regards,

Alex
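Added example (not part of Alex's post or of Magento's own code): a small Python script that scans web-server access logs for requests to the testObserver action discussed above and counts them per client address, so a store operator can see whether the endpoint is being exercised while a patch that removes the action is still pending. The common log format of the lines, the constructed sample entries, the handling of an index.php prefix and the alert threshold of three calls are all assumptions made for this example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/nginx common log format (assumption: the store's web server logs like this).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Path of the action discussed in the thread: <base_url>/productalert/add/testObserver
SUSPECT_PATH = "/productalert/add/testobserver"


def is_test_observer_request(target: str) -> bool:
    """True if the request target resolves to the testObserver action.
    Magento 1 front-controller paths are matched case-insensitively and may
    carry an index.php prefix, a trailing slash or a query string, so normalise
    before comparing (the index.php handling is an assumption)."""
    path = urlsplit(target).path.lower().rstrip("/")
    if path.startswith("/index.php"):
        path = path[len("/index.php"):]
    return path == SUSPECT_PATH


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_test_observer_hits(lines):
    """Return (hits, per_ip): the parsed matching requests and a Counter
    of how many each client address made."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_test_observer_request(rec["target"]):
            hits.append(rec)
    per_ip = Counter(h["ip"] for h in hits)
    return hits, per_ip


def flag_sources(per_ip, threshold: int = 3):
    """Client addresses that called the action at least `threshold` times in
    the examined window (the threshold is an assumed tuning value)."""
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [05/Mar/2018:10:00:01 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 5123
203.0.113.10 - - [05/Mar/2018:10:00:05 +0000] "GET /productalert/add/testObserver HTTP/1.1" 302 0
203.0.113.10 - - [05/Mar/2018:10:00:06 +0000] "GET /productalert/add/testObserver/ HTTP/1.1" 302 0
203.0.113.10 - - [05/Mar/2018:10:00:07 +0000] "GET /index.php/productalert/add/testobserver?x=1 HTTP/1.1" 302 0
198.51.100.7 - - [05/Mar/2018:10:01:00 +0000] "GET /productalert/add/testObserver HTTP/1.1" 302 0
198.51.100.7 - - [05/Mar/2018:10:01:30 +0000] "POST /productalert/add/price HTTP/1.1" 302 0
192.0.2.25 - - [05/Mar/2018:10:02:00 +0000] "GET /customer/account/ HTTP/1.1" 200 8011
"""

if __name__ == "__main__":
    hits, per_ip = find_test_observer_hits(SAMPLE_LOG.splitlines())
    for ip, n in per_ip.most_common():
        print(f"{ip}: {n} call(s) to testObserver")
    print("flagged:", flag_sources(per_ip))
```

Access logs only identify the client address, not the logged-in customer; correlating a flagged address with the customer session is a separate step in the application logs. The normalisation in is_test_observer_request matters because a plain substring check on the raw request line would miss the index.php and mixed-case variants of the same action.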

2 REPLIES

Re: Mage_ProductAlert can generate performance and business logic issue/hack

As it could potentially result in a DoS attack, it is recommended to report it to security@magento.com. It is outside the scope of our bug bounty but we do welcome such reports.

Re: Mage_ProductAlert can generate performance and business logic issue/hack

Thank you, @pikaminskimage! I will report this issue to the security centre.