cancel
Showing results for 
Search instead for 
Did you mean: 

SQL injection vulnerability

SQL injection vulnerability

Hi all,

 

I recently took over the hosting of a 1.7.0.2 shop. I have patched this shop as it was missing several patches. For some reason I had to do it manually, as running the script did not work (although I did not get any messages). Maybe this was due to line differences. It took a long time, but the magento security scan passed.

 

Just last week, the site was scanned by a third party for weaknesses. It reported two high risk sql injection vulnerabilities. It has to do with  price[to]  and  price[from] when using the catalogsearch/advanced/result.

 

I've looked through all patches I applied (maybe I've missed something), but I could not found anything related with prices. Is this a known problem and more important, how can I fix this?

 

Thank you in advance for your help!

 

Best regards,

Maurice.

 

Edit: I have found out it has to do with the UTF8-character: e309

The query-string added is:   ?name=John&description=1&short_description=1&sku=1&merk=1&price%5Bto%5D=1e309&price%5Bfrom%5D=1&tax_class_id%5B%5D=0

which works when the  e309  character is omitted.  It also does not work when the character is set after any other parameter except price.

3 REPLIES

Re: SQL injection vulnerability

On suggestion, I've changed  ->getQuery()   in  ->getParams()    in the  AdvancedController, but that makes no difference.

 

To make the problem more clear, this url is used and generates the error log that follows:

/index.php/catalogsearch/advanced/result/?name=John&description=1&short_description=1&sku=1&merk=1&tax_class_id%5B%5D=0&price%5Bto%5D=1e309&price%5Bfrom%5D=1

And the error log:

SQLSTATE[42S22]: Column not found: 1054 Unknown column 'INF' in 'where clause'

Trace:
#0 /httpdocs/lib/Varien/Db/Statement/Pdo/Mysql.php(110): Zend_Db_Statement_Pdo->_execute(Array)
#1 /httpdocs/lib/Zend/Db/Statement.php(300): Varien_Db_Statement_Pdo_Mysql->_execute(Array)
#2 /httpdocs/lib/Zend/Db/Adapter/Abstract.php(479): Zend_Db_Statement->execute(Array)
#3 /httpdocs/lib/Zend/Db/Adapter/Pdo/Abstract.php(238): Zend_Db_Adapter_Abstract->query('SELECT DISTINCT...', Array)
#4 /httpdocs/lib/Varien/Db/Adapter/Pdo/Mysql.php(419): Zend_Db_Adapter_Pdo_Abstract->query('SELECT DISTINCT...', Array)
#5 /httpdocs/lib/Zend/Db/Adapter/Abstract.php(825): Varien_Db_Adapter_Pdo_Mysql->query(Object(Varien_Db_Select), Array)
#6 /httpdocs/lib/Varien/Data/Collection/Db.php(225): Zend_Db_Adapter_Abstract->fetchOne(Object(Varien_Db_Select), Array)
#7 /httpdocs/app/code/core/Mage/CatalogSearch/Block/Advanced/Result.php(90): Varien_Data_Collection_Db->getSize()
#8 /httpdocs/app/design/frontend/default/bqp/template/catalogsearch/advanced/result.phtml(31): Mage_CatalogSearch_Block_Advanced_Result->getResultCount()
#9 /httpdocs/app/code/core/Mage/Core/Block/Template.php(241): include('/var/www/vhosts...')
#10 /httpdocs/app/code/core/Mage/Core/Block/Template.php(272): Mage_Core_Block_Template->fetchView('frontend/defaul...')
#11 /httpdocs/app/code/core/Mage/Core/Block/Template.php(286): Mage_Core_Block_Template->renderView()
#12 /httpdocs/app/code/core/Mage/Core/Block/Abstract.php(867): Mage_Core_Block_Template->_toHtml()
#13 /httpdocs/app/code/core/Mage/Core/Block/Text/List.php(43): Mage_Core_Block_Abstract->toHtml()
#14 /httpdocs/app/code/core/Mage/Core/Block/Abstract.php(867): Mage_Core_Block_Text_List->_toHtml()
#15 /httpdocs/app/code/core/Mage/Core/Block/Abstract.php(586): Mage_Core_Block_Abstract->toHtml()
#16 /httpdocs/app/code/core/Mage/Core/Block/Abstract.php(530): Mage_Core_Block_Abstract->_getChildHtml('content', true)
#17 /httpdocs/app/design/frontend/default/bqp/template/page/2columns-right.phtml(56): Mage_Core_Block_Abstract->getChildHtml('content')
#18 /httpdocs/app/code/core/Mage/Core/Block/Template.php(241): include('/var/www/vhosts...')
#19 /httpdocs/app/code/core/Mage/Core/Block/Template.php(272): Mage_Core_Block_Template->fetchView('frontend/defaul...')
#20 /httpdocs/app/code/core/Mage/Core/Block/Template.php(286): Mage_Core_Block_Template->renderView()
#21 /httpdocs/app/code/core/Mage/Core/Block/Abstract.php(867): Mage_Core_Block_Template->_toHtml()
#22 /httpdocs/app/code/core/Mage/Core/Model/Layout.php(555): Mage_Core_Block_Abstract->toHtml()
#23 /httpdocs/app/code/core/Mage/Core/Controller/Varien/Action.php(390): Mage_Core_Model_Layout->getOutput()
#24 /httpdocs/app/code/core/Mage/CatalogSearch/controllers/AdvancedController.php(59): Mage_Core_Controller_Varien_Action->renderLayout()
#25 /httpdocs/app/code/core/Mage/Core/Controller/Varien/Action.php(419): Mage_CatalogSearch_AdvancedController->resultAction()
#26 /httpdocs/app/code/core/Mage/Core/Controller/Varien/Router/Standard.php(254): Mage_Core_Controller_Varien_Action->dispatch('result')
#27 /httpdocs/app/code/core/Mage/Core/Controller/Varien/Front.php(176): Mage_Core_Controller_Varien_Router_Standard->match(Object(Mage_Core_Controller_Request_Http))
#28 /httpdocs/app/code/core/Mage/Core/Model/App.php(354): Mage_Core_Controller_Varien_Front->dispatch()
#29 /httpdocs/app/Mage.php(683): Mage_Core_Model_App->run(Array)
#30 /httpdocs/index.php(97): Mage::run('', 'store')
#31 {main}

Any ideas?

 

Thank you in advance!

Re: SQL injection vulnerability

Nobody got a clue of to fix this??

Highlighted

Re: SQL injection vulnerability

Is this really a SQL injection? I am not sure why this is on the security patches forum. To fix your bug modify the system to force the input to be an integer and your error should be all cleared up.

---------------------------------------------------
Subscribe to my Magento Security Podcast