Re: SQL injection vulnerability

MedusaDelft · ‎04-19-2018

Hi all,

I recently took over the hosting of a 1.7.0.2 shop. I have patched this shop as it was missing several patches. For some reason I had to do it manually, as running the script did not work (although I did not get any messages). Maybe this was due to line differences. It took a long time, but the magento security scan passed.

Just last week, the site was scanned by a third party for weaknesses. It reported two high risk sql injection vulnerabilities. It has to do with price[to] and price[from] when using the catalogsearch/advanced/result.

I've looked through all patches I applied (maybe I've missed something), but I could not found anything related with prices. Is this a known problem and more important, how can I fix this?

Thank you in advance for your help!

Best regards,

Maurice.

Edit: I have found out it has to do with the UTF8-character: e309

The query-string added is: ?name=John&description=1&short_description=1&sku=1&merk=1&price%5Bto%5D=1e309&price%5Bfrom%5D=1&tax_class_id%5B%5D=0

which works when the e309 character is omitted. It also does not work when the character is set after any other parameter except price.

MedusaDelft · ‎04-20-2018

On suggestion, I've changed ->getQuery() in ->getParams() in the AdvancedController, but that makes no difference.

To make the problem more clear, this url is used and generates the error log that follows:

/index.php/catalogsearch/advanced/result/?name=John&description=1&short_description=1&sku=1&merk=1&tax_class_id%5B%5D=0&price%5Bto%5D=1e309&price%5Bfrom%5D=1

And the error log:

SQLSTATE[42S22]: Column not found: 1054 Unknown column 'INF' in 'where clause'

Trace:
#0 /httpdocs/lib/Varien/Db/Statement/Pdo/Mysql.php(110): Zend_Db_Statement_Pdo->_execute(Array)
#1 /httpdocs/lib/Zend/Db/Statement.php(300): Varien_Db_Statement_Pdo_Mysql->_execute(Array)
#2 /httpdocs/lib/Zend/Db/Adapter/Abstract.php(479): Zend_Db_Statement->execute(Array)
#3 /httpdocs/lib/Zend/Db/Adapter/Pdo/Abstract.php(238): Zend_Db_Adapter_Abstract->query('SELECT DISTINCT...', Array)
#4 /httpdocs/lib/Varien/Db/Adapter/Pdo/Mysql.php(419): Zend_Db_Adapter_Pdo_Abstract->query('SELECT DISTINCT...', Array)
#5 /httpdocs/lib/Zend/Db/Adapter/Abstract.php(825): Varien_Db_Adapter_Pdo_Mysql->query(Object(Varien_Db_Select), Array)
#6 /httpdocs/lib/Varien/Data/Collection/Db.php(225): Zend_Db_Adapter_Abstract->fetchOne(Object(Varien_Db_Select), Array)
#7 /httpdocs/app/code/core/Mage/CatalogSearch/Block/Advanced/Result.php(90): Varien_Data_Collection_Db->getSize()
#8 /httpdocs/app/design/frontend/default/bqp/template/catalogsearch/advanced/result.phtml(31): Mage_CatalogSearch_Block_Advanced_Result->getResultCount()
#9 /httpdocs/app/code/core/Mage/Core/Block/Template.php(241): include('/var/www/vhosts...')
#10 /httpdocs/app/code/core/Mage/Core/Block/Template.php(272): Mage_Core_Block_Template->fetchView('frontend/defaul...')
#11 /httpdocs/app/code/core/Mage/Core/Block/Template.php(286): Mage_Core_Block_Template->renderView()
#12 /httpdocs/app/code/core/Mage/Core/Block/Abstract.php(867): Mage_Core_Block_Template->_toHtml()
#13 /httpdocs/app/code/core/Mage/Core/Block/Text/List.php(43): Mage_Core_Block_Abstract->toHtml()
#14 /httpdocs/app/code/core/Mage/Core/Block/Abstract.php(867): Mage_Core_Block_Text_List->_toHtml()
#15 /httpdocs/app/code/core/Mage/Core/Block/Abstract.php(586): Mage_Core_Block_Abstract->toHtml()
#16 /httpdocs/app/code/core/Mage/Core/Block/Abstract.php(530): Mage_Core_Block_Abstract->_getChildHtml('content', true)
#17 /httpdocs/app/design/frontend/default/bqp/template/page/2columns-right.phtml(56): Mage_Core_Block_Abstract->getChildHtml('content')
#18 /httpdocs/app/code/core/Mage/Core/Block/Template.php(241): include('/var/www/vhosts...')
#19 /httpdocs/app/code/core/Mage/Core/Block/Template.php(272): Mage_Core_Block_Template->fetchView('frontend/defaul...')
#20 /httpdocs/app/code/core/Mage/Core/Block/Template.php(286): Mage_Core_Block_Template->renderView()
#21 /httpdocs/app/code/core/Mage/Core/Block/Abstract.php(867): Mage_Core_Block_Template->_toHtml()
#22 /httpdocs/app/code/core/Mage/Core/Model/Layout.php(555): Mage_Core_Block_Abstract->toHtml()
#23 /httpdocs/app/code/core/Mage/Core/Controller/Varien/Action.php(390): Mage_Core_Model_Layout->getOutput()
#24 /httpdocs/app/code/core/Mage/CatalogSearch/controllers/AdvancedController.php(59): Mage_Core_Controller_Varien_Action->renderLayout()
#25 /httpdocs/app/code/core/Mage/Core/Controller/Varien/Action.php(419): Mage_CatalogSearch_AdvancedController->resultAction()
#26 /httpdocs/app/code/core/Mage/Core/Controller/Varien/Router/Standard.php(254): Mage_Core_Controller_Varien_Action->dispatch('result')
#27 /httpdocs/app/code/core/Mage/Core/Controller/Varien/Front.php(176): Mage_Core_Controller_Varien_Router_Standard->match(Object(Mage_Core_Controller_Request_Http))
#28 /httpdocs/app/code/core/Mage/Core/Model/App.php(354): Mage_Core_Controller_Varien_Front->dispatch()
#29 /httpdocs/app/Mage.php(683): Mage_Core_Model_App->run(Array)
#30 /httpdocs/index.php(97): Mage::run('', 'store')
#31 {main}

Any ideas?

Thank you in advance!

MedusaDelft · ‎04-27-2018

Nobody got a clue of to fix this??

Talesh · ‎04-28-2018

Is this really a SQL injection? I am not sure why this is on the security patches forum. To fix your bug modify the system to force the input to be an integer and your error should be all cleared up.

---------------------------------------------------
My Magento Security Podcast

MedusaDelft · ‎07-13-2018

This is a vulnerability. It is not a template option.